stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add unit tests for Router configuration and transport layers
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source 
- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
This commit is contained in:
StellaOps Bot
2025-12-05 08:01:47 +02:00
parent 635c70e828
commit 6a299d231f
294 changed files with 28434 additions and 1329 deletions
Download Patch File Download Diff File Expand all files Collapse all files

196
docs/implplan/BLOCKED_DEPENDENCY_TREE.md
View File

@@ -1,6 +1,6 @@
# BLOCKED Tasks Dependency Tree
> **Last Updated:** 2025-12-04 (12 specs + 2 implementations = ~74+ tasks unblocked)
> **Last Updated:** 2025-12-05 (13 specs + 3 implementations = ~84+ tasks unblocked)
> **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
## How to Use This Document
@@ -201,6 +201,104 @@ attestor SDK transport contract (scanner analyzers ✅ COMPILE)
---
## 7. CONSOLE OBSERVABILITY DOCS (CONOBS5201)
**Root Blocker:** Observability Hub widget captures + deterministic sample payload hashes not delivered (Console Guild)
```
Console assets (widgets + hashes)
+-- DOCS-CONSOLE-OBS-52-001 (docs/console/observability.md)
+-- DOCS-CONSOLE-OBS-52-002 (docs/console/forensics.md)
```
**Impact:** 2 documentation tasks (Md.III ladder) remain BLOCKED
**To Unblock:** Provide deterministic captures/payloads + hash list; populate `docs/console/SHA256SUMS`
---
## 8. EXCEPTION DOCS CHAIN (EXC-25)
**Root Blocker:** Exception lifecycle/routing/API contracts and UI/CLI payloads not delivered
```
Exception contracts (lifecycle + routing + API + UI/CLI payloads)
+-- DOCS-EXC-25-001: governance/exceptions.md
+-- DOCS-EXC-25-002: approvals-and-routing.md
+-- DOCS-EXC-25-003: api/exceptions.md
+-- DOCS-EXC-25-005: ui/exception-center.md
+-- DOCS-EXC-25-006: cli/guides/exceptions.md
```
**Impact:** 5 documentation tasks BLOCKED (Md.III ladder, console/UI/CLI docs)
**To Unblock:** Deliver lifecycle states, routing matrix, API schema, UI assets, and CLI command shapes with hashes; fill existing stubs and SHA files
---
## 9. AUTHORITY GAP SIGNING (AU/RR)
**Root Blocker:** Authority signing key not available for production DSSE
```
Authority signing key missing
+-- AUTH-GAPS-314-004 artefact signing
+-- REKOR-RECEIPT-GAPS-314-005 artefact signing
```
**Impact:** Production DSSE for AU1AU10 and RR1RR10 artefacts pending (dev-smoke bundles exist)
**To Unblock:** Provide Authority private key (COSIGN_PRIVATE_KEY_B64 or tools/cosign/cosign.key) and run `tools/cosign/sign-authority-gaps.sh`
---
## 10. EXCITITOR CHUNK API FREEZE (EXCITITOR-DOCS-0001)
**Root Blocker:** Chunk API CI validation + OpenAPI freeze not complete
```
Chunk API CI/OpenAPI freeze
+-- EXCITITOR-DOCS-0001
+-- EXCITITOR-ENG-0001
+-- EXCITITOR-OPS-0001
```
**Impact:** 3 documentation/eng/ops tasks blocked
**To Unblock:** Provide pinned `chunk-api.yaml`, hashed samples, and CI green per `OPENAPI_FREEZE_CHECKLIST.md`
---
## 11. DEVPORTAL SDK SNIPPETS (DEVPORT-63-002)
**Root Blocker:** Wave B SDK snippet pack not delivered
```
SDK snippet pack (Wave B)
+-- DEVPORT-63-002: embed/verify snippets
```
**Impact:** Snippet verification pending; hash index stub in `SHA256SUMS.devportal-stubs`
**To Unblock:** Deliver snippet pack + hashes; populate SHA index and validate against aggregate spec
---
## 12. GRAPH OPS DEMO OUTPUTS (GRAPH-OPS-0001)
**Root Blocker:** Latest demo observability outputs not delivered
```
Demo observability outputs
+-- GRAPH-OPS-0001: runbook/dashboard refresh
```
**Impact:** Graph ops doc refresh pending; placeholders and hash index ready
**To Unblock:** Provide demo metrics/dashboards (JSON) and hashes; update runbooks and SHA lists
---
## 7. TASK RUNNER CHAINS
### 7.1 AirGap
@@ -461,6 +559,102 @@ docs/deployment/
---
## 8.4 POLICY STUDIO WAVE C UNBLOCKING (2025-12-05)
> **Creation Date:** 2025-12-05
> **Purpose:** Document Policy Studio infrastructure that unblocks Wave C tasks (UI-POLICY-20-001 through UI-POLICY-23-006)
### Root Blockers Resolved
The following blockers for Wave C Policy Studio tasks have been resolved:
| Blocker | Status | Resolution |
|---------|--------|------------|
| Policy DSL schema for Monaco | ✅ CREATED | `features/policy-studio/editor/stella-dsl.language.ts` |
| Policy RBAC scopes in UI | ✅ CREATED | 11 scopes added to `scopes.ts` |
| Policy API client contract | ✅ CREATED | `features/policy-studio/services/policy-api.service.ts` |
| Simulation inputs wiring | ✅ CREATED | Models + API client for simulation |
| RBAC roles ready | ✅ CREATED | 7 guards in `auth.guard.ts` |
### Infrastructure Created
**1. Policy Studio Scopes (`scopes.ts`)**
```
policy:author, policy:edit, policy:review, policy:submit, policy:approve,
policy:operate, policy:activate, policy:run, policy:publish, policy:promote, policy:audit
```
**2. Policy Scope Groups (`scopes.ts`)**
```
POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN
```
**3. AuthService Methods (`auth.service.ts`)**
```
canViewPolicies(), canAuthorPolicies(), canEditPolicies(), canReviewPolicies(),
canApprovePolicies(), canOperatePolicies(), canActivatePolicies(), canSimulatePolicies(),
canPublishPolicies(), canAuditPolicies()
```
**4. Policy Guards (`auth.guard.ts`)**
```
requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard,
requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard,
requirePolicyAuditGuard
```
**5. Monaco Language Definition (`features/policy-studio/editor/`)**
- `stella-dsl.language.ts` — Monarch tokenizer, syntax highlighting, bracket matching
- `stella-dsl.completions.ts` — IntelliSense completion provider
**6. Policy API Client (`features/policy-studio/services/`)**
- `policy-api.service.ts` — Full CRUD, lint, compile, simulate, approval, dashboard APIs
**7. Policy Domain Models (`features/policy-studio/models/`)**
- `policy.models.ts` — 30+ TypeScript interfaces (packs, versions, simulations, approvals)
### Previously Blocked Tasks (Now TODO)
```
Policy Studio Wave C Blockers (RESOLVED)
+-- UI-POLICY-20-001: Monaco editor with DSL highlighting → TODO
+-- UI-POLICY-20-002: Simulation panel → TODO
+-- UI-POLICY-20-003: Submit/review/approve workflow → TODO
+-- UI-POLICY-20-004: Run viewer dashboards → TODO
+-- UI-POLICY-23-001: Policy Editor workspace → TODO
+-- UI-POLICY-23-002: YAML editor with validation → TODO
+-- UI-POLICY-23-003: Guided rule builder → TODO
+-- UI-POLICY-23-004: Review/approval workflow UI → TODO
+-- UI-POLICY-23-005: Simulator panel integration → TODO
+-- UI-POLICY-23-006: Explain view with exports → TODO
```
**Impact:** 10 Wave C tasks unblocked for implementation
### File Locations
```
src/Web/StellaOps.Web/src/app/
├── core/auth/
│ ├── scopes.ts # Policy scopes + scope groups + labels
│ ├── auth.service.ts # Policy methods in AuthService
│ └── auth.guard.ts # Policy guards
└── features/policy-studio/
├── editor/
│ ├── stella-dsl.language.ts # Monaco language definition
│ ├── stella-dsl.completions.ts # IntelliSense provider
│ └── index.ts
├── models/
│ ├── policy.models.ts # Domain models
│ └── index.ts
├── services/
│ ├── policy-api.service.ts # API client
│ └── index.ts
└── index.ts
```
---
## 9. CONCELIER RISK CHAIN
**Root Blocker:** ~~`POLICY-20-001 outputs + AUTH-TEN-47-001`~~ + `shared signals library`

4
docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
View File

@@ -27,7 +27,7 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | AIAI-DOCS-31-001 | BLOCKED (2025-11-22) | Await CLI/Policy artefacts | Advisory AI Docs Guild | Author guardrail + evidence docs with upstream references |
| 2 | AIAI-PACKAGING-31-002 | MOVED to SPRINT_503_ops_devops_i (2025-11-23) | Track under DEVOPS-AIAI-31-002 in Ops sprint | Advisory AI Release | Package advisory feeds with SBOM pointers + provenance |
| 2 | AIAI-PACKAGING-31-002 | MOVED to SPRINT_0503_0001_0001_ops_devops_i (2025-11-23) | Track under DEVOPS-AIAI-31-002 in Ops sprint | Advisory AI Release | Package advisory feeds with SBOM pointers + provenance |
| 3 | AIAI-RAG-31-003 | DONE | None | Advisory AI + Concelier | Align RAG evidence payloads with LNM schema |
| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-23) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants |
| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED (2025-11-23) | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs; proceed once upstream artefacts land |
@@ -36,7 +36,7 @@
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Docs | Draft guardrail evidence doc | Docs Guild | 2025-11-18 | BLOCKED (awaiting CLI/Policy artefacts) |
| Packaging | Define SBOM/policy bundle for Advisory AI | Release Guild | 2025-11-20 | MOVED to SPRINT_503_ops_devops_i (DEVOPS-AIAI-31-002) |
| Packaging | Define SBOM/policy bundle for Advisory AI | Release Guild | 2025-11-20 | MOVED to SPRINT_0503_0001_0001_ops_devops_i (DEVOPS-AIAI-31-002) |
## Execution Log
| Date (UTC) | Update | Owner |

2
docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
View File

@@ -68,7 +68,7 @@
| 2025-11-23 | Local build of `StellaOps.Concelier.WebService.Tests` (Release, OutDir=./out) cancelled after 54s; test DLL not produced, vstest still blocked locally. Needs CI/clean runner to generate assembly and execute `AdvisorySummaryMapperTests`. | Concelier Core |
| 2025-11-23 | Retried WebService.Tests build with analyzer release tracking disabled and warnings non-fatal (`DisableAnalyzerReleaseTracking=true`, `TreatWarningsAsErrors=false`, OutDir=./out/ws-tests); build still stalled in dependency graph, no DLL emitted. CI runner still required to produce test assembly. | Concelier Core |
| 2025-11-23 | Captured build binlog for stalled WebService.Tests attempt at `out/ws-tests.binlog` for CI triage. | Concelier Core |
| 2025-11-23 | Split CI runner blocker into DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i); all CI/vstest-related blocks now point to that ops task. | Project Mgmt |
| 2025-11-23 | Split CI runner blocker into DEVOPS-CONCELIER-CI-24-101 (SPRINT_0503_0001_0001_ops_devops_i); all CI/vstest-related blocks now point to that ops task. | Project Mgmt |
| 2025-11-23 | Marked downstream tasks (GRAPH-24-101/28-102, LNM-21-004..203) BLOCKED pending CI/clean runner; local harness cannot compile or run tests (`invalid test source` / hang). Development awaiting CI resources. Split storage/backfill/object-store tasks into DEV (here) vs DEVOPS release items (10b/11b/12b) to avoid dev blockage. | Project Mgmt |
| 2025-11-23 | Imported CONCELIER-AIRGAP-56-001..58-001, CONCELIER-CONSOLE-23-001..003, FEEDCONN-ICSCISA-02-012/KISA-02-008 from SPRINT_0110; statuses remain BLOCKED pending mirror/console/feed artefacts. | Project Mgmt |
| 2025-11-20 | Wired optional NATS transport for `advisory.observation.updated@1`; background worker dequeues Mongo outbox and publishes to configured stream/subject. | Implementer |

2
docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
View File

@@ -95,7 +95,7 @@
| 2025-11-22 | Marked ORCH-32/33/34 BLOCKED pending CI/clean runner build + restore (local runner stuck on missing packages/nullability). | Concelier Core |
| 2025-11-22 | Retried `dotnet restore concelier-webservice.slnf -v minimal` with timeout guard; cancelled at ~25s with `NuGet.targets` reporting "Restore canceled!". No packages downloaded; ORCH-32/33/34 remain blocked until CI/warm cache is available. | Concelier Implementer |
| 2025-11-22 | Ran `dotnet restore concelier-webservice.slnf -v diag` (60s timeout); aborted after prolonged spinner, no packages fetched, no new diagnostic log produced. Orchestrator tasks stay blocked pending CI/runner with warm cache. | Concelier Implementer |
| 2025-11-23 | Routed ORCH-32/33/34 CI dependency to DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i); dev sprint waits on ops runner deliverable. | Project Mgmt |
| 2025-11-23 | Routed ORCH-32/33/34 CI dependency to DEVOPS-CONCELIER-CI-24-101 (SPRINT_0503_0001_0001_ops_devops_i); dev sprint waits on ops runner deliverable. | Project Mgmt |
| 2025-11-24 | Added CPE normalization/storage + API projection for `/v1/lnm/linksets*` responses; Mongo schema updated and round-trip test added (`AdvisoryLinksetStoreTests`). POLICY-20-001 remains DOING pending severity/timeline fields. | Concelier Core |
| 2025-11-24 | Added severity string extraction and minimal timeline event (created + evidence hash) to `/v1/lnm/linksets*`; OpenAPI updated, normalized shape now carries CPEs. POLICY-20-001 still needs full severity/timeline coverage before closure. | Concelier Core |
| 2025-11-24 | Marked CONCELIER-POLICY-20-001 BLOCKED: upstream linkset/ingest lacks authoritative severity data and published/modified timestamps; cannot emit full severity/timeline fields until schema and data are supplied. | Concelier Core |

4
docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md
View File

@@ -55,7 +55,7 @@
| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle provenance fields frozen in `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; staleness/anchor rules defined. |
| 1 | LEDGER-29-007 | DONE (2025-11-17) | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
| 2 | LEDGER-29-008 | DONE (2025-11-22) | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. |
| 3 | LEDGER-29-009-DEV | BLOCKED | DEPLOY-LEDGER-29-009 (SPRINT_501_ops_deployment_i) — waiting on DevOps to assign target paths for Helm/Compose/offline-kit assets; backup/restore runbook review pending | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions (dev/staging artifacts). |
| 3 | LEDGER-29-009-DEV | BLOCKED | DEPLOY-LEDGER-29-009 (SPRINT_0501_0001_0001_ops_deployment_i) — waiting on DevOps to assign target paths for Helm/Compose/offline-kit assets; backup/restore runbook review pending | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions (dev/staging artifacts). |
| 4 | LEDGER-34-101 | DONE (2025-11-22) | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. Contract reference: `docs/modules/orchestrator/job-export-contract.md`. |
| 5 | LEDGER-AIRGAP-56-001 | DONE (2025-11-22) | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
| 6 | LEDGER-AIRGAP-56-002 | BLOCKED | Freshness thresholds + staleness policy spec pending from AirGap Time Guild | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
@@ -75,7 +75,7 @@
| 2025-11-22 | LEDGER-29-009 remains BLOCKED: DevOps/Offline kit overlays live outside module working dir; awaiting approved path for Helm/Compose assets and backup runbooks. | Findings Ledger Guild |
| 2025-11-22 | Marked AIRGAP-56-002 BLOCKED pending freshness threshold spec; downstream AIRGAP-57/58 remain blocked accordingly. | Findings Ledger Guild |
| 2025-11-22 | Added backup/restore and restore-replay guidance to `docs/modules/findings-ledger/deployment.md`; noted placeholder until DevOps assigns manifest paths. | Findings Ledger Guild |
| 2025-11-23 | Routed deployment assets to DEPLOY-LEDGER-29-009 (SPRINT_501_ops_deployment_i); LEDGER-29-009-DEV remains blocked until ops task delivers target paths. | Project Mgmt |
| 2025-11-23 | Routed deployment assets to DEPLOY-LEDGER-29-009 (SPRINT_0501_0001_0001_ops_deployment_i); LEDGER-29-009-DEV remains blocked until ops task delivers target paths. | Project Mgmt |
| 2025-11-22 | Switched LEDGER-29-008 to DOING; created `src/Findings/StellaOps.Findings.Ledger/TASKS.md` mirror for status tracking. | Findings Ledger Guild |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-19 | Marked PREP tasks P1P3 BLOCKED: observability schema, orchestrator ledger export contract, and mirror bundle schema are still missing, keeping LEDGER-29-008/34-101/AIRGAP-56-* blocked. | Project Mgmt |

8
docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
View File

@@ -37,7 +37,7 @@
| 1 | SCANNER-ANALYZERS-DENO-26-009 | DONE (2025-11-24) | Runtime trace shim + AnalysisStore runtime payload implemented; Deno runtime tests passing. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
| 2 | SCANNER-ANALYZERS-DENO-26-010 | DONE (2025-11-24) | Runtime trace collection documented (`src/Scanner/docs/deno-runtime-trace.md`); analyzer auto-runs when `STELLA_DENO_ENTRYPOINT` is set. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
| 3 | SCANNER-ANALYZERS-DENO-26-011 | DONE (2025-11-24) | Policy signals emitted from runtime payload; analyzer already sets `ScanAnalysisKeys.DenoRuntimePayload` and emits metadata. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC; DEVOPS-SCANNER-CI-11-001 (SPRINT_503_ops_devops_i) for CI runner/binlogs. | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC; DEVOPS-SCANNER-CI-11-001 (SPRINT_0503_0001_0001_ops_devops_i) for CI runner/binlogs. | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
| 5 | SCANNER-ANALYZERS-JAVA-21-006 | BLOCKED (depends on 21-005) | Needs outputs from 21-005. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
| 6 | SCANNER-ANALYZERS-JAVA-21-007 | BLOCKED (depends on 21-006) | After 21-006; align manifest parsing with resolver. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON; DEVOPS-SCANNER-CI-11-001 for CI runner/restore logs. | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
@@ -68,7 +68,7 @@
| 2025-11-17 | Reviewed Deno analyzer scope; runtime evidence hook contract and policy-signal keys not defined in docs or code. Marked DENO-26-009/010/011 as BLOCKED pending approved trace/signal schema shared with Surface/Signals. | Implementer |
| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added JNI/native hint scanning (native libs, Graal jni-config, System.load/Library strings) with component metadata + evidence; targeted tests added. Test run aborted ~80s in due to concurrent repo-wide builds; rerun on clean runner. | Java Analyzer Guild |
| 2025-11-17 | Authored `docs/modules/scanner/design/deno-runtime-signals.md` defining NDJSON runtime trace + policy signal keys; unblocked DENO-26-009/010/011 back to TODO. | Implementer |
| 2025-11-23 | Pointed Java/Lang analyzer blocks to DEVOPS-SCANNER-CI-11-001 (SPRINT_503_ops_devops_i) to obtain CI runner/binlogs for restore/test hangs. | Project Mgmt |
| 2025-11-23 | Pointed Java/Lang analyzer blocks to DEVOPS-SCANNER-CI-11-001 (SPRINT_0503_0001_0001_ops_devops_i) to obtain CI runner/binlogs for restore/test hangs. | Project Mgmt |
| 2025-11-17 | Implemented Deno runtime NDJSON serializer + metadata (module/permission counts, remote origins, npm/wasm/dynamic import counts) with deterministic ordering and hash; added regression tests for serializer, path hashing, recorder ordering, and policy signal emission. Loader/require shim still pending. | Implementer |
| 2025-11-17 | Deno runtime tests passing: `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj --no-restore`. | Implementer |
| 2025-11-17 | DenoLanguageAnalyzer now ingests `deno-runtime.ndjson` if present, computes metadata/hash, stores runtime payload in AnalysisStore, and emits policy signals; added runtime probe parser + tests. Loader/require shim that generates the trace remains to be built. | Implementer |
@@ -87,7 +87,7 @@
| 2025-11-22 | DenoLanguageAnalyzer now invokes runtime trace runner when `STELLA_DENO_ENTRYPOINT` is set, enabling optional runtime capture without separate wiring; guarded to remain no-op otherwise. | Implementer |
| 2025-11-24 | Ran Deno analyzer tests (`dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj -c Release --logger trx`); build/tests succeeded. Marked DENO-26-009 DONE and moved 26-010 to DOING. | Implementer |
| 2025-11-24 | Documented runtime collection for CLI/Worker (`src/Scanner/docs/deno-runtime-trace.md`); DENO-26-010 set to DONE. | Implementer |
| 2025-11-24 | Moved DevOps packaging task DEVOPS-SCANNER-JAVA-21-011-REL to `SPRINT_503_ops_devops_i.md` per ops/dev split; removed from Delivery Tracker here. | Project Mgmt |
| 2025-11-24 | Moved DevOps packaging task DEVOPS-SCANNER-JAVA-21-011-REL to `SPRINT_0503_0001_0001_ops_devops_i.md` per ops/dev split; removed from Delivery Tracker here. | Project Mgmt |
## Decisions & Risks
- Scanner record payload schema still unpinned; drafting prep at `docs/modules/scanner/prep/2025-11-21-scanner-records-prep.md` while waiting for analyzer output confirmation from Scanner Guild.
@@ -102,7 +102,7 @@
- Runtime payload key aligned to `ScanAnalysisKeys.DenoRuntimePayload` (compat shim keeps legacy `"deno.runtime"`); downstream consumers should read the keyed payload to avoid silent misses.
- PREP note for SCANNER-ANALYZERS-JAVA-21-005 published at `docs/modules/scanner/prep/2025-11-20-java-21-005-prep.md`; awaiting CoreLinksets package fix and isolated CI slot before tests can run.
- PREP docs added for SCANNER-ANALYZERS-JAVA-21-008 (`docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md`) and LANG-11-001 (`docs/modules/scanner/prep/2025-11-20-lang-11-001-prep.md`); both depend on resolver outputs/CI isolation.
- DevOps packaging task for Java analyzer (DEVOPS-SCANNER-JAVA-21-011-REL) relocated to `SPRINT_503_ops_devops_i.md` to keep this sprint development-only.
- DevOps packaging task for Java analyzer (DEVOPS-SCANNER-JAVA-21-011-REL) relocated to `SPRINT_0503_0001_0001_ops_devops_i.md` to keep this sprint development-only.
## Next Checkpoints
| Date (UTC) | Session | Goal | Impacted work | Owner |

2
docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
View File

@@ -70,7 +70,7 @@
| 2025-11-23 | Inventory evidence emitted with scope/runtime_flag/paths/nearest_safe_version; diagnostics via `/internal/sbom/inventory` + backfill. SBOM-VULN-29-001 marked DONE. | SBOM Service |
| 2025-11-24 | Ran full SbomService test suite (`dotnet test ... --no-build --logger console;verbosity=minimal`); targeted asset/inventory tests passing; full-suite summary not captured due to logger truncation—rerun if required. | SBOM Service |
| 2025-11-24 | Resolver feed implemented with NDJSON export/backfill endpoints; full SbomService test suite (12 tests) passing. SBOM-VULN-29-002 marked DONE. | SBOM Service |
| 2025-11-23 | Split build/feed blocker into DEVOPS-SBOM-23-001 (SPRINT_503_ops_devops_i); SBOM-CONSOLE-23-001/002 remain BLOCKED pending ops feed + CI proof. | Project Mgmt |
| 2025-11-23 | Split build/feed blocker into DEVOPS-SBOM-23-001 (SPRINT_0503_0001_0001_ops_devops_i); SBOM-CONSOLE-23-001/002 remain BLOCKED pending ops feed + CI proof. | Project Mgmt |
| 2025-11-23 | ProjectionEndpointTests now pass (400/200 responses); WAF configured with fixture path + in-memory component repo; duplicate test PackageReferences removed. SBOM-SERVICE-21-001 marked DONE. | SBOM Service |
| 2025-11-23 | Added Mongo fallback to in-memory component lookup to keep tests/offline runs alive; WebApplicationFactory still returns HTTP 500 for projection endpoints (manual curl against `dotnet run` returns 400/200). Investigation pending; SBOM-SERVICE-21-001 remains DOING. | SBOM Service |
| 2025-11-23 | Fixed test package references (`FluentAssertions`, `Microsoft.AspNetCore.Mvc.Testing`, xUnit) and attempted `dotnet test --filter ProjectionEndpointTests`; build runs but projection endpoint responses returned HTTP 500 instead of expected 400/200, leaving SBOM-SERVICE-21-001 in DOING pending investigation. | SBOM Service |

30
docs/implplan/SPRINT_0201_0001_0001_cli_i.md
View File

@@ -29,16 +29,16 @@
| 5 | CLI-AIAI-31-003 | DONE (2025-11-24) | Depends on CLI-AIAI-31-002 | DevEx/CLI Guild | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. |
| 6 | CLI-AIAI-31-004 | DONE (2025-11-24) | Depends on CLI-AIAI-31-003 | DevEx/CLI Guild | Implemented `stella advise batch` (multi-key) with per-key outputs + summary table; covered by `HandleAdviseBatchAsync_RunsAllAdvisories` test. |
| 7 | CLI-AIRGAP-56-001 | DONE (2025-12-04) | Implemented `stella mirror create` using `docs/schemas/mirror-bundle.schema.json`; models in `MirrorBundleModels.cs`; tested with VEX domain. | DevEx/CLI Guild | Implement `stella mirror create` for air-gap bootstrap. |
| 8 | CLI-AIRGAP-56-002 | TODO | 56-001 complete; proceed with sealed mode telemetry. | DevEx/CLI Guild | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. |
| 9 | CLI-AIRGAP-57-001 | BLOCKED (2025-11-27) | Depends on CLI-AIRGAP-56-002 (mirror bundle contract missing) | DevEx/CLI Guild | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. |
| 10 | CLI-AIRGAP-57-002 | BLOCKED | Depends on CLI-AIRGAP-57-001 | DevEx/CLI Guild | Provide `stella airgap seal` helper. Blocked: upstream 57-001. |
| 11 | CLI-AIRGAP-58-001 | BLOCKED | Depends on CLI-AIRGAP-57-002 | DevEx/CLI Guild · Evidence Locker Guild | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. Blocked: upstream 57-002. |
| 12 | CLI-ATTEST-73-001 | TODO | CLI build fixed (2025-12-04); attestor SDK transport schema available at `docs/schemas/attestor-transport.schema.json`; ready to implement. | CLI Attestor Guild | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
| 13 | CLI-ATTEST-73-002 | BLOCKED | Depends on CLI-ATTEST-73-001 | CLI Attestor Guild | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. Blocked: upstream 73-001 contract. |
| 14 | CLI-ATTEST-74-001 | BLOCKED | Depends on CLI-ATTEST-73-002 | CLI Attestor Guild | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. Blocked: upstream 73-002. |
| 15 | CLI-ATTEST-74-002 | BLOCKED | Depends on CLI-ATTEST-74-001 | CLI Attestor Guild | Implement `stella attest fetch` to download envelopes and payloads to disk. Blocked: upstream 74-001. |
| 16 | CLI-ATTEST-75-001 | BLOCKED | Depends on CLI-ATTEST-74-002 | CLI Attestor Guild · KMS Guild | Implement `stella attest key create` workflows. Blocked: upstream 74-002. |
| 17 | CLI-ATTEST-75-002 | BLOCKED | Depends on CLI-ATTEST-75-001 | CLI Attestor Guild · Export Guild | Add support for building/verifying attestation bundles in CLI. Blocked: upstream 75-001. |
| 8 | CLI-AIRGAP-56-002 | DONE (2025-12-04) | Implemented sealed mode telemetry in `SealedModeTelemetry.cs` and `CliMetrics.cs`; all metrics tagged with `deployment.phase=AirGapped-Phase-1` when offline. | DevEx/CLI Guild | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. |
| 9 | CLI-AIRGAP-57-001 | DONE (2025-12-04) | Implemented `stella airgap import` with `BuildAirgapCommand` in CommandFactory.cs and `HandleAirgapImportAsync` handler; supports bundle scope selection (`--tenant`, `--global`), checksum verification via SHA256SUMS, diff preview with `--dry-run`, audit logging, and progress reporting. | DevEx/CLI Guild | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. |
| 10 | CLI-AIRGAP-57-002 | DONE (2025-12-04) | Implemented `stella airgap seal` with `HandleAirgapSealAsync` handler; supports `--verify` for bundle checksum validation, `--dry-run` for preview, `--force` for reseal, `--reason` for audit logging. Creates sealed.json marker, writes to seal-events.ndjson audit log, and sets CliMetrics.IsSealedMode=true. | DevEx/CLI Guild | Provide `stella airgap seal` helper. |
| 11 | CLI-AIRGAP-58-001 | DONE (2025-12-04) | Implemented `stella airgap export-evidence` with `HandleAirgapExportEvidenceAsync` handler; supports evidence type filtering (`--include attestations,sboms,scans,vex,all`), date range (`--from`, `--to`), tenant/subject filters, signature verification (`--verify`), compression (`--compress`), JSON output, and generates manifest.json with SHA256SUMS checksum manifest. | DevEx/CLI Guild · Evidence Locker Guild | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. |
| 12 | CLI-ATTEST-73-001 | DONE (2025-12-04) | Implemented `stella attest sign` with `HandleAttestSignAsync` handler; supports predicate files, subject digests, keyed/keyless signing, Rekor transparency log, and DSSE/sigstore-bundle formats; models in `AttestorTransportModels.cs`; metrics via `CliMetrics.AttestSignCompleted()`. | CLI Attestor Guild | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
| 13 | CLI-ATTEST-73-002 | DONE (2025-12-04) | Implemented `stella attest verify` with `HandleAttestVerifyAsync` handler; parses DSSE envelope, decodes in-toto statement, runs 6 verification checks (structure, payload type, subjects, signature via trust root, transparency log via checkpoint, policy compliance); supports policy selection via `--policy` with requiredPredicateTypes/minimumSignatures/requiredSigners constraints; outputs JSON to file or table to console with explainability reasons; metrics via `CliMetrics.RecordAttestVerify()`. | CLI Attestor Guild | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |
| 14 | CLI-ATTEST-74-001 | DONE (2025-12-04) | Implemented `stella attest list` with `HandleAttestListAsync` handler; supports filters for `--subject`, `--type`, `--issuer`, `--tenant`, `--scope` (local/remote/all), pagination via `--limit` and `--offset`; reads attestations from ~/.stellaops/attestations/, parses DSSE envelope payloads to extract predicate type and subjects, displays table or JSON output with pagination info. | CLI Attestor Guild | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. |
| 15 | CLI-ATTEST-74-002 | DONE (2025-12-04) | Implemented `stella attest fetch` with `HandleAttestFetchAsync` handler; supports filters for `--id`, `--subject`, `--type`; `--include envelope,payload,both`; `--scope local,remote,all`; `--format json,raw` for payloads; `--overwrite` to replace existing files; downloads DSSE envelopes and decoded payloads to output directory. | CLI Attestor Guild | Implement `stella attest fetch` to download envelopes and payloads to disk. |
| 16 | CLI-ATTEST-75-001 | DONE (2025-12-04) | Implemented `stella attest key create` with `HandleAttestKeyCreateAsync` handler; supports `--name`, `--algorithm` (ECDSA-P256/P384), `--password`, `--output`, `--format`, `--export-public`; uses FileKmsClient for encrypted key storage in ~/.stellaops/keys/; generates SPKI-format public keys; outputs table or JSON with key metadata. | CLI Attestor Guild · KMS Guild | Implement `stella attest key create` workflows. |
| 17 | CLI-ATTEST-75-002 | DONE (2025-12-04) | Implemented `stella attest bundle build` and `stella attest bundle verify` commands with `HandleAttestBundleBuildAsync` and `HandleAttestBundleVerifyAsync` handlers; builds audit bundles conforming to `audit-bundle-index.schema.json`; supports artifact filtering (`--include`), time window (`--from`, `--to`), compression (`--compress`), integrity verification (root hash, SHA256SUMS), policy compliance checks; output JSON/table. | CLI Attestor Guild · Export Guild | Add support for building/verifying attestation bundles in CLI. |
| 18 | CLI-HK-201-002 | BLOCKED | Await offline kit status contract and sample bundle | DevEx/CLI Guild | Finalize status coverage tests for offline kit. |
| 19 | CLI-GAPS-201-003 | DONE (2025-12-01) | None; informs tasks 718. | Product Mgmt · DevEx/CLI Guild | Addressed CLI gaps CL1CL10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned command/flag/exit-code spec with compatibility tests, deterministic output fixtures, auth key rotation/cleanup and audience validation, offline-kit import/verify contract, cosign verification on install/update, pinned buildx plugin digest + rollback, telemetry opt-in/off defaults, UX/a11y guidelines, structured errors/help, and checksum-enforced install paths (online/offline). |
@@ -97,3 +97,13 @@
| 2025-11-24 | Verified advise batch implementation and marked CLI-AIAI-31-004 DONE; coverage via `HandleAdviseBatchAsync_RunsAllAdvisories` test. | DevEx/CLI Guild |
| 2025-12-01 | Added CLI-GAPS-201-003 to capture CL1CL10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-04 | Implemented CLI-AIRGAP-56-001 (`stella mirror create`): added `MirrorBundleModels.cs` DTOs from `docs/schemas/mirror-bundle.schema.json`, wired `BuildMirrorCommand` in CommandFactory.cs, and `HandleMirrorCreateAsync` handler in CommandHandlers.cs. Command creates manifest JSON, SHA256SUMS, and placeholder exports conforming to air-gap bundle schema. Build verified (0 errors); tested with `stella mirror create --domain vex-advisories --output /tmp/test`. Unblocked CLI-AIRGAP-56-002. | DevEx/CLI Guild |
| 2025-12-04 | Implemented CLI-AIRGAP-56-002 (sealed mode telemetry): created `SealedModeTelemetry.cs` with `SealedModeTelemetrySink`, `CorrelationContext`, `TelemetryRecord`, and DI extensions; updated `Program.cs` to wire `AddSealedModeTelemetryIfOffline()`; updated all `CliMetrics.cs` methods to use `WithSealedModeTag()` helper that appends `deployment.phase=AirGapped-Phase-1` label when `IsSealedMode` is true. Local telemetry buffers to ndjson files in offline mode while preserving W3C trace context correlation IDs. Build verified (0 errors). Unblocked CLI-AIRGAP-57-001. | DevEx/CLI Guild |
| 2025-12-04 | Implemented CLI-ATTEST-73-001 (`stella attest sign`): command was already wired in `CommandFactory.cs` (lines 4294-4379) with options for `--predicate`, `--predicate-type`, `--subject`, `--digest`, `--key`, `--keyless`, `--rekor`, `--output`, `--format`. Handler `HandleAttestSignAsync` (lines 9314-9521) creates in-toto statements, builds DSSE envelopes with placeholder signatures (full signing service integration pending), supports `dsse` and `sigstore-bundle` output formats. Added `AttestorTransportModels.cs` DTOs conforming to `docs/schemas/attestor-transport.schema.json`. Metrics recorded via `CliMetrics.AttestSignCompleted()`. Build verified (0 errors). Unblocked CLI-ATTEST-73-002. | CLI Attestor Guild |
| 2025-12-04 | Implemented CLI-AIRGAP-57-001 (`stella airgap import`): added `BuildAirgapCommand` in CommandFactory.cs (lines 9928-10007) with subcommand `import` and options for `--bundle`, `--tenant`, `--global`, `--dry-run`, `--force`, `--verify-only`, `--json`. Handler `HandleAirgapImportAsync` (lines 26147-26459) parses mirror bundle manifest, verifies SHA256SUMS checksums, shows diff preview, supports tenant/global scope selection, and records audit log entries. Fixed CS0136 naming conflict. Build verified (0 errors). Unblocked CLI-AIRGAP-57-002. | DevEx/CLI Guild |
| 2025-12-04 | Implemented CLI-ATTEST-74-002 (`stella attest fetch`): added `fetch` subcommand to `BuildAttestCommand` in CommandFactory.cs (lines 4418-4487) with options for `--id`, `--subject`, `--type`, `--output-dir`, `--include envelope,payload,both`, `--scope local,remote,all`, `--format json,raw`, `--overwrite`. Handler `HandleAttestFetchAsync` (lines 9824-10058) reads attestations from ~/.stellaops/attestations/, applies filters, decodes DSSE payloads, and writes envelope/payload files to output directory with skip/overwrite control. Build verified (0 errors). Unblocked CLI-ATTEST-75-001. | CLI Attestor Guild |
| 2025-12-04 | Implemented CLI-AIRGAP-57-002 (`stella airgap seal`): added `seal` subcommand to `BuildAirgapCommand` in CommandFactory.cs (lines 10005-10067) with options for `--config-dir`, `--verify`, `--force`, `--dry-run`, `--json`, `--reason`. Handler `HandleAirgapSealAsync` (lines 26739-27117) verifies imported bundles checksums, creates sealed.json marker file with configuration (telemetryMode=local, networkMode=offline), writes audit log entries to seal-events.ndjson, sets CliMetrics.IsSealedMode=true. Supports dry-run preview and forced reseal. Build verified (0 errors). Unblocked CLI-AIRGAP-58-001. | DevEx/CLI Guild |
| 2025-12-04 | Implemented CLI-ATTEST-73-002 (`stella attest verify`): enhanced `HandleAttestVerifyAsync` handler (lines 9161-9506) with full DSSE envelope parsing, in-toto statement decoding from base64 payload, 6 verification checks (envelope structure, payload type, subject presence, signature verification via `--root` trust root, transparency log via `--transparency-checkpoint`, policy compliance via `--policy`). Policy compliance supports `requiredPredicateTypes`, `minimumSignatures`, and `requiredSigners` constraints. Outputs JSON to file via `--output` or table to console with explainability reasons for each check. Exit codes: 0 success, 2 verification failed, 4 input error. Metrics via `CliMetrics.RecordAttestVerify()`. Build verified (0 errors). Unblocked CLI-ATTEST-74-001. | CLI Attestor Guild |
| 2025-12-04 | Implemented CLI-AIRGAP-58-001 (`stella airgap export-evidence`): added `export-evidence` subcommand to `BuildAirgapCommand` in CommandFactory.cs (lines 10081-10169) with options for `--output`, `--include`, `--from`, `--to`, `--tenant`, `--subject`, `--compress`, `--json`, `--verify`. Handler `HandleAirgapExportEvidenceAsync` (lines 27140-27597) collects evidence from ~/.stellaops/{attestations,sboms,scans,vex} directories, filters by type/date/subject, verifies DSSE structure if requested, generates manifest.json with evidence inventory, creates SHA256SUMS checksum manifest, and optionally compresses output as tar.gz. Outputs evidence breakdown table and verification results to console or JSON. Build verified (0 errors). | DevEx/CLI Guild · Evidence Locker Guild |
| 2025-12-04 | Implemented CLI-ATTEST-74-001 (`stella attest list`): enhanced command in CommandFactory.cs (lines 4242-4299) with new options for `--subject`, `--type`, `--scope`, `--offset`; enhanced `HandleAttestListAsync` handler (lines 9529-9783) to read attestations from ~/.stellaops/attestations/, parse DSSE envelope payloads to extract predicate type and subjects, apply filters (subject, type, issuer, scope), support pagination with limit/offset, output table or JSON with pagination metadata and verbose filter display. Added `AttestationListItem` internal class for attestation records. Build verified (0 errors). Unblocked CLI-ATTEST-74-002. | CLI Attestor Guild |
| 2025-12-04 | Implemented CLI-ATTEST-75-001 (`stella attest key create`): added `key` command with `create` subcommand to CommandFactory.cs (lines 4489-4556) with options for `--name`, `--algorithm` (ECDSA-P256/P384), `--password`, `--output`, `--format`, `--export-public`. Handler `HandleAttestKeyCreateAsync` (lines 10060-10211) uses `FileKmsClient` from StellaOps.Cryptography.Kms to create encrypted signing keys in ~/.stellaops/keys/; supports password prompting if not provided; generates SPKI-format public key export; outputs table or JSON with key ID, algorithm, version, and public key info. Added `FormatBase64ForPem` helper for PEM formatting. Build verified (0 errors). Unblocked CLI-ATTEST-75-002. | CLI Attestor Guild · KMS Guild |
| 2025-12-04 | Implemented CLI-ATTEST-75-002 (`stella attest bundle build/verify`): added `bundle` command with `build` and `verify` subcommands to CommandFactory.cs (lines 4551-4714). `build` handler `HandleAttestBundleBuildAsync` (lines 10231-10614) collects artifacts from input directory (attestations, SBOMs, VEX, scans, policy-evals), creates audit bundle conforming to `audit-bundle-index.schema.json`, computes SHA256 checksums and root hash, supports time window filtering, compression to tar.gz, and JSON/table output. `verify` handler `HandleAttestBundleVerifyAsync` (lines 10621-10989) validates bundle index structure, required fields, root hash integrity, artifact checksums, and optional policy compliance; outputs verification report with PASS/FAIL/WARN status. Added helpers: `CopyFileAsync`, `CreateTarGzAsync`, `ExtractTarGzAsync`. Build verified (0 errors). Sprint 0201 CLI attestor tasks complete. | CLI Attestor Guild · Export Guild |

3
docs/implplan/SPRINT_0206_0001_0001_devportal.md
View File

@@ -44,6 +44,8 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Action #1 (SDK snippet pack verification) BLOCKED: awaiting Wave B artefacts from SPRINT_0208_0001_0001_sdk to compare against embedded quickstarts. | Developer Portal Guild |
| 2025-12-05 | Created stub hash index `src/DevPortal/StellaOps.DevPortal.Site/SHA256SUMS.devportal-stubs` for SDK snippet packs and offline bundle outputs; will populate once Wave B arrives. | Docs Guild |
| 2025-12-05 | Added `tools/devportal/hash-snippets.sh` helper and seeded snippet placeholder `snippets/README.stub`; hash index now records stub hash. Ready to ingest Wave B snippets on delivery. | Docs Guild |
| 2025-11-26 | Defined DevPortal offline bundle manifest (paths, hashes, policy) at `docs/modules/export-center/devportal-offline-manifest.md`; marked Action #2 DONE. | Developer Portal Guild |
| 2025-11-25 | A11y run still blocked: Playwright browsers installed, but host libs missing (`libnss3`, `libnspr4`, `libasound2t64` per playwright install-deps). Link check now passing; preview cleanup added to QA scripts. | Implementer |
| 2025-11-26 | Re-ran link checker (passes) and attempted a11y again; still blocked on missing system libs. Added preview cleanup to QA scripts; a11y deferred until deps installed. | Implementer |
@@ -69,6 +71,7 @@
- RapiDoc schema viewer + version selector rely on `/api/stella.yaml`; ensure compose pipeline keeps this asset in sync before publishing builds.
- Try-It console currently targets `https://sandbox.api.stellaops.local`; adjust if platform assigns a different sandbox base URL.
- Offline bundle script (`npm run build:offline`) is unverified until dependencies install on a faster volume; ensure `tar` availability and run validation before shipping artifacts.
- SHA index for DevPortal artefacts lives at `src/DevPortal/StellaOps.DevPortal.Site/SHA256SUMS.devportal-stubs`; populate when Wave B SDK snippets land and after offline bundle regeneration. Helper script: `tools/devportal/hash-snippets.sh` (sorts and writes hashes into the same file).
- New test scripts (`test:a11y`, `lint:links`, `budget:dist`) require `npm ci` and `npm run preview` on a faster volume before they can be executed.
- Node_modules currently removed after cleanup attempts; rerun `npm ci --ignore-scripts --progress=false --no-fund --no-audit` on a fast volume before executing any QA commands.
- Current build emits only 404 + assets (no `/docs/*` pages), causing `lint:links` and `test:a11y` to fail with preview 404s; needs root-cause/fix before shipping offline bundle.

5
docs/implplan/SPRINT_0209_0001_0001_ui_i.md
View File

@@ -79,8 +79,8 @@
| 6 | Publish canonical UI Micro-Interactions advisory (MI1MI10) with motion tokens, reduced-motion rules, and fixtures referenced by this sprint | Product Mgmt · UX Guild | 2025-12-06 | DONE |
| 7 | Align sprint working directory to `src/Web/StellaOps.Web` and verify workspace present (was `src/UI/StellaOps.UI`) | UI Guild | 2025-12-05 | DONE (2025-12-04) |
| 8 | Refresh package-lock with new Storybook/a11y devDependencies (registry auth required) | UI Guild · DevEx | 2025-12-06 | DONE (2025-12-04) |
| 9 | Clean node_modules permissions and rerun Storybook + a11y smoke after wrapper addition | UI Guild · DevEx | 2025-12-07 | BLOCKED (requires Storybook Angular builder migration; node_modules reinstall succeeds only in clean temp copy) |
| 10 | Migrate Storybook to Angular builder per SB_FRAMEWORK_ANGULAR_0001 guidance | UI Guild | 2025-12-08 | TODO |
| 9 | Clean node_modules permissions and rerun Storybook + a11y smoke after wrapper addition | UI Guild · DevEx | 2025-12-07 | BLOCKED (Angular CLI commands hang after builder migration; need stable workspace run) |
| 10 | Migrate Storybook to Angular builder per SB_FRAMEWORK_ANGULAR_0001 guidance | UI Guild | 2025-12-08 | DOING (automigrate run; builder targets added; pending CLI hang fix and rerun) |
## Decisions & Risks
| Risk | Impact | Mitigation / Next Step |
@@ -99,6 +99,7 @@
| 2025-12-04 | Added motion token catalog (SCSS + TS), Storybook scaffolding with reduced-motion toggle, and Playwright a11y smoke harness. `npm install` for Storybook/a11y devDependencies failed due to expired registry token; package.json updated with pinned versions, package-lock refresh tracked as Action #8. | Implementer |
| 2025-12-04 | Resolved npm install by removing obsolete `@storybook/angular-renderer` dependency; refreshed `package-lock.json` with Storybook/a11y devDependencies. Storybook CLI still not runnable via `storybook` bin; requires direct node entrypoint (follow-up). | Implementer |
| 2025-12-04 | Added `scripts/storybook.js` wrapper and updated npm scripts. Clean install in temp copy succeeded; `storybook:build` now fails with SB_FRAMEWORK_ANGULAR_0001 (needs Angular Storybook builder migration) and `test:a11y` timed out waiting for dev server. Action #9 remains BLOCKED pending migration and rerun of Storybook + a11y smoke. | Implementer |
| 2025-12-04 | Ran Storybook automigrate in clean copy, applied Angular builder targets, updated stories glob, and added @storybook/test/@chromatic-com/storybook. Synced changes into workspace and ran `npm install`; however `ng run stellaops-web:build-storybook` still exits non-zero with no output (Angular CLI appears to hang in this environment). Action #10 remains DOING; tests still blocked. | Implementer |
| 2025-12-04 | Confirmed canonical Angular workspace is `src/Web/StellaOps.Web` (not `src/UI/StellaOps.UI`); updated working directory, blockers, and Action #7 accordingly. Graph blockers now tied to generated `graph:*` SDK scopes. | Project mgmt |
| 2025-12-04 | Published canonical UI Micro-Interactions advisory (`docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`). UI-MICRO-GAPS-0209-011 remains BLOCKED pending motion token catalog + a11y/Storybook/Playwright harness in `src/Web/StellaOps.Web`. | Project mgmt |
| 2025-12-04 | Earlier note: UI-MICRO-GAPS-0209-011 was marked BLOCKED when advisory was still pending and `src/UI/StellaOps.UI` was empty; superseded by publication + path correction the same day. | Project mgmt |

36
docs/implplan/SPRINT_0210_0001_0002_ui_ii.md
View File

@@ -34,17 +34,17 @@
| 2 | UI-LNM-22-003 | DONE (2025-12-04) | 1; align VEX tab with sprint 0215 schema | UI Guild; Excititor Guild (src/Web/StellaOps.Web) | Add VEX tab with status/justification summaries, conflict indicators, and export actions. Required for `DOCS-LNM-22-005` coverage of VEX evidence tab. |
| 3 | UI-LNM-22-004 | DONE (2025-12-04) | 2; confirm permalink format | UI Guild (src/Web/StellaOps.Web) | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. |
| 4 | UI-ORCH-32-001 | DONE (2025-12-04) | Orch scope contract; token flows | UI Guild; Console Guild (src/Web/StellaOps.Web) | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. |
| 5 | UI-POLICY-13-007 | TODO | Policy confidence metadata source | UI Guild (src/UI/StellaOps.UI) | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
| 6 | UI-POLICY-20-001 | TODO | 5; DSL schema for Monaco | UI Guild (src/UI/StellaOps.UI) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | TODO | 6; simulation inputs wired | UI Guild (src/UI/StellaOps.UI) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | TODO | 7; RBAC roles ready | UI Guild; Product Ops (src/UI/StellaOps.UI) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | TODO | 8; run viewer APIs | UI Guild; Observability Guild (src/UI/StellaOps.UI) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | TODO | 9; pack list contract | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | TODO | 10; schema + lints ready | UI Guild (src/UI/StellaOps.UI) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | TODO | 11; rule builder inputs | UI Guild (src/UI/StellaOps.UI) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 13 | UI-POLICY-23-004 | TODO | 12; approval routing | UI Guild (src/UI/StellaOps.UI) | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. |
| 14 | UI-POLICY-23-005 | TODO | 13; simulator services | UI Guild (src/UI/StellaOps.UI) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | TODO | 14; export targets confirmed | UI Guild (src/UI/StellaOps.UI) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
| 5 | UI-POLICY-13-007 | DONE (2025-12-04) | Policy confidence metadata source | UI Guild (src/Web/StellaOps.Web) | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
| 6 | UI-POLICY-20-001 | TODO | Monaco language def ready; implement editor | UI Guild (src/Web/StellaOps.Web) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | TODO | API client ready; wire simulation inputs | UI Guild (src/Web/StellaOps.Web) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | TODO | RBAC scopes/guards ready; implement workflow | UI Guild; Product Ops (src/Web/StellaOps.Web) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | TODO | API client ready; implement dashboards | UI Guild; Observability Guild (src/Web/StellaOps.Web) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | TODO | API client ready; implement workspace | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | TODO | Models ready; implement YAML editor | UI Guild (src/Web/StellaOps.Web) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | TODO | Models ready; implement rule builder | UI Guild (src/Web/StellaOps.Web) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 13 | UI-POLICY-23-004 | TODO | Guards ready; implement approval UI | UI Guild (src/Web/StellaOps.Web) | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. |
| 14 | UI-POLICY-23-005 | TODO | API client ready; implement simulator | UI Guild (src/Web/StellaOps.Web) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | TODO | Models ready; implement explain view | UI Guild (src/Web/StellaOps.Web) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
## Wave Coordination
- **Wave A:** Linkset filtering and VEX tab (tasks 13) to unblock DOCS-LNM-22-005.
@@ -57,9 +57,9 @@
- Wave C output: Monaco editor, simulator, approvals, dashboards, explain exports wired to policy evidence APIs.
## Interlocks
- VEX decision model and schemas from `SPRINT_0215_0001_0001_vuln_triage_ux.md` must stabilize before tasks 23.
- Orchestrator scope contract (`orch:read`, `Orch.Viewer`) required before task 4.
- Policy DSL schema and simulator APIs needed before tasks 67 and downstream Policy Studio tasks.
- ~~VEX decision model and schemas from `SPRINT_0215_0001_0001_vuln_triage_ux.md` must stabilize before tasks 23.~~ ✅ DONE (2025-12-04)
- ~~Orchestrator scope contract (`orch:read`, `Orch.Viewer`) required before task 4.~~ ✅ DONE (2025-12-04)
- ~~Policy DSL schema and simulator APIs needed before tasks 67 and downstream Policy Studio tasks.~~ ✅ DONE (2025-12-05) — Monaco language definition, RBAC scopes/guards, API client, and models created in `features/policy-studio/`.
## Upcoming Checkpoints
- None scheduled; add dates once UI Guild sets Wave A/B/C reviews.
@@ -70,13 +70,15 @@
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| VEX schema changes post-sprint 0215 | Rework of tasks 23 | Gate VEX tab behind feature flag; align early with sprint 0215 owners | UI Guild · VEX lead |
| `orch:read` scope contract slips | Task 4 blocked; dashboard gating incomplete | Coordinate with Orchestrator guild; mock scope locally until contract lands | UI Guild · Console Guild |
| Policy DSL/simulator API churn | Tasks 615 blocked or reworked | Freeze DSL schema before Monaco editor; stage simulator APIs with contract tests | UI Guild · Policy Guild |
| ~~VEX schema changes post-sprint 0215~~ | ~~Rework of tasks 23~~ | ✅ MITIGATED: VEX tab implemented, schema stable | UI Guild · VEX lead |
| ~~`orch:read` scope contract slips~~ | ~~Task 4 blocked~~ | ✅ MITIGATED: Scopes/guards implemented | UI Guild · Console Guild |
| ~~Policy DSL/simulator API churn~~ | ~~Tasks 615 blocked~~ | ✅ MITIGATED: Monaco language def, RBAC, API client, models created (2025-12-05) | UI Guild · Policy Guild |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
| 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |
| 2025-12-04 | UI-ORCH-32-001 DONE: Implemented Orchestrator RBAC surfacing. Added orch:read/operate/quota/backfill scopes to `scopes.ts`, ORCH_VIEWER/ORCH_OPERATOR/ORCH_ADMIN scope groups, scope labels. Added canViewOrchestrator/canOperateOrchestrator/canManageOrchestratorQuotas/canInitiateBackfill methods to AuthService. Created requireScopesGuard/requireAnyScopeGuard guard factories and requireOrchViewerGuard/requireOrchOperatorGuard/requireOrchQuotaGuard pre-built guards in `auth.guard.ts`. Added Orchestrator routes with guards and placeholder components in `features/orchestrator/`. Wave B complete. | Implementer |
| 2025-12-04 | UI-LNM-22-004 DONE: Implemented permalink with copy-to-clipboard in `evidence-panel.component.ts/html/scss`. Permalink format: `/evidence/{advisoryId}?tab={tab}&linkset={linksetId}&policy={policyId}`. Added Clipboard API with fallback, visually-hidden utility class for accessibility, and high-contrast theme support through semantic color usage. Wave A complete. | Implementer |
| 2025-12-04 | UI-LNM-22-003 DONE: Implemented VEX tab with status summary cards, conflict indicators, decision cards with justification/scope/validity/evidence display, and export actions (JSON/OpenVEX/CSAF). Added VexDecision/VexConflict/VexStatusSummary models to `evidence.models.ts`. | Implementer |

17
docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md
View File

@@ -31,11 +31,11 @@
| 8 | DOCS-DEVPORT-62-001 | DONE (2025-11-25) | — | Docs Guild · Developer Portal Guild | Document `/docs/devportal/publishing.md` for build pipeline and offline bundle steps. |
| 9 | DOCS-CONSOLE-OBS-52-001 | BLOCKED (2025-11-25) | Need Observability Hub widget shots + deterministic sample payloads from Console Guild; require hash list for captures. | Docs Guild · Console Guild | `/docs/console/observability.md` (widgets, trace/log search, imposed rule banner, accessibility tips). |
| 10 | DOCS-CONSOLE-OBS-52-002 | BLOCKED (2025-11-25) | Depends on DOCS-CONSOLE-OBS-52-001 content/assets. | Docs Guild · Console Guild | `/docs/console/forensics.md` (timeline explorer, evidence viewer, attestation verifier, troubleshooting). |
| 11 | DOCS-EXC-25-001 | BLOCKED (2025-11-25) | Await governance exception lifecycle spec + examples from Governance Guild. | Docs Guild · Governance Guild | `/docs/governance/exceptions.md` (lifecycle, scope patterns, compliance checklist). |
| 12 | DOCS-EXC-25-002 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-001; needs routing matrix and MFA/audit rules from Authority Core. | Docs Guild · Authority Core | `/docs/governance/approvals-and-routing.md` (roles, routing, audit trails). |
| 13 | DOCS-EXC-25-003 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-002; waiting on exception API contract. | Docs Guild · BE-Base Platform Guild | `/docs/api/exceptions.md` (endpoints, payloads, errors, idempotency). |
| 14 | DOCS-EXC-25-005 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-003 UI payloads + accessibility guidance from UI Guild. | Docs Guild · UI Guild | `/docs/ui/exception-center.md` (UI walkthrough, badges, accessibility). |
| 15 | DOCS-EXC-25-006 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-005; needs CLI command shapes + exit codes from DevEx. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/exceptions.md` (commands and exit codes). |
| 11 | DOCS-EXC-25-001 | BLOCKED (2025-11-25) | Await governance exception lifecycle spec + examples from Governance Guild. Stub + hash index committed to reduce rework. | Docs Guild · Governance Guild | `/docs/governance/exceptions.md` (lifecycle, scope patterns, compliance checklist). |
| 12 | DOCS-EXC-25-002 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-001; needs routing matrix and MFA/audit rules from Authority Core. Stub + hash index committed. | Docs Guild · Authority Core | `/docs/governance/approvals-and-routing.md` (roles, routing, audit trails). |
| 13 | DOCS-EXC-25-003 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-002; waiting on exception API contract. Stub + hash index committed. | Docs Guild · BE-Base Platform Guild | `/docs/api/exceptions.md` (endpoints, payloads, errors, idempotency). |
| 14 | DOCS-EXC-25-005 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-003 UI payloads + accessibility guidance from UI Guild. Stub + hash index committed. | Docs Guild · UI Guild | `/docs/ui/exception-center.md` (UI walkthrough, badges, accessibility). |
| 15 | DOCS-EXC-25-006 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-005; needs CLI command shapes + exit codes from DevEx. Stub + hash index committed. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/exceptions.md` (commands and exit codes). |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -46,6 +46,11 @@
| 2025-11-25 | Delivered DOCS-DEVPORT-62-001 and DOCS-CONTRIB-62-001 (devportal publishing and API contracts docs). | Docs Guild |
| 2025-11-23 | Migrated completed work to archive (`docs/implplan/archived/tasks.md`); retained active items in sprint. | Docs Guild |
| 2025-11-18 | Imported task inventory from Md.II; flagged console observability and exceptions chain as BLOCKED awaiting upstream specs/assets. | Project Mgmt |
| 2025-12-04 | Added deterministic stubs for DOCS-CONSOLE-OBS-52-001 (`docs/console/observability.md`) and DOCS-CONSOLE-OBS-52-002 (`docs/console/forensics.md`) to lock outline and determinism checklist while awaiting assets/hashes; tasks remain BLOCKED. | Docs Guild |
| 2025-12-04 | Added `docs/console/SHA256SUMS` placeholder to record hashes once console captures/payloads arrive; keeps determinism workflow ready. | Docs Guild |
| 2025-12-05 | Recorded stub hash entries in `docs/console/SHA256SUMS` for observability/forensics outlines; replace with real asset hashes when provided. Tasks stay BLOCKED. | Docs Guild |
| 2025-12-05 | Created exception doc stubs + hash indexes: `docs/governance/exceptions.md`, `docs/governance/approvals-and-routing.md`, `docs/api/exceptions.md`, `docs/ui/exception-center.md`, `docs/modules/cli/guides/exceptions.md` with SHA256SUMS placeholders. Tasks remain BLOCKED pending contracts/assets. | Docs Guild |
| 2025-12-05 | Added asset directory `docs/ui/assets/exception-center/` and noted hash handling in exception-center stub; ready to drop captures when available. | Docs Guild |
## Decisions & Risks
### Decisions
@@ -56,7 +61,7 @@
### Risks
| Risk | Impact | Mitigation |
| --- | --- | --- |
| Console observability assets (widgets, sample data, hash list) not yet delivered. | Blocks DOCS-CONSOLE-OBS-52-001/002; delays console doc set. | Request asset drop + hashes from Console Guild; keep BLOCKED until fixtures arrive. |
| Console observability assets (widgets, sample data, hash list) not yet delivered. | Blocks DOCS-CONSOLE-OBS-52-001/002; delays console doc set. | Request asset drop + hashes from Console Guild; outlines/stubs now in repo to reduce rework; keep BLOCKED until fixtures arrive. |
| Exception governance contract & routing matrix outstanding. | Blocks DOCS-EXC-25-001..006 chain; downstream CLI/UI/API docs stalled. | Ask Governance/Authority/Platform guilds for contract + API draft; keep tasks BLOCKED and mirror in `BLOCKED_DEPENDENCY_TREE.md` if escalated. |
## Next Checkpoints

13
docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md
View File

@@ -27,7 +27,9 @@
| 2 | AUTHORITY-ENG-0001 | DONE (2025-11-27) | Sprint readiness tracker added. | Module Team (`docs/modules/authority`) | Implementation plan readiness tracker mapped to epics/sprints (already delivered). |
| 3 | AUTHORITY-OPS-0001 | DONE (2025-11-30) | Add TASKS board + observability references. | Ops Guild (`docs/modules/authority`) | Ensure monitoring/backup/rotation runbooks are linked and offline-friendly; mirror status via TASKS. |
| 4 | AUTH-GAPS-314-004 | DONE (2025-12-04) | Gap remediation docs added under `docs/modules/authority/gaps/`; awaiting signing of artefacts when produced. | Product Mgmt · Authority Guild | Address auth gaps AU1AU10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: signed scope/role catalog + versioning, audience/tenant/binding enforcement matrix, DPoP/mTLS nonce policy, revocation/JWKS schema+freshness, key rotation governance, crypto-profile registry, offline verifier bundle, delegation quotas/alerts, ABAC schema/precedence, and auth conformance tests/metrics. |
| 5 | REKOR-RECEIPT-GAPS-314-005 | DONE (2025-12-04) | Gap remediation docs + layout published under `docs/modules/authority/gaps/`; artefact signing will follow policy/receipt generation. | Authority Guild · Attestor Guild · Sbomer Guild | Remediate RR1RR10: signed receipt schema + canonical hash, required fields (tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash), provenance (TUF snapshot, client version/flags), TSA/Fulcio chain, mirror metadata, repro inputs hash, offline verify script, storage/retention rules, metrics/alerts, and DSSE signing of schema/catalog. |
| 5 | REKOR-RECEIPT-GAPS-314-005 | DONE (2025-12-04) | Gap remediation docs + layout published under `docs/modules/authority/gaps/`; dev-smoke DSSE bundles exist. Production signing will follow once Authority key is available. | Authority Guild · Attestor Guild · Sbomer Guild | Remediate RR1RR10: signed receipt schema + canonical hash, required fields (tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash), provenance (TUF snapshot, client version/flags), TSA/Fulcio chain, mirror metadata, repro inputs hash, offline verify script, storage/retention rules, metrics/alerts, and DSSE signing of schema/catalog. |
| 6 | AUTH-GAPS-ARTEFACTS | DOING (2025-12-04) | Draft artefacts staged under `docs/modules/authority/gaps/artifacts/`; hashes in `gaps/SHA256SUMS`; waiting on Authority signing key to DSSE. | Docs Guild | Generate and sign AU1AU10 artefacts (catalog, schemas, bundle manifest, binding matrix, quotas, ABAC, conformance tests); append DSSE once signed. |
| 7 | REKOR-RECEIPT-ARTEFACTS | DOING (2025-12-04) | Draft artefacts staged under `docs/modules/authority/gaps/artifacts/`; hashes in `gaps/SHA256SUMS`; waiting on Authority signing key to DSSE. | Docs Guild · Attestor Guild · Sbomer Guild | Generate and sign RR1RR10 artefacts (receipt schema, policy, bundle manifest, error taxonomy); append DSSE once signed. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -40,13 +42,18 @@
| 2025-12-01 | Added REKOR-RECEIPT-GAPS-314-005 to track RR1RR10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending receipt schema/bundle updates. | Product Mgmt |
| 2025-12-04 | AUTH-GAPS-314-004 DONE: published gap remediation package `docs/modules/authority/gaps/2025-12-04-auth-gaps-au1-au10.md` + evidence map and SHA index stub. Linked from README. | Docs Guild |
| 2025-12-04 | REKOR-RECEIPT-GAPS-314-005 DONE: published RR1RR10 remediation doc `docs/modules/authority/gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md` with policy/schema/bundle layout and hashing/DSSE plan. | Docs Guild |
| 2025-12-04 | Drafted artefacts for AU1AU10 and RR1RR10 (catalogs, schemas, bundle manifests, matrices) under `docs/modules/authority/gaps/`; populated `SHA256SUMS`. All artefacts are unsigned and ready for DSSE once Authority key is available. | Docs Guild |
| 2025-12-05 | Added signing helper `tools/cosign/sign-authority-gaps.sh` for AU/RR artefacts; defaults to `docs/modules/authority/gaps/dsse/2025-12-04`; dev key allowed only via `COSIGN_ALLOW_DEV_KEY=1`. DSSE still pending Authority key. | Docs Guild |
| 2025-12-05 | Smoke-signed AU/RR artefacts with dev key into `docs/modules/authority/gaps/dev-smoke/2025-12-05/` using `sign-authority-gaps.sh` (COSIGN_ALLOW_DEV_KEY=1, no tlog). Production DSSE still pending real Authority key. | Docs Guild |
| 2025-12-05 | Recorded dev-smoke bundle hashes in `docs/modules/authority/gaps/dev-smoke/2025-12-05/SHA256SUMS`; kept main SHA256SUMS unchanged for production signing. | Docs Guild |
| 2025-12-05 | Added dev-smoke DSSE hash list for AU/RR artefacts (authority*, crypto profile, rekor receipt) to `dev-smoke/2025-12-05/SHA256SUMS`; production hash list remains in `gaps/SHA256SUMS` for future real signing. | Docs Guild |
## Decisions & Risks
- Offline posture must be preserved; dashboards stay JSON importable (no external datasources).
- Tenant-scope/Surface.Env/Surface.Secrets contracts must stay aligned with platform docs; update sprint/TASKS if they change.
- Keep sprint and TASKS mirrored to avoid drift.
- Rekor receipt schema/catalog changes (RR1RR10) must be signed and mirrored in Authority/Sbomer; track via REKOR-RECEIPT-GAPS-314-005. Docs landed; DSSE signing still pending once artefacts are generated.
- AU1AU10 docs landed; artefact generation/signing (catalog, schemas, bundle manifest) remain to be executed when inputs arrive. Keep SHA256SUMS/DSSE paths stable to avoid drift.
- Rekor receipt schema/catalog changes (RR1RR10) must be signed and mirrored in Authority/Sbomer; artefacts drafted and hashed (see `gaps/`), DSSE signing still pending once Authority key is available.
- AU1AU10 artefacts drafted and hashed; DSSE signing pending. Keep SHA256SUMS/DSSE paths stable to avoid drift.
## Next Checkpoints
- 2025-12-05 · Verify grafana-dashboard.json still matches current metrics contract; update runbooks if changes land. Owner: Ops Guild.

1
docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
View File

@@ -40,6 +40,7 @@
| 2025-11-26 | GRAPH-DOCS-0002 completed: added `architecture-index.md` plus README cross-link covering data model, ingestion pipeline, overlays, events, API/metrics pointers. | Docs Guild |
| 2025-11-26 | GRAPH-OPS-0001 completed: added ops/runbook guidance to `docs/modules/graph/README.md` (health checks, key metrics, alerts, triage steps) and linked Grafana dashboard import path. | Ops Guild |
| 2025-11-26 | Updated README to point to `docs/api/graph-gateway-spec-draft.yaml` (NDJSON tiles, budgets, overlays) to keep API docs discoverable from module front door. | Docs Guild |
| 2025-12-05 | Added placeholder `docs/modules/graph/prep/2025-12-05-ops-demo-placeholder.md` and hash index `docs/modules/graph/observability/SHA256SUMS` to capture next demo outputs and hashes when delivered; GRAPH-OPS-0001 remains TODO. | Docs Guild |
## Decisions & Risks
- Cross-links blocked on DOCS-GRAPH-24-003; track before marking GRAPH-DOCS-0002 done.

4
docs/implplan/SPRINT_0333_0001_0001_docs_modules_excititor.md
View File

@@ -37,9 +37,11 @@
| 2025-11-30 | Normalised sprint to standard template; renamed from `SPRINT_333_docs_modules_excititor.md`; added compatibility stub. | Docs Guild |
| 2025-11-07 | Marked EXCITOR-DOCS-0001/OPS-0001/ENG-0001 as DONE after README, runbook checklist, and implementation plan sync. | Module Team |
| 2025-11-19 | EXCITITOR-DOCS-0001 set to BLOCKED pending chunk API CI and OpenAPI freeze. | Docs Guild |
| 2025-12-05 | Added `docs/modules/excititor/OPENAPI_FREEZE_CHECKLIST.md` defining freeze gate (CI green, pinned OpenAPI, hashed samples) to unblock EXCITITOR-DOCS-0001. Tasks remain BLOCKED until criteria met. | Docs Guild |
| 2025-12-05 | Added stub paths for chunk API assets (`docs/modules/excititor/api/` with `SHA256SUMS` + `samples/`) so hashes can be recorded immediately when the OpenAPI freeze lands; EXCITITOR-DOCS-0001 still BLOCKED. | Docs Guild |
## Decisions & Risks
- EXCITITOR-DOCS-0001 blocked on chunk API CI validation and OpenAPI freeze; downstream ops/eng tasks stay TODO until resolved.
- EXCITITOR-DOCS-0001 blocked on chunk API CI validation and OpenAPI freeze; downstream ops/eng tasks stay TODO until resolved. Freeze gate captured in `docs/modules/excititor/OPENAPI_FREEZE_CHECKLIST.md` (CI green, pinned spec, hashed samples).
- Mirror statuses in `docs/modules/excititor/TASKS.md` to avoid drift between sprint and module board.
- Offline posture must be maintained; dashboards should remain importable without external services.

7
docs/implplan/SPRINT_0500_0001_0001_ops_offline.md
View File

@@ -16,7 +16,14 @@ This file now only tracks the Ops & Offline status snapshot. Active backlog live
| 190.D Samples | Samples Guild · Module Guilds requesting fixtures | Same as above | TODO | Large SBOM/VEX fixtures depend on Graph and Concelier schema updates; start after those land. |
| 190.E AirGap Controller | AirGap Controller Guild · DevOps Guild · Authority Guild | Same as above | TODO | Seal/unseal state machine should launch only after Attestor/Authority sealed-mode changes are confirmed in Ops Deployment. |
## Next Checkpoints
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Ops & Offline wave sync (Project PM) | Rebaseline waves 190.A/190.B/190.C using sprint-specific checkpoints (see sprints 05010508); align blocked items and upcoming drops. | Extend to 2025-12-13 if upstream signals still pending; keep waves gated. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Renamed to `SPRINT_0500_0001_0001_ops_offline.md` to match sprint filename template; no scope/status changes. | Project PM |
| 2025-12-05 | Cross-link scrub: all references to legacy ops sprint filenames updated to new IDs across implplan docs; no status changes. | Project PM |
| 2025-12-04 | Added cross-wave checkpoint (2025-12-10) to align Ops & Offline waves with downstream sprint checkpoints; no status changes. | Project PM |

8
docs/implplan/SPRINT_0501_0001_0001_ops_deployment_i.md
View File

@@ -46,6 +46,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Renamed from `SPRINT_501_ops_deployment_i.md` to template-compliant `SPRINT_0501_0001_0001_ops_deployment_i.md`; no task/status changes. | Project PM |
| 2025-12-04 | Added dated checkpoints (Dec-06 mirror signing, Dec-07 ledger path, Dec-10 rebaseline); no task/status changes. | Project PM |
| 2025-11-25 | Marked COMPOSE-44-001 BLOCKED: waiting on consolidated service list + version pins from upstream module releases before writing compose/quickstart bundle. | Project Mgmt |
| 2025-11-25 | Marked DEPLOY-AIRGAP-46-001 BLOCKED: waiting on Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) before authoring load scripts and offline kit guide updates. | Project Mgmt |
| 2025-11-25 | Ingested DEVOPS-MIRROR-23-001-REL from Concelier I sprint; track alongside DEPLOY-MIRROR-23-001 with same CI/signing dependencies. | Project Mgmt |
@@ -56,5 +57,8 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
- Findings Ledger deployment assets cannot be committed until DevOps assigns target directories to keep module boundaries clean.
## Next Checkpoints
- 2025-11-25: Review mirror signing secret readiness with Security/DevOps.
- 2025-11-26: Findings Ledger deployment path/backup runbook review with DevOps Guild.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-06 | Mirror signing secret + Attestor contract sync (Deployment + Security + DevOps) | Confirm `MIRROR_SIGN_KEY_B64` wiring and Attestor mirror contract to unblock DEPLOY-MIRROR-23-001 / DEVOPS-MIRROR-23-001-REL. | Escalate to steering on 2025-12-07; keep tasks BLOCKED. |
| 2025-12-07 | Findings Ledger deploy path review (Deployment + DevOps + Ledger Guild) | Assign target directories and backup/restore runbook path to unblock DEPLOY-LEDGER-29-009. | If undecided, reschedule to 2025-12-10 and log risk. |
| 2025-12-10 | Ops Deployment I rebaseline (Project PM) | Decide whether COMPOSE-44 chain can start (service list/version pins) and update statuses. | Extend to 2025-12-13 if inputs still missing. |

5
docs/implplan/SPRINT_0502_0001_0001_ops_deployment_ii.md
View File

@@ -35,10 +35,13 @@
| --- | --- | --- |
| 2025-12-04 | Renamed from `SPRINT_502_ops_deployment_ii.md` to template-compliant `SPRINT_0502_0001_0001_ops_deployment_ii.md`; no task/status changes. | Project PM |
| 2025-12-02 | Normalized sprint file to standard template; no task status changes | StellaOps Agent |
| 2025-12-04 | Added dated planning checkpoint (Dec-10) to schedule HELM-45 and VEX/VULN deployment starts; no status changes. | Project PM |
## Decisions & Risks
- Dependencies between HELM-45 tasks enforce serial order; note in task sequencing.
- Risk: Offline kit instructions must avoid external image pulls; ensure pinned digests and air-gap copy steps.
## Next Checkpoints
- None scheduled; add dates when guild checkpoints are set.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Ops Deployment II planning sync (Deployment Guild) | Set start dates for HELM-45-001/002/003 and DEPLOY-VEX/VULN chains; confirm upstream artefacts. | If upstream inputs missing, extend to 2025-12-13 and log blockers. |

8
docs/implplan/SPRINT_0503_0001_0001_ops_devops_i.md
View File

@@ -57,6 +57,8 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Renamed from `SPRINT_503_ops_devops_i.md` to template-compliant `SPRINT_0503_0001_0001_ops_devops_i.md`; no task/status changes. | Project PM |
| 2025-12-05 | Cross-link scrub completed: all inbound references now point to `SPRINT_0503_0001_0001_ops_devops_i`; no status changes. | Project PM |
| 2025-12-04 | Added dated checkpoints (Dec-06 readiness sync, Dec-10 rebaseline); no status changes. | Project PM |
| 2025-11-30 | Completed DEVOPS-AIRGAP-58-002: added sealed-mode observability compose stack (Prometheus/Grafana/Tempo/Loki) with offline configs plus health script under `ops/devops/airgap/`; ready for sealed-mode bootstrap. | DevOps |
| 2025-11-30 | Completed DEVOPS-SBOM-23-001: added SBOM CI runner (`ops/devops/sbom-ci-runner/run-sbom-ci.sh`) with warmed-cache restore, binlog/TRX outputs, and NuGet cache hash evidence; documented in runner README. | DevOps |
| 2025-11-30 | Completed DEVOPS-SCANNER-CI-11-001: added offline-friendly Scanner CI runner (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`) and README; produces build binlog + TRX outputs from key test projects with warmed NuGet cache. | DevOps |
@@ -89,5 +91,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
- New CI-runner tasks must produce reproducible binlogs/TRX and cache hashes to keep offline posture intact.
## Next Checkpoints
- 2025-11-25: CI runner provisioning check for Concelier/Scanner/SBOM cache jobs.
- 2025-11-27: Sealed-mode fixture availability review (DEVOPS-AIRGAP-57-002).
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-06 | AOC/airgap readiness sync (DevOps Guild) | Confirm availability of DEVOPS-AIRGAP-57-002 fixtures and AOC analyzer/guard stages to unblock AOC-19-001/002/003. | If fixtures absent, reschedule for 2025-12-10 and keep AOC tasks BLOCKED. |
| 2025-12-10 | Ops DevOps I rebaseline (Project PM) | Re-assess blocked items (DEVOPS-AIAI-31-002, DEVOPS-AIRGAP-57-002, AOC-19-001/002/003, FEED remediation). | Extend to 2025-12-13 with blockade summary if still blocked. |

11
docs/implplan/SPRINT_0504_0001_0001_ops_devops_ii.md
View File

@@ -1,4 +1,4 @@
# Sprint 0504 · Ops DevOps II (Ops & Offline 190.B)
# Sprint 0504_0001_0001 · Ops DevOps II (Ops & Offline 190.B)
## Topic & Scope
- Ops & Offline track focusing on DevOps phase II: container/CLI pipelines, air-gap packaging, and console delivery.
@@ -41,11 +41,13 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Updated title to match sprint filename; no task/status changes. | Project PM |
| 2025-12-03 | Normalised sprint structure (template alignment); added action tracker to Decisions/Risks; no status changes. | Planning |
| 2025-12-02 | Normalised sprint to standard template; renamed file to `SPRINT_0504_0001_0001_ops_devops_ii.md`; set DEVOPS-CONSOLE-23-002 to BLOCKED pending DEVOPS-CONSOLE-23-001. | Project Mgmt |
| 2025-11-24 | Updated DevOps CLI/Containers/Attest tasks to DONE; archived prior wave in `docs/implplan/archived/tasks.md`. | DevOps Guild |
| 2025-10-29 | Marked DEVOPS-EXPORT-35-001 BLOCKED pending exporter service inputs. | DevOps Guild |
| 2025-10-26 | Marked DEVOPS-CONSOLE-23-001 BLOCKED pending offline runner and artifact retention policy. | DevOps Guild |
| 2025-12-04 | Added dated checkpoints (Dec-06/07/10) for console runner decision and exporter schema sync; no status changes. | Project PM |
## Decisions & Risks
- DEVOPS-CONSOLE-23-002 cannot proceed until DEVOPS-CONSOLE-23-001 CI pipeline and offline runner spec are approved.
@@ -54,5 +56,8 @@
- Action: unblock console CI by providing offline runner and artifact retention specs (DEVOPS-CONSOLE-23-001). Status: BLOCKED; Owner: DevOps Guild / Console Guild.
## Next Checkpoints
- Unblock console CI (DEVOPS-CONSOLE-23-001) — assign offline runner + artifact retention policy; then start 23-002 build/Helm overlays.
- Receive exporter service schema/fixtures to start DEVOPS-EXPORT-35-001 CI pipeline definition.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-06 | Console CI runner/retention decision (DevOps + Console Guilds) | Approve offline runner profile and artifact retention so DEVOPS-CONSOLE-23-001 can move off BLOCKED. | Escalate to Ops steering on 2025-12-07; keep console tasks BLOCKED. |
| 2025-12-07 | Exporter schema/fixtures sync (DevOps + Exporter Guild) | Confirm availability of exporter service schema/fixtures to start DEVOPS-EXPORT-35-001 CI pipeline. | Log risk and reschedule for 2025-12-10; keep task BLOCKED. |
| 2025-12-10 | Rebaseline Ops DevOps II (Project PM) | Refresh statuses post-schema decisions; either start exporter CI or extend blockade summary. | Extend checkpoint to 2025-12-13 if still blocked. |

4
docs/implplan/SPRINT_0505_0001_0001_ops_devops_iii.md
View File

@@ -59,4 +59,6 @@
- Offline posture: ensure all deployment/CI assets use pinned digests and avoid live internet pulls for air-gapped kits.
## Next Checkpoints
- None scheduled; add dates when guild checkpoints are set.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Rebaseline Ops DevOps III (Project PM) | Confirm status of blocked LNM tooling/ledger OAS chains; decide whether to keep BLOCKED or schedule unblock actions. | Extend to 2025-12-13 if upstream artefacts still missing. |

7
docs/implplan/SPRINT_0506_0001_0001_ops_devops_iv.md
View File

@@ -82,6 +82,7 @@
- Surface.Secrets: provisioning playbook published; ensure Helm/Compose env stays in sync; offline kit bundles encrypted secrets—unpack path must match `*_SURFACE_SECRETS_ROOT`.
## Next Checkpoints
- Unblock DEVOPS-TEN-47-001/48-001 by landing Authority tenancy harness and tenant fixtures.
- Deliver AIRGAP-TIME-57-001 to unblock mirror signing follow-ons (MIRROR-CRT-57/58) and export provenance chain.
- Free runner disk space routinely using `scripts/devops/cleanup-workspace.sh` and docker prune to keep CI green.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Ops DevOps IV rebaseline (Project PM) | Check TEN-47/48 harness readiness and AIRGAP-TIME-57-001 availability; decide on moving blocked items or keeping them paused. | Push to 2025-12-13 if dependencies still absent; keep tasks BLOCKED. |
| Weekly | Runner hygiene (DevOps Guild) | Ensure disk space cleanup using `scripts/devops/cleanup-workspace.sh` to prevent CI failures. | Escalate to infra if recurring space issues remain. |

7
docs/implplan/SPRINT_0507_0001_0001_ops_devops_v.md
View File

@@ -60,6 +60,7 @@
- Surface.Secrets/Surface.Env alignment retained; validate offline kit unpack paths whenever images/paths change.
## Next Checkpoints
- Run TEN-48 harness once available to exercise tenant chaos/load assets end-to-end.
- Track service owner adoption of hardened Docker template via `ops/devops/docker/build-all.sh` and `verify_health_endpoints.sh`.
- Validate SBOM/attestation verification in CI with production image names/digests after new images are built from the matrix.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Tenant harness & Docker adoption sync (DevOps Guild) | Confirm TEN-48 harness availability; collect adoption status for hardened Docker template/health endpoints. | Extend to 2025-12-13; keep adoption tracking open. |
| 2025-12-12 | SBOM/attestation verification dry run (DevOps Guild) | Run CI verification with production image names/digests using DOCKER-44 matrix. | If images not ready, reschedule to 2025-12-15 and log risk. |

6
docs/implplan/SPRINT_0508_0001_0001_ops_offline_kit.md
View File

@@ -45,5 +45,7 @@
- Keep `test_build_offline_kit.py` updated when new artefact types are added to avoid silent omissions.
## Next Checkpoints
- Validate latest service releases still picked up automatically by offline kit script before next drop.
- Re-run offline kit tests when new artefact type is added (e.g., new service bundles) and refresh `docs/24_OFFLINE_KIT.md`.
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-10 | Offline kit pickup audit (Offline Kit Guild) | Verify latest service releases auto-pickup in offline kit; rerun `test_build_offline_kit.py`. | If artefacts missing, patch pickup rules and retest by 2025-12-13. |
| 2025-12-10 | Surface.Secrets/Env alignment check (DevOps + Offline Kit Guilds) | Confirm Surface.Secrets bundles still decrypt/unpack correctly in kit; validate doc paths. | If drift found, update docs/scripts and retest by 2025-12-13. |

42
docs/implplan/SPRINT_3409_0001_0001_issuer_directory_postgres.md Normal file
View File

@@ -0,0 +1,42 @@
# Sprint 3409 · Issuer Directory PostgreSQL Migration
## Topic & Scope
- Move Issuer Directory from MongoDB to PostgreSQL using approved schema (`docs/db/schemas/issuer.sql`).
- Deliver tenant-scoped issuers, keys, trust overrides, and audit on Postgres.
- **Working directory:** src/IssuerDirectory/StellaOps.IssuerDirectory
## Dependencies & Concurrency
- Foundations complete; shared Postgres infra available.
- No parallel dependency; can run independently now that conversion program is done.
## Documentation Prerequisites
- docs/db/schemas/issuer.sql
- docs/db/MIGRATION_STRATEGY.md
- docs/modules/issuer-directory/architecture.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ISSUER-PG-01 | DONE (2025-12-05) | None | Issuer Guild | Create `StellaOps.IssuerDirectory.Storage.Postgres` project + DataSource |
| 2 | ISSUER-PG-02 | DONE (2025-12-05) | ISSUER-PG-01 | Issuer Guild | Implement schema migration from `docs/db/schemas/issuer.sql` |
| 3 | ISSUER-PG-03 | TODO | ISSUER-PG-02 | Issuer Guild | Implement repositories (issuers, keys, trust_overrides, audit) |
| 4 | ISSUER-PG-04 | TODO | ISSUER-PG-03 | Issuer Guild | Add configuration switch (Persistence:IssuerDirectory) |
| 5 | ISSUER-PG-05 | TODO | ISSUER-PG-03 | Issuer Guild | Integration tests (CRUD, trust overrides, audit) |
| 6 | ISSUER-PG-06 | TODO | ISSUER-PG-05 | Issuer Guild | Backfill Mongo data to Postgres (issuers, keys, audit) or approve fresh-start |
| 7 | ISSUER-PG-07 | TODO | ISSUER-PG-06 | Issuer Guild | Verification report |
| 8 | ISSUER-PG-08 | TODO | ISSUER-PG-07 | Issuer Guild | Switch Issuer Directory to Postgres-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Sprint draft created, awaiting staffing. | PM |
| 2025-12-05 | Implemented ISSUER-PG-01: Created `StellaOps.IssuerDirectory.Storage.Postgres` project with `IssuerDirectoryDataSource` class extending `DataSourceBase`, added initial migration SQL (`001_initial_schema.sql`) with schema, tables (issuers, issuer_keys, trust_overrides, audit, schema_migrations), indexes, and triggers from `docs/db/schemas/issuer.sql`. Added `ServiceCollectionExtensions` for DI registration. Updated solution file. Also fixed pre-existing NU1510 issue in Core project (removed redundant System.Diagnostics.DiagnosticSource). Build verified (0 errors). | Issuer Guild |
## Decisions & Risks
- Decision needed: Backfill Mongo issuer data vs fresh-start with CSAF seed import only.
- Risk: Fingerprint uniqueness enforcement may reject malformed legacy keys; plan remediation script if backfilling.
- Audit log volume expected to be moderate; shared audit schema is available if centralization is desired.
## Next Checkpoints
- Staff and start ISSUER-PG-01..02.
- Clarify backfill vs fresh-start before ISSUER-PG-06.

4
docs/implplan/archived/SPRINT_0110_0001_0001_ingestion_evidence.md
View File

@@ -76,7 +76,7 @@
## Action Tracker
| ID | Status | Owner | Action | Due date |
| --- | --- | --- | --- | --- |
| — | — | — | Operational/CI actions reside in `SPRINT_506_ops_devops_iv.md`; feed remediation items live in `SPRINT_503_ops_devops_i.md` (moved 2025-11-25). Sprint 0110 tracks dev deliverables only. | — |
| — | — | — | Operational/CI actions reside in `SPRINT_0506_0001_0001_ops_devops_iv.md`; feed remediation items live in `SPRINT_0503_0001_0001_ops_devops_i.md` (moved 2025-11-25). Sprint 0110 tracks dev deliverables only. | — |
## Decisions & Risks
### Decisions in flight
@@ -103,7 +103,7 @@
| 2025-11-25 | Added `tools/run-airgap-bundle-tests.sh` to run the Airgap bundle determinism slice with TRX output (`TestResults/airgap-bundle.trx`) for CI runners with warmed NuGet cache; local runs still stall on this host. | Implementer |
| 2025-11-25 | Attempted local build/test via `tools/run-airgap-bundle-tests.sh`; restore/build stalled and was cancelled (~12s). Action: execute on CI runner with warmed NuGet cache to produce `TestResults/airgap-bundle.trx`. | Implementer |
| 2025-11-25 | Finalised air-gap bundle determinism: `AirgapBundleBuilder` now accepts injected `createdUtc` (default Unix epoch) and manifests/entry-traces are bit-for-bit stable across runs; CONCELIER-AIRGAP-56-001..58-001 dependencies (LNM schema + Evidence Locker contract) closed out. | Implementer |
| 2025-11-23 | Moved CI runner + mirror assembler promotion actions to `SPRINT_506_ops_devops_iv.md`; Sprint 0110 now tracks development deliverables only. | Project Mgmt |
| 2025-11-23 | Moved CI runner + mirror assembler promotion actions to `SPRINT_0506_0001_0001_ops_devops_iv.md`; Sprint 0110 now tracks development deliverables only. | Project Mgmt |
| 2025-11-23 | Normalised sections to template (added Wave Coordination/Detail Snapshots/Interlocks/Action Tracker; renamed Upcoming Checkpoints; no status changes.) | Project Mgmt |
| 2025-11-23 | Added Mongo2Go wrapper that prepends OpenSSL path inside the invoked binary and reran `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj -c Release --filter LinksetsEndpoint_SupportsCursorPagination` successfully (uses cached mongod 4.4.4). BUILD-TOOLING-110-001 marked DONE. | Implementer |
| 2025-11-23 | Relocated release-oriented tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) to SPRINT_0506_ops_devops_iv per directive; sprint retains development scope only. Remaining tasks (SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP/CONSOLE, FEEDCONN) remain blocked on upstream artefacts. | Implementer |

4
docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md
View File

@@ -38,7 +38,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Ops release lane DEVOPS-MIRROR-23-001-REL moved to `SPRINT_501_ops_deployment_i` (tracked with DEPLOY-MIRROR-23-001); removed from this sprint tracker; sprint archived. | Project Mgmt |
| 2025-11-25 | Ops release lane DEVOPS-MIRROR-23-001-REL moved to `SPRINT_0501_0001_0001_ops_deployment_i` (tracked with DEPLOY-MIRROR-23-001); removed from this sprint tracker; sprint archived. | Project Mgmt |
| 2025-11-25 | Exposed attestation request/validation contracts at `src/Concelier/StellaOps.Concelier.WebService/Contracts/AttestationContracts.cs`; WebServiceEndpointsTests rebuilt and targeted `HealthAndReadyEndpointsRespond` passes (`dotnet test ... --filter HealthAndReadyEndpointsRespond`). | Concelier Implementer |
| 2025-11-23 | Implemented deterministic chunk cache transparency headers (key hash, hit, ttl) in WebService; CONCELIER-CACHE-22-001 set to DONE. | Concelier Platform |
| 2025-11-23 | Split mirror work: 23-001-DEV remains here (schema/handlers/tests); release publishing moved to DEVOPS-MIRROR-23-001-REL (DevOps sprint, not a dev blocker). | Project Mgmt |
@@ -51,7 +51,7 @@
## Decisions & Risks
- Keep Concelier aggregation-only; no consensus merges.
- Cache determinism is critical; deviation breaks telemetry and advisory references.
- Mirror transparency metadata must stay aligned with Attestor; dev mirror complete, release publishing owned by `SPRINT_501_ops_deployment_i` (DEPLOY-MIRROR-23-001).
- Mirror transparency metadata must stay aligned with Attestor; dev mirror complete, release publishing owned by `SPRINT_0501_0001_0001_ops_deployment_i` (DEPLOY-MIRROR-23-001).
- Health/ready and attestation verification paths now green in WebService test harness; fallback to Mongo2Go remains for air-gapped runs.
## Next Checkpoints

4
docs/implplan/archived/SPRINT_0119_0001_0001_excititor_i.md
View File

@@ -49,7 +49,7 @@
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | DONE (2025-11-18; doc in `docs/modules/excititor/evidence-contract.md`) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | MOVED (2025-11-24 → `DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | MOVED (2025-11-24 → `DEVOPS-SPANSINK-31-003` in `SPRINT_0503_0001_0001_ops_devops_i`) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | DONE (2025-11-24; sealed-mode toggle/error catalog implemented) |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-24; manifest + EvidenceLocker path persisted with timeline events) |
| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | DONE (2025-11-17) |
@@ -95,7 +95,7 @@
| 2025-11-23 | Ran full Core UnitTests (`dotnet test -c Release --results-directory TestResults --logger trx`); 3 tests executed, all PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/TestResults/core-all.trx`). | Implementer |
| 2025-11-23 | Ran full WebService tests with TRX (`dotnet test -c Release --results-directory TestResults --logger trx`); 6 tests executed (airgap, attestation verify, chunk telemetry), all PASS. Chunk endpoint tests are not defined in the suite; no action required. TRX at `src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/TestResults/ws-all.trx`. | Implementer |
| 2025-11-24 | Completed EXCITITOR-AIRGAP-57-001 sealed-mode error catalog/toggle and EXCITITOR-AIRGAP-58-001 portable manifest + timeline linkage; updated evidence contract and WebService OpenAPI spec; `dotnet test ...WebService.Tests -c Release --no-build` passed (15 tests). | Implementer |
| 2025-11-24 | Moved observability span-sink work to Ops (`DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) per “ops tasks out of sprint” directive. | Project Mgmt |
| 2025-11-24 | Moved observability span-sink work to Ops (`DEVOPS-SPANSINK-31-003` in `SPRINT_0503_0001_0001_ops_devops_i`) per “ops tasks out of sprint” directive. | Project Mgmt |
## Decisions & Risks
- **Decisions**

598
docs/implplan/tasks-all.md
View File

@@ -4,7 +4,7 @@
| MIRROR-COORD-55-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0100_0001_0001_program_management | Program Mgmt Guild · Mirror Creator Guild | | — | — | PGMI0101 |
| ELOCKER-CONTRACT-2001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0200_0001_0001_attestation_coord | Evidence Locker Guild | docs/modules/evidence-locker/prep/2025-11-24-evidence-locker-contract.md | — | — | ATEL0101 |
| ATTEST-PLAN-2001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0200_0001_0001_attestation_coord | Evidence Locker Guild · Excititor Guild | docs/modules/attestor/prep/2025-11-24-attest-plan-2001.md | ELOCKER-CONTRACT-2001 | ATEL0101 |
| FEED-REMEDIATION-1001 | BLOCKED (2025-11-24) | 2025-11-24 | SPRINT_503_ops_devops_i | Concelier Feed Owners | | Scope missing; needs remediation runbook from feed owners | — | FEFC0101 |
| FEED-REMEDIATION-1001 | BLOCKED (2025-11-24) | 2025-11-24 | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | Scope missing; needs remediation runbook from feed owners | — | FEFC0101 |
| MIRROR-DSSE-REV-1501 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0150_0001_0001_mirror_dsse | Mirror Creator Guild · Security Guild · Evidence Locker Guild | docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md | — | — | ATEL0101 |
| AIRGAP-TIME-CONTRACT-1501 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0150_0001_0002_mirror_time | AirGap Time Guild | docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md | — | — | ATMI0102 |
| EXPORT-MIRROR-ORCH-1501 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0150_0001_0003_mirror_orch | Exporter Guild · CLI Guild | docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md | — | — | ATMI0102 |
@@ -53,15 +53,15 @@
| 401-004 | BLOCKED | 2025-11-25 | SPRINT_0401_0001_0001_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Blocked: awaiting SGSI0101 runtime facts + CAS policy from GAP-REP-004 | RPRC0101 |
| BENCH-DETERMINISM-401-057 | DONE (2025-11-27) | 2025-11-27 | SPRINT_0512_0001_0001_bench | Bench Guild · Signals Guild · Policy Guild | src/Bench/StellaOps.Bench/Determinism | Determinism harness + mock scanner; manifests/results generated; CI workflow `bench-determinism` enforces threshold; defaults to 10 runs; supports frozen feed manifests via DET_EXTRA_INPUTS; offline runner available. | Feed-freeze hash + SBOM/VEX bundle list (SPRINT_0401) | |
| 41-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | Contract implemented per `docs/modules/taskrunner/architecture.md`; run API/storage/provenance ready. | ORTR0101 |
| 44-001 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | Waiting on consolidated service list/version pins from upstream module releases (mirrors Compose-44-001 block) | DVDO0103 |
| 44-002 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | 44-001 | Blocked until 44-001 unblocks | DVDO0103 |
| 44-003 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · Docs Guild (ops/deployment) | ops/deployment | 44-002 | Blocked until 44-002 unblocks | DVDO0103 |
| 45-001 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
| 45-002 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
| 45-003 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
| 44-001 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | Waiting on consolidated service list/version pins from upstream module releases (mirrors Compose-44-001 block) | DVDO0103 |
| 44-002 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | 44-001 | Blocked until 44-001 unblocks | DVDO0103 |
| 44-003 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Docs Guild (ops/deployment) | ops/deployment | 44-002 | Blocked until 44-002 unblocks | DVDO0103 |
| 45-001 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
| 45-002 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
| 45-003 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
| 50-002 | DONE (2025-11-27) | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
| 51-002 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | Waiting on OBS-50 baselines and ORCH-OBS-50-001 schemas | TLTY0101 |
| 54-001 | BLOCKED | 2025-11-25 | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
| 54-001 | BLOCKED | 2025-11-25 | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
| 56-001 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | Blocked: SGSI0101 provenance feed/contract pending | TLTY0101 |
| 58 series | BLOCKED | 2025-11-25 | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | Placeholder for LEDGER-AIRGAP-56/57/58 chain | Blocked on LEDGER-AIRGAP-56-002 staleness spec and AirGap time anchors | PLLG0102 |
| 61-001 | DONE | 2025-11-18 | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | Spectral config + CI lint job | — | APIG0101 |
@@ -87,7 +87,7 @@
| AIAI-31-006 | DONE | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild, Policy Guild (docs) | | — | — | DOAI0101 |
| AIAI-31-008 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Remote inference packaging delivered with on-prem container + manifests. | AIAI-31-006; AIAI-31-007 | DOAI0101 |
| AIAI-31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. | — | DOAI0101 |
| AIRGAP-46-001 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | Waiting on Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | AGDP0101 |
| AIRGAP-46-001 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | Waiting on Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | AGDP0101 |
| AIRGAP-56 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap ingest parity delivered against frozen LNM schema. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
| AIRGAP-56-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | docs/modules/airgap/airgap-mode.md | Mirror import helpers and bundle catalog wired for sealed mode. | PROGRAM-STAFF-1001 | AGCO0101 |
| AIRGAP-56-001..58-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Concelier Core · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Deterministic bundle + manifest/entry-trace and sealed-mode deploy runbook shipped. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ELOCKER-CONTRACT-2001 | AGCO0101 |
@@ -96,7 +96,7 @@
| AIRGAP-56-004 | DONE | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
| AIRGAP-57 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap bundle timeline/hooks completed. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
| AIRGAP-57-001 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | src/Authority/StellaOps.Authority | | AUTH-AIRGAP-56-001; DEVOPS-AIRGAP-57-002 | KMSI0101 |
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
| AIRGAP-57-003 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild · CLI Guild | docs/modules/airgap | CLI & ops inputs | Blocked: waiting on CLI airgap contract (CLI-AIRGAP-56/57) and ops inputs | AIDG0101 |
| AIRGAP-57-004 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild · Ops Guild | docs/modules/airgap | AIRGAP-57-003 | Blocked: upstream AIRGAP-57-003 | AIDG0101 |
| AIRGAP-58 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Import/export automation delivered for frozen schema. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
@@ -116,7 +116,7 @@
| AIRGAP-IMP-57-002 | BLOCKED (2025-11-25 · disk full) | 2025-11-25 | SPRINT_510_airgap | AirGap Importer Guild · DevOps Guild | src/AirGap/StellaOps.AirGap.Importer | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. Dependencies: AIRGAP-IMP-57-001. | Blocked on disk space and controller telemetry | AGIM0101 |
| AIRGAP-IMP-58-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_510_airgap | AirGap Importer Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Importer | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. Dependencies: AIRGAP-IMP-57-002. | Blocked on 57-002 | AGIM0101 |
| AIRGAP-IMP-58-002 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_510_airgap | AirGap Importer Guild · Observability Guild | src/AirGap/StellaOps.AirGap.Importer | Emit timeline events (`airgap.import.started`. Dependencies: AIRGAP-IMP-58-001. | Blocked on 58-001 | AGIM0101 |
| AIRGAP-TIME-57-001 | DONE (2025-11-20) | 2025-11-20 | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | ATMI0102 |
| AIRGAP-TIME-57-001 | DONE (2025-11-20) | 2025-11-20 | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | ATMI0102 |
| AIRGAP-TIME-57-002 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_510_airgap | AirGap Time Guild · Observability Guild | src/AirGap/StellaOps.AirGap.Time | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. Dependencies: AIRGAP-TIME-57-001. | Blocked pending controller telemetry and disk space | AGTM0101 |
| AIRGAP-TIME-58-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. Dependencies: AIRGAP-TIME-57-002. | Blocked on 57-002 | AGTM0101 |
| AIRGAP-TIME-58-002 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_510_airgap | AirGap Time Guild, Notifications Guild (src/AirGap/StellaOps.AirGap.Time) | src/AirGap/StellaOps.AirGap.Time | Emit notifications and timeline events when staleness budgets breached or approaching. Dependencies: AIRGAP-TIME-58-001. | Blocked on 58-001 | AGTM0101 |
@@ -206,7 +206,7 @@
| AOC-19-002 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #1 | POLICY-AOC-19-001 | PLAO0101 |
| AOC-19-003 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #2 | POLICY-AOC-19-002 | PLAO0101 |
| AOC-19-004 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #3 | POLICY-AOC-19-003 | PLAO0101 |
| AOC-19-101 | TODO | 2025-10-28 | SPRINT_503_ops_devops_i | DevOps Guild | ops/devops | Needs helper definitions from PLAO0101 | Needs helper definitions from PLAO0101 | DVAO0101 |
| AOC-19-101 | TODO | 2025-10-28 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild | ops/devops | Needs helper definitions from PLAO0101 | Needs helper definitions from PLAO0101 | DVAO0101 |
| API-27-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Governance decision (APIG0101) | Governance decision (APIG0101) | PLAR0101 |
| API-27-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Depends on #1 | REGISTRY-API-27-001 | PLAR0101 |
| API-27-003 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Depends on #2 | REGISTRY-API-27-002 | PLAR0101 |
@@ -295,14 +295,14 @@
| CLI-401-021 | BLOCKED | 2025-11-25 | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | Awaiting reachability chain CI/attestor contract and fixtures | — | CLCI0101 |
| CLI-41-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | | Superseded by DOCS-CLI-41-001 scope; no separate definition provided. | Pending clarified scope | CLCI0101 |
| CLI-42-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild (docs) | | Superseded by DOCS-CLI-42-001; scope not defined separately. | Pending clarified scope | CLCI0101 |
| CLI-43-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-003 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-003 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-AIAI-31-001 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. | — | CLCI0101 |
| CLI-AIAI-31-002 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise explain` showing conflict narrative and structured rationale. Dependencies: CLI-AIAI-31-001. | — | CLCI0101 |
| CLI-AIRGAP-56-001 | BLOCKED | 2025-11-22 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella mirror create` for air-gap bootstrap. Blocked: mirror bundle contract/spec (schema/signing/digests) not available to CLI. | — | CLCI0102 |
| CLI-AIAI-31-003 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. Dependencies: CLI-AIAI-31-002. | — | CLCI0101 |
| CLI-AIAI-31-004 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. Dependencies: CLI-AIAI-31-003. | — | CLCI0102 |
| CLI-AIRGAP-56-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | ATMI0102 |
| CLI-AIRGAP-56-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | ATMI0102 |
| CLI-AIRGAP-56-002 | BLOCKED | 2025-11-25 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. Dependencies: CLI-AIRGAP-56-001. | Blocked: CLI-AIRGAP-56-001 waiting for mirror bundle contract/spec | CLCI0102 |
| CLI-AIRGAP-57-001 | BLOCKED | 2025-11-25 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. Dependencies: CLI-AIRGAP-56-002. | Blocked: upstream CLI-AIRGAP-56-002 | CLCI0102 |
| CLI-AIRGAP-57-002 | BLOCKED | 2025-11-25 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella airgap seal` helper. Dependencies: CLI-AIRGAP-57-001. | Blocked: upstream CLI-AIRGAP-57-001 | CLCI0102 |
@@ -343,7 +343,7 @@
| CLI-ORCH-34-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get. Dependencies: CLI-ORCH-33-001. | ORGR0102 API review | CLCI0105 |
| CLI-PACKS-42-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | — | CLCI0105 |
| CLI-PACKS-43-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). Dependencies: CLI-PACKS-42-001. | Offline kit schema sign-off | CLCI0105 |
| CLI-PACKS-43-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit Guild · Packs Registry Guild | ops/offline-kit | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | CLI-PACKS-43-001 | CLCI0105 |
| CLI-PACKS-43-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild · Packs Registry Guild | ops/offline-kit | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | CLI-PACKS-43-001 | CLCI0105 |
| CLI-PARITY-41-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | — | CLCI0106 |
| CLI-PARITY-41-002 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. Dependencies: CLI-PARITY-41-001. | — | CLCI0106 |
| CLI-POLICY-20-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella policy new | PLPE0101 completion | CLCI0106 |
@@ -384,9 +384,9 @@
| CLI-VULN-29-005 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. Dependencies: CLI-VULN-29-004. | CLI-VULN-29-004 | CLCI0107 |
| CLI-VULN-29-006 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild · Docs Guild | src/Cli/StellaOps.Cli | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. Dependencies: CLI-VULN-29-005. | CLI-VULN-29-005 | CLCI0108 |
| CLIENT-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild | `src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer` | Align with symbolizer regression fixtures | Align with symbolizer regression fixtures | RBSY0101 |
| COMPOSE-44-001 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild | ops/deployment | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Waiting on consolidated service list/version pins from upstream module releases | DVCP0101 |
| COMPOSE-44-002 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. Dependencies: COMPOSE-44-001. | Depends on #1 | DVCP0101 |
| COMPOSE-44-003 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. Dependencies: COMPOSE-44-002. | Needs RBRE0101 provenance | DVCP0101 |
| COMPOSE-44-001 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · DevEx Guild | ops/deployment | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Waiting on consolidated service list/version pins from upstream module releases | DVCP0101 |
| COMPOSE-44-002 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. Dependencies: COMPOSE-44-001. | Depends on #1 | DVCP0101 |
| COMPOSE-44-003 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. Dependencies: COMPOSE-44-002. | Needs RBRE0101 provenance | DVCP0101 |
| CONCELIER-AIAI-31-002 | DONE | 2025-11-18 | SPRINT_110_ingestion_evidence | Concelier Core · Concelier WebService Guilds | | Structured field/caching implementation gated on schema approval. | CONCELIER-GRAPH-21-001; CARTO-GRAPH-21-002 | DOAI0101 |
| CONCELIER-AIAI-31-003 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Docs Guild · Concelier Observability Guild | docs/modules/concelier/observability.md | Telemetry counters/histograms live for Advisory AI dashboards. | Summarize telemetry evidence | DOCO0101 |
| CONCELIER-AIRGAP-56-001 | DONE (2025-11-24) | | SPRINT_112_concelier_i | Concelier Core Guild | src/Concelier/StellaOps.Concelier.WebService/AirGap | Deterministic air-gap bundle builder with manifest + entry-trace hashes. | docs/runbooks/concelier-airgap-bundle-deploy.md | AGCN0101 |
@@ -495,12 +495,12 @@
| CORE-AOC-19-003 | TODO | | SPRINT_120_excititor_ii | Excititor Core Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Depends on #1 | Depends on #1 | EXAC0101 |
| CORE-AOC-19-004 | TODO | | SPRINT_120_excititor_ii | Excititor Core Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Depends on #2 | Depends on #2 | EXAC0101 |
| CORE-AOC-19-013 | TODO | | SPRINT_112_concelier_i | Concelier Core Guild + Excititor | src/Concelier/__Libraries/StellaOps.Concelier.Core | Needs CCAN0101 DSSE output | Needs CCAN0101 DSSE output | EXAC0101 |
| CRT-56-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Wait for PGMI0101 owner | Wait for PGMI0101 owner | MRCR0101 |
| CRT-56-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator · Security Guilds | | Depends on #1 | MIRROR-CRT-56-001; PROV-OBS-53-001 | MRCR0101 |
| CRT-57-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator · AirGap Time Guild | | Needs AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-57-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Depends on #3 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-58-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator + Evidence Locker | | Requires Evidence Locker contract | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-58-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator + Security Guild | | Depends on #5 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-56-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Wait for PGMI0101 owner | Wait for PGMI0101 owner | MRCR0101 |
| CRT-56-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator · Security Guilds | | Depends on #1 | MIRROR-CRT-56-001; PROV-OBS-53-001 | MRCR0101 |
| CRT-57-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator · AirGap Time Guild | | Needs AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-57-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Depends on #3 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-58-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator + Evidence Locker | | Requires Evidence Locker contract | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-58-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator + Security Guild | | Depends on #5 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRYPTO-90-001 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
| CRYPTO-90-002 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
| CRYPTO-90-003 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
@@ -527,104 +527,104 @@
| CTL-57-001 | TODO | | SPRINT_510_airgap | Controller + Time Guild | src/AirGap/StellaOps.AirGap.Controller | Needs AGTM time anchors | Needs AGTM time anchors | AGCT0102 |
| CTL-57-002 | TODO | | SPRINT_510_airgap | Controller + Observability Guild | src/AirGap/StellaOps.AirGap.Controller | Depends on #3 | Depends on #3 | AGCT0102 |
| CTL-58-001 | TODO | | SPRINT_510_airgap | Controller + Evidence Locker Guild | src/AirGap/StellaOps.AirGap.Controller | Depends on #4 | Depends on #4 | AGCT0102 |
| DEPLOY-AIAI-31-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Advisory AI Guild | ops/deployment | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Wait for DVCP0101 compose template | DVPL0101 |
| DEPLOY-AIRGAP-46-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Requires #1 artifacts | AGDP0101 |
| DEPLOY-CLI-41-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · CLI Guild | ops/deployment | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Wait for CLI observability schema (035_CLCI0105) | AGDP0101 |
| DEPLOY-COMPOSE-44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Depends on #1 | DVPL0101 |
| DEPLOY-EXPORT-35-001 | DONE | 2025-10-29 | SPRINT_501_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Helm overlay + docs + example secrets added (`deploy/helm/stellaops/values-export.yaml`, `ops/deployment/export/helm-overlays.md`, `ops/deployment/export/secrets-example.yaml`). | Need exporter DSSE API (002_ATEL0101) | AGDP0101 |
| DEPLOY-EXPORT-36-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. Dependencies: DEPLOY-EXPORT-35-001. | Depends on #4 deliverables | AGDP0101 |
| DEPLOY-HELM-45-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment + Security Guilds | ops/deployment | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Needs helm chart schema | DVPL0101 |
| DEPLOY-NOTIFY-38-001 | DONE | 2025-10-29 | SPRINT_501_ops_deployment_i | Deployment + Notify Guilds | ops/deployment | Notifier Helm overlay + secrets/rollout doc + example secrets added (`deploy/helm/stellaops/values-notify.yaml`, `ops/deployment/notify/helm-overlays.md`, `ops/deployment/notify/secrets-example.yaml`). | Depends on #3 | DVPL0101 |
| DEPLOY-ORCH-34-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Orchestrator Guild | ops/deployment | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Requires ORTR0101 readiness | AGDP0101 |
| DEPLOY-PACKS-42-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Packs Registry Guild | ops/deployment | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Wait for pack registry schema | AGDP0101 |
| DEPLOY-PACKS-43-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Task Runner Guild | ops/deployment | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. Dependencies: DEPLOY-PACKS-42-001. | Needs #7 artifacts | AGDP0101 |
| DEPLOY-POLICY-27-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Policy Registry Guild | ops/deployment | Produce Helm/Compose overlays for Policy Registry + simulation workers (migrations, buckets, signing keys, tenancy defaults). | WEPO0101 | DVPL0105 |
| DEPLOY-POLICY-27-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild · Policy Guild | ops/deployment | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze, evidence retrieval). | DEPLOY-POLICY-27-001 | DVPL0105 |
| DEPLOY-VEX-30-001 | TODO | | SPRINT_502_ops_deployment_ii | Deployment + VEX Lens Guild | ops/deployment | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Wait for CCWO0101 schema | DVPL0101 |
| DEPLOY-VEX-30-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild | ops/deployment | Package Issuer Directory deployment manifests, backups, and security hardening guidance. Dependencies: DEPLOY-VEX-30-001. | Depends on #5 | DVPL0101 |
| DEPLOY-VULN-29-001 | TODO | | SPRINT_502_ops_deployment_ii | Deployment + Vuln Guild | ops/deployment | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Needs CCWO0101 | DVPL0101 |
| DEPLOY-VULN-29-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild | ops/deployment | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. Dependencies: DEPLOY-VULN-29-001. | Depends on #7 | DVPL0101 |
| DEPLOY-AIAI-31-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Advisory AI Guild | ops/deployment | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Wait for DVCP0101 compose template | DVPL0101 |
| DEPLOY-AIRGAP-46-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Requires #1 artifacts | AGDP0101 |
| DEPLOY-CLI-41-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · CLI Guild | ops/deployment | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Wait for CLI observability schema (035_CLCI0105) | AGDP0101 |
| DEPLOY-COMPOSE-44-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Depends on #1 | DVPL0101 |
| DEPLOY-EXPORT-35-001 | DONE | 2025-10-29 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Helm overlay + docs + example secrets added (`deploy/helm/stellaops/values-export.yaml`, `ops/deployment/export/helm-overlays.md`, `ops/deployment/export/secrets-example.yaml`). | Need exporter DSSE API (002_ATEL0101) | AGDP0101 |
| DEPLOY-EXPORT-36-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. Dependencies: DEPLOY-EXPORT-35-001. | Depends on #4 deliverables | AGDP0101 |
| DEPLOY-HELM-45-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment + Security Guilds | ops/deployment | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Needs helm chart schema | DVPL0101 |
| DEPLOY-NOTIFY-38-001 | DONE | 2025-10-29 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment + Notify Guilds | ops/deployment | Notifier Helm overlay + secrets/rollout doc + example secrets added (`deploy/helm/stellaops/values-notify.yaml`, `ops/deployment/notify/helm-overlays.md`, `ops/deployment/notify/secrets-example.yaml`). | Depends on #3 | DVPL0101 |
| DEPLOY-ORCH-34-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Orchestrator Guild | ops/deployment | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Requires ORTR0101 readiness | AGDP0101 |
| DEPLOY-PACKS-42-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Packs Registry Guild | ops/deployment | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Wait for pack registry schema | AGDP0101 |
| DEPLOY-PACKS-43-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Task Runner Guild | ops/deployment | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. Dependencies: DEPLOY-PACKS-42-001. | Needs #7 artifacts | AGDP0101 |
| DEPLOY-POLICY-27-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Policy Registry Guild | ops/deployment | Produce Helm/Compose overlays for Policy Registry + simulation workers (migrations, buckets, signing keys, tenancy defaults). | WEPO0101 | DVPL0105 |
| DEPLOY-POLICY-27-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Policy Guild | ops/deployment | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze, evidence retrieval). | DEPLOY-POLICY-27-001 | DVPL0105 |
| DEPLOY-VEX-30-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment + VEX Lens Guild | ops/deployment | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Wait for CCWO0101 schema | DVPL0101 |
| DEPLOY-VEX-30-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild | ops/deployment | Package Issuer Directory deployment manifests, backups, and security hardening guidance. Dependencies: DEPLOY-VEX-30-001. | Depends on #5 | DVPL0101 |
| DEPLOY-VULN-29-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment + Vuln Guild | ops/deployment | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Needs CCWO0101 | DVPL0101 |
| DEPLOY-VULN-29-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild | ops/deployment | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. Dependencies: DEPLOY-VULN-29-001. | Depends on #7 | DVPL0101 |
| DETER-186-008 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild | `src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker` | Wait for RLRC0101 fixture | Wait for RLRC0101 fixture | SCDT0101 |
| DETER-186-009 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild · QA Guild | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Depends on #1 | Depends on #1 | SCDT0101 |
| DETER-186-010 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild · Export Center Guild | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md` | Depends on #2 | Depends on #2 | SCDT0101 |
| DETER-70-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | | Needs CASC0101 manifest | Needs CASC0101 manifest | SCDT0101 |
| DETER-70-003 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild · Scanner Guild | src/Cli/StellaOps.Cli | Depends on #4 | Depends on #4 | SCDT0101 |
| DETER-70-004 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Depends on #5 | Depends on #5 | SCDT0101 |
| DEVOPS-AIAI-31-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Advisory AI Guild (ops/devops) | ops/devops | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | — | DVDO0101 |
| DEVOPS-SPANSINK-31-003 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild · Observability Guild (ops/devops) | ops/devops | Deploy span sink/Signals pipeline for Excititor evidence APIs (31-003) and publish dashboards; unblock traces for `/v1/vex/observations/**`. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, AirGap Importer Guild (ops/devops) | ops/devops | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. Dependencies: DEVOPS-AIRGAP-56-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-003 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Container Distribution Guild (ops/devops) | ops/devops | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. Dependencies: DEVOPS-AIRGAP-56-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Mirror Creator Guild (ops/devops) | ops/devops | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. Dependencies: DEVOPS-AIRGAP-56-003. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-002 | DONE | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | Sealed-mode smoke wired into CI (`.gitea/workflows/airgap-sealed-ci.yml`) running `ops/devops/airgap/sealed-ci-smoke.sh`. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Notifications Guild (ops/devops) | ops/devops | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | — | DVDO0101 |
| DEVOPS-AOC-19-001 | DONE | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild, Platform Guild (ops/devops) | ops/devops | AOC guard CI added (`.gitea/workflows/aoc-guard.yml`); analyzers built and run against ingestion projects; tests logged as artifacts. | CCAO0101 | DVDO0101 |
| DEVOPS-AOC-19-002 | DONE | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | AOC verify stage added to CI (`aoc-verify` job in `.gitea/workflows/aoc-guard.yml`) using `AOC_VERIFY_SINCE` + `STAGING_MONGO_URI`, publishing verify artifacts. | DEVOPS-AOC-19-001 | DVDO0101 |
| DEVOPS-AOC-19-003 | BLOCKED | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild, QA Guild (ops/devops) | ops/devops | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DEVOPS-AOC-19-002 | DVDO0102 |
| DEVOPS-AOC-19-101 | TODO | 2025-10-28 | SPRINT_503_ops_devops_i | DevOps Guild · Concelier Storage Guild | ops/devops | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. Dependencies: DEVOPS-AOC-19-003. | Align with CCOA0101 contract | DVDO0104 |
| DEVOPS-ATTEST-73-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Attestor Service Guild (ops/devops) | ops/devops | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | — | DVDO0102 |
| DEVOPS-ATTEST-73-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, KMS Guild (ops/devops) | ops/devops | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. Dependencies: DEVOPS-ATTEST-73-001. | — | DVDO0102 |
| DEVOPS-ATTEST-74-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Transparency Guild (ops/devops) | ops/devops | Deploy transparency log witness infrastructure and monitoring. Dependencies: DEVOPS-ATTEST-73-002. | — | DVDO0102 |
| DEVOPS-ATTEST-74-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Export Attestation Guild (ops/devops) | ops/devops | Integrate attestation bundle builds into release/offline pipelines with checksum verification. Dependencies: DEVOPS-ATTEST-74-001. | — | DVDO0102 |
| DEVOPS-ATTEST-75-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | — | DVDO0102 |
| DEVOPS-CLI-41-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | — | DVDO0102 |
| DEVOPS-CLI-42-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild (ops/devops) | ops/devops | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | — | DVDO0102 |
| DEVOPS-CLI-43-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | — | DVDO0102 |
| DEVOPS-CLI-43-003 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | — | DVDO0102 |
| DEVOPS-CONSOLE-23-001 | DONE | 2025-10-26 | SPRINT_504_ops_devops_ii | DevOps Guild · Console Guild | ops/devops | Console CI contract + workflow added (`.gitea/workflows/console-ci.yml`); offline-first pnpm cache, lint/type/unit, Storybook a11y, Playwright, Lighthouse budgets, SBOM artifacts uploaded. | Needs CCWO0101 API schema | DVDO0104 |
| DEVOPS-CONSOLE-23-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. Dependencies: DEVOPS-CONSOLE-23-001. | Depends on #2 | DVDO0104 |
| DEVOPS-CONTAINERS-44-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Wait for COWB0101 base image | DVDO0104 |
| DEVOPS-CONTAINERS-45-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. Dependencies: DEVOPS-CONTAINERS-44-001. | Depends on #4 | DVDO0104 |
| DEVOPS-CONTAINERS-46-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. Dependencies: DEVOPS-CONTAINERS-45-001. | Depends on #5 | DVDO0104 |
| DEVOPS-DEVPORT-63-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild · DevPortal Guild | ops/devops | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Wait for API schema from CCWO0101 | DVDO0105 |
| DEVOPS-DEVPORT-64-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. Dependencies: DEVOPS-DEVPORT-63-001. | Depends on #1 | DVDO0105 |
| DEVOPS-AIAI-31-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Advisory AI Guild (ops/devops) | ops/devops | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | — | DVDO0101 |
| DEVOPS-SPANSINK-31-003 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild · Observability Guild (ops/devops) | ops/devops | Deploy span sink/Signals pipeline for Excititor evidence APIs (31-003) and publish dashboards; unblock traces for `/v1/vex/observations/**`. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, AirGap Importer Guild (ops/devops) | ops/devops | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. Dependencies: DEVOPS-AIRGAP-56-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-003 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Container Distribution Guild (ops/devops) | ops/devops | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. Dependencies: DEVOPS-AIRGAP-56-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Mirror Creator Guild (ops/devops) | ops/devops | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. Dependencies: DEVOPS-AIRGAP-56-003. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-002 | DONE | 2025-11-08 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | Sealed-mode smoke wired into CI (`.gitea/workflows/airgap-sealed-ci.yml`) running `ops/devops/airgap/sealed-ci-smoke.sh`. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Notifications Guild (ops/devops) | ops/devops | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | — | DVDO0101 |
| DEVOPS-AOC-19-001 | DONE | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Platform Guild (ops/devops) | ops/devops | AOC guard CI added (`.gitea/workflows/aoc-guard.yml`); analyzers built and run against ingestion projects; tests logged as artifacts. | CCAO0101 | DVDO0101 |
| DEVOPS-AOC-19-002 | DONE | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | AOC verify stage added to CI (`aoc-verify` job in `.gitea/workflows/aoc-guard.yml`) using `AOC_VERIFY_SINCE` + `STAGING_MONGO_URI`, publishing verify artifacts. | DEVOPS-AOC-19-001 | DVDO0101 |
| DEVOPS-AOC-19-003 | BLOCKED | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, QA Guild (ops/devops) | ops/devops | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DEVOPS-AOC-19-002 | DVDO0102 |
| DEVOPS-AOC-19-101 | TODO | 2025-10-28 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild · Concelier Storage Guild | ops/devops | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. Dependencies: DEVOPS-AOC-19-003. | Align with CCOA0101 contract | DVDO0104 |
| DEVOPS-ATTEST-73-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Attestor Service Guild (ops/devops) | ops/devops | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | — | DVDO0102 |
| DEVOPS-ATTEST-73-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, KMS Guild (ops/devops) | ops/devops | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. Dependencies: DEVOPS-ATTEST-73-001. | — | DVDO0102 |
| DEVOPS-ATTEST-74-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Transparency Guild (ops/devops) | ops/devops | Deploy transparency log witness infrastructure and monitoring. Dependencies: DEVOPS-ATTEST-73-002. | — | DVDO0102 |
| DEVOPS-ATTEST-74-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Export Attestation Guild (ops/devops) | ops/devops | Integrate attestation bundle builds into release/offline pipelines with checksum verification. Dependencies: DEVOPS-ATTEST-74-001. | — | DVDO0102 |
| DEVOPS-ATTEST-75-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | — | DVDO0102 |
| DEVOPS-CLI-41-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | — | DVDO0102 |
| DEVOPS-CLI-42-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild (ops/devops) | ops/devops | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | — | DVDO0102 |
| DEVOPS-CLI-43-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | — | DVDO0102 |
| DEVOPS-CLI-43-003 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | — | DVDO0102 |
| DEVOPS-CONSOLE-23-001 | DONE | 2025-10-26 | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild · Console Guild | ops/devops | Console CI contract + workflow added (`.gitea/workflows/console-ci.yml`); offline-first pnpm cache, lint/type/unit, Storybook a11y, Playwright, Lighthouse budgets, SBOM artifacts uploaded. | Needs CCWO0101 API schema | DVDO0104 |
| DEVOPS-CONSOLE-23-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. Dependencies: DEVOPS-CONSOLE-23-001. | Depends on #2 | DVDO0104 |
| DEVOPS-CONTAINERS-44-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Wait for COWB0101 base image | DVDO0104 |
| DEVOPS-CONTAINERS-45-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. Dependencies: DEVOPS-CONTAINERS-44-001. | Depends on #4 | DVDO0104 |
| DEVOPS-CONTAINERS-46-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. Dependencies: DEVOPS-CONTAINERS-45-001. | Depends on #5 | DVDO0104 |
| DEVOPS-DEVPORT-63-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild · DevPortal Guild | ops/devops | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Wait for API schema from CCWO0101 | DVDO0105 |
| DEVOPS-DEVPORT-64-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. Dependencies: DEVOPS-DEVPORT-63-001. | Depends on #1 | DVDO0105 |
| DEVOPS-DOCS-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Docs Guild | docs/modules/devops | See ./AGENTS.md | Needs CCSL0101 console docs | DVDO0105 |
| DEVOPS-ENG-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Engineering Guild | docs/modules/devops | Update status via ./AGENTS.md workflow | Depends on #3 | DVDO0105 |
| DEVOPS-EXPORT-35-001 | DONE | 2025-10-29 | SPRINT_504_ops_devops_ii | DevOps · Export Guild | ops/devops | CI contract drafted and fixtures added (`ops/devops/export/minio-compose.yml`, `seed-minio.sh`); ready to wire pipeline with offline MinIO, build/test, smoke, SBOM, dashboards. | Wait for DVPL0101 export deploy | DVDO0105 |
| DEVOPS-EXPORT-36-001 | DONE | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Export CI workflow added (`.gitea/workflows/export-ci.yml`) running build/test, MinIO fixture, Trivy/OCI smoke, SBOM artifacts. | Depends on #5 | DVDO0105 |
| DEVOPS-EXPORT-37-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. Dependencies: DEVOPS-EXPORT-36-001. | Depends on #6 | DVDO0105 |
| DEVOPS-GRAPH-24-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Graph Guild | ops/devops | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Wait for CCGH0101 endpoint | DVDO0106 |
| DEVOPS-GRAPH-24-002 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. Dependencies: DEVOPS-GRAPH-24-001. | Depends on #1 | DVDO0106 |
| DEVOPS-GRAPH-24-003 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. Dependencies: DEVOPS-GRAPH-24-002. | Depends on #2 | DVDO0106 |
| DEVOPS-LNM-22-001 | DONE | 2025-10-27 | SPRINT_505_ops_devops_iii | DevOps · Concelier Guild | ops/devops | Backfill plan + validation scripts + dispatchable CI (`.gitea/workflows/lnm-backfill.yml`) added; ready to run on staging snapshot. | Needs CCLN0102 API | DVDO0106 |
| DEVOPS-LNM-22-002 | DONE | 2025-10-27 | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | VEX backfill dispatcher added (`.gitea/workflows/lnm-vex-backfill.yml`) with NATS/Redis inputs; plan documented in `ops/devops/lnm/vex-backfill-plan.md`. | Depends on #4 | DVDO0106 |
| DEVOPS-LNM-22-003 | DONE | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Metrics/alert scaffold plus CI check (`ops/devops/lnm/metrics-ci-check.sh`) added; ready for Grafana import. | Depends on #5 | DVDO0106 |
| DEVOPS-OAS-61-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Wait for CCWO0101 spec | DVDO0106 |
| DEVOPS-OAS-61-002 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | Depends on #7 | DVDO0106 |
| DEVOPS-OBS-51-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Observability Guild | ops/devops | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | Wait for 045_DVDO0103 alert catalog | DVOB0101 |
| DEVOPS-OBS-52-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Timeline Indexer Guild | ops/devops | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | Needs #1 merged for shared correlation IDs | DVOB0101 |
| DEVOPS-OBS-53-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Evidence Locker Guild | ops/devops | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | Depends on DSSE API from 002_ATEL0101 | DVOB0101 |
| DEVOPS-OBS-54-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Security Guild | ops/devops | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. Dependencies: DEVOPS-OBS-53-001. | Requires security sign-off on cardinality budgets | DVOB0101 |
| DEVOPS-OBS-55-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Ops Guild | ops/devops | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | Relies on #4 to finalize alert dimensions | DVOB0101 |
| DEVOPS-OFFLINE-17-004 | DONE | 2025-11-23 | SPRINT_508_ops_offline_kit | DevOps Offline Guild | ops/offline-kit | Mirrored release debug store via `mirror_debug_store.py`; summary at `out/offline-kit/metadata/debug-store.json`. | Wait for DVPL0101 compose | DVDO0107 |
| DEVOPS-OFFLINE-34-006 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Depends on #1 | DVDO0107 |
| DEVOPS-OFFLINE-37-001 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Needs RBRE hashes | DVDO0107 |
| DEVOPS-OFFLINE-37-002 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Depends on #3 | DVDO0107 |
| DEVOPS-OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | Security + DevOps Guilds | ops/devops | Package the OpenSSL 1.1 shim (`tests/native/openssl-1.1/linux-x64`) into test harness output so Mongo2Go suites discover it automatically. | Wait for CRYO0101 artifacts | DVDO0107 |
| DEVOPS-OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Ensure CI runners and Docker images that execute Mongo2Go tests export `LD_LIBRARY_PATH` (or embed the shim) to unblock unattended pipelines. Dependencies: DEVOPS-OPENSSL-11-001. | Depends on #5 | DVDO0107 |
| DEVOPS-EXPORT-35-001 | DONE | 2025-10-29 | SPRINT_0504_0001_0001_ops_devops_ii | DevOps · Export Guild | ops/devops | CI contract drafted and fixtures added (`ops/devops/export/minio-compose.yml`, `seed-minio.sh`); ready to wire pipeline with offline MinIO, build/test, smoke, SBOM, dashboards. | Wait for DVPL0101 export deploy | DVDO0105 |
| DEVOPS-EXPORT-36-001 | DONE | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Export CI workflow added (`.gitea/workflows/export-ci.yml`) running build/test, MinIO fixture, Trivy/OCI smoke, SBOM artifacts. | Depends on #5 | DVDO0105 |
| DEVOPS-EXPORT-37-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. Dependencies: DEVOPS-EXPORT-36-001. | Depends on #6 | DVDO0105 |
| DEVOPS-GRAPH-24-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Graph Guild | ops/devops | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Wait for CCGH0101 endpoint | DVDO0106 |
| DEVOPS-GRAPH-24-002 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. Dependencies: DEVOPS-GRAPH-24-001. | Depends on #1 | DVDO0106 |
| DEVOPS-GRAPH-24-003 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. Dependencies: DEVOPS-GRAPH-24-002. | Depends on #2 | DVDO0106 |
| DEVOPS-LNM-22-001 | DONE | 2025-10-27 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Concelier Guild | ops/devops | Backfill plan + validation scripts + dispatchable CI (`.gitea/workflows/lnm-backfill.yml`) added; ready to run on staging snapshot. | Needs CCLN0102 API | DVDO0106 |
| DEVOPS-LNM-22-002 | DONE | 2025-10-27 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | VEX backfill dispatcher added (`.gitea/workflows/lnm-vex-backfill.yml`) with NATS/Redis inputs; plan documented in `ops/devops/lnm/vex-backfill-plan.md`. | Depends on #4 | DVDO0106 |
| DEVOPS-LNM-22-003 | DONE | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Metrics/alert scaffold plus CI check (`ops/devops/lnm/metrics-ci-check.sh`) added; ready for Grafana import. | Depends on #5 | DVDO0106 |
| DEVOPS-OAS-61-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Wait for CCWO0101 spec | DVDO0106 |
| DEVOPS-OAS-61-002 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | Depends on #7 | DVDO0106 |
| DEVOPS-OBS-51-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Observability Guild | ops/devops | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | Wait for 045_DVDO0103 alert catalog | DVOB0101 |
| DEVOPS-OBS-52-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Timeline Indexer Guild | ops/devops | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | Needs #1 merged for shared correlation IDs | DVOB0101 |
| DEVOPS-OBS-53-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Evidence Locker Guild | ops/devops | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | Depends on DSSE API from 002_ATEL0101 | DVOB0101 |
| DEVOPS-OBS-54-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Security Guild | ops/devops | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. Dependencies: DEVOPS-OBS-53-001. | Requires security sign-off on cardinality budgets | DVOB0101 |
| DEVOPS-OBS-55-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Ops Guild | ops/devops | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | Relies on #4 to finalize alert dimensions | DVOB0101 |
| DEVOPS-OFFLINE-17-004 | DONE | 2025-11-23 | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Offline Guild | ops/offline-kit | Mirrored release debug store via `mirror_debug_store.py`; summary at `out/offline-kit/metadata/debug-store.json`. | Wait for DVPL0101 compose | DVDO0107 |
| DEVOPS-OFFLINE-34-006 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Depends on #1 | DVDO0107 |
| DEVOPS-OFFLINE-37-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Needs RBRE hashes | DVDO0107 |
| DEVOPS-OFFLINE-37-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Depends on #3 | DVDO0107 |
| DEVOPS-OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | Security + DevOps Guilds | ops/devops | Package the OpenSSL 1.1 shim (`tests/native/openssl-1.1/linux-x64`) into test harness output so Mongo2Go suites discover it automatically. | Wait for CRYO0101 artifacts | DVDO0107 |
| DEVOPS-OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Ensure CI runners and Docker images that execute Mongo2Go tests export `LD_LIBRARY_PATH` (or embed the shim) to unblock unattended pipelines. Dependencies: DEVOPS-OPENSSL-11-001. | Depends on #5 | DVDO0107 |
| DEVOPS-OPS-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Ops Guild | docs/modules/devops | Sync outcomes back to ../.. | Depends on #1-6 | DVDO0107 |
| DEVOPS-ORCH-32-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · Orchestrator Guild | ops/devops | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Wait for ORTR0102 API | DVDO0108 |
| DEVOPS-ORCH-33-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | Depends on #1 | DVDO0108 |
| DEVOPS-ORCH-34-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | Depends on #2 | DVDO0108 |
| DEVOPS-POLICY-27-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · CLI Guild | ops/devops | Add CI stages to run `stella policy lint/simulate`, enforce deterministic logs + caching. | CLPS0102 | DVPL0104 |
| DEVOPS-POLICY-27-002 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Policy Registry Guild | ops/devops | Provide optional batch simulation CI job that triggers registry run, polls results, posts markdown summary. | DEVOPS-POLICY-27-001 | DVPL0104 |
| DEVOPS-POLICY-27-003 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Security Guild | ops/devops | Manage signing key material for policy publish pipeline; rotate keys, add attestation verification stage. | DEVOPS-POLICY-27-002 | DVPL0104 |
| DEVOPS-POLICY-27-004 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Observability Guild | ops/devops | Create dashboards/alerts for policy compile latency, simulation queue depth, promotion outcomes. | DEVOPS-POLICY-27-003 | DVPL0104 |
| DEVOPS-REL-17-004 | DONE | 2025-11-23 | SPRINT_506_ops_devops_iv | DevOps Release Guild | ops/devops | Release workflow now uploads `out/release/debug` as a dedicated artifact and already fails if symbols are missing; build-id manifest enforced. | Needs DVPL0101 release artifacts | DVDO0108 |
| DEVOPS-RULES-33-001 | TODO | 2025-10-30 | SPRINT_506_ops_devops_iv | DevOps · Policy Guild | ops/devops | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | Wait for CCPR0101 policy logs | DVDO0109 |
| DEVOPS-SCAN-90-004 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Scanner Guild | ops/devops | Add a CI job that runs the scanner determinism harness against the release matrix (N runs per image), uploads `determinism.json`, and fails when score < threshold; publish artifact to release notes. Dependencies: SCAN-DETER-186-009/010. | Needs SCDT0101 fixtures | DVDO0109 |
| DEVOPS-SDK-63-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · SDK Guild | ops/devops | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Depends on #2 | DVDO0109 |
| DEVOPS-SIG-26-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Signals Guild | ops/devops | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Wait for SGSI0101 metrics | DVDO0110 |
| DEVOPS-SIG-26-002 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | Depends on #1 | DVDO0110 |
| DEVOPS-SYMS-90-005 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Symbols Guild | ops/devops | Deploy Symbols.Server (Helm/Terraform), manage MinIO/Mongo storage, configure tenant RBAC/quotas, and wire ingestion CLI into release pipelines with monitoring and backups. Dependencies: SYMS-SERVER-401-011/013. | Needs RBSY0101 bundle | DVDO0110 |
| DEVOPS-TEN-47-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · Policy Guild | ops/devops | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | Wait for CCPR0101 policy | DVDO0110 |
| DEVOPS-TEN-48-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | Depends on #4 | DVDO0110 |
| DEVOPS-TEN-49-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. Dependencies: DEVOPS-TEN-48-001. | Depends on #5 | DVDO0110 |
| DEVOPS-VEX-30-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · VEX Lens Guild | ops/devops | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | — | PLVL0103 |
| DEVOPS-VULN-29-001 | TODO | | SPRINT_507_ops_devops_v | DevOps · Vuln Guild | ops/devops | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | Needs DVPL0101 deploy | DVDO0110 |
| DEVOPS-VULN-29-002 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | Depends on #7 | DVDO0110 |
| DEVOPS-VULN-29-003 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | Depends on #8 | DVDO0110 |
| DEVOPS-ORCH-32-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Orchestrator Guild | ops/devops | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Wait for ORTR0102 API | DVDO0108 |
| DEVOPS-ORCH-33-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | Depends on #1 | DVDO0108 |
| DEVOPS-ORCH-34-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | Depends on #2 | DVDO0108 |
| DEVOPS-POLICY-27-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · CLI Guild | ops/devops | Add CI stages to run `stella policy lint/simulate`, enforce deterministic logs + caching. | CLPS0102 | DVPL0104 |
| DEVOPS-POLICY-27-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Policy Registry Guild | ops/devops | Provide optional batch simulation CI job that triggers registry run, polls results, posts markdown summary. | DEVOPS-POLICY-27-001 | DVPL0104 |
| DEVOPS-POLICY-27-003 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Security Guild | ops/devops | Manage signing key material for policy publish pipeline; rotate keys, add attestation verification stage. | DEVOPS-POLICY-27-002 | DVPL0104 |
| DEVOPS-POLICY-27-004 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Observability Guild | ops/devops | Create dashboards/alerts for policy compile latency, simulation queue depth, promotion outcomes. | DEVOPS-POLICY-27-003 | DVPL0104 |
| DEVOPS-REL-17-004 | DONE | 2025-11-23 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Release Guild | ops/devops | Release workflow now uploads `out/release/debug` as a dedicated artifact and already fails if symbols are missing; build-id manifest enforced. | Needs DVPL0101 release artifacts | DVDO0108 |
| DEVOPS-RULES-33-001 | TODO | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Policy Guild | ops/devops | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | Wait for CCPR0101 policy logs | DVDO0109 |
| DEVOPS-SCAN-90-004 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Scanner Guild | ops/devops | Add a CI job that runs the scanner determinism harness against the release matrix (N runs per image), uploads `determinism.json`, and fails when score < threshold; publish artifact to release notes. Dependencies: SCAN-DETER-186-009/010. | Needs SCDT0101 fixtures | DVDO0109 |
| DEVOPS-SDK-63-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · SDK Guild | ops/devops | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Depends on #2 | DVDO0109 |
| DEVOPS-SIG-26-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Signals Guild | ops/devops | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Wait for SGSI0101 metrics | DVDO0110 |
| DEVOPS-SIG-26-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | Depends on #1 | DVDO0110 |
| DEVOPS-SYMS-90-005 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Symbols Guild | ops/devops | Deploy Symbols.Server (Helm/Terraform), manage MinIO/Mongo storage, configure tenant RBAC/quotas, and wire ingestion CLI into release pipelines with monitoring and backups. Dependencies: SYMS-SERVER-401-011/013. | Needs RBSY0101 bundle | DVDO0110 |
| DEVOPS-TEN-47-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Policy Guild | ops/devops | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | Wait for CCPR0101 policy | DVDO0110 |
| DEVOPS-TEN-48-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | Depends on #4 | DVDO0110 |
| DEVOPS-TEN-49-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. Dependencies: DEVOPS-TEN-48-001. | Depends on #5 | DVDO0110 |
| DEVOPS-VEX-30-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · VEX Lens Guild | ops/devops | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | — | PLVL0103 |
| DEVOPS-VULN-29-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps · Vuln Guild | ops/devops | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | Needs DVPL0101 deploy | DVDO0110 |
| DEVOPS-VULN-29-002 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | Depends on #7 | DVDO0110 |
| DEVOPS-VULN-29-003 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | Depends on #8 | DVDO0110 |
| DEVPORT-62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Select static site generator, integrate aggregate spec, build navigation + search scaffolding. | 62-001 | DEVL0101 |
| DEVPORT-62-002 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Implement schema viewer, example rendering, copy-curl snippets, and version selector UI. Dependencies: DEVPORT-62-001. | DEVPORT-62-001 | DEVL0101 |
| DEVPORT-63-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Add Try-It console pointing at sandbox environment with token onboarding and scope info. Dependencies: DEVPORT-62-002. | 63-001 | DEVL0101 |
@@ -633,9 +633,9 @@
| DEVPORT-64-002 | TODO | | SPRINT_206_devportal | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site) | src/DevPortal/StellaOps.DevPortal.Site | Add automated accessibility tests, link checker, and performance budgets. Dependencies: DEVPORT-64-001. | | DEVL0102 |
| DOC-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Reachability Guild | `docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md` | Wait for replay evidence from 100_RBBN0101 | Wait for replay evidence from 100_RBBN0101 | DORC0101 |
| DOC-70-001 | DONE | | SPRINT_170_notifications_telemetry | Docs Guild · Notifications Guild | docs | Gather notification doc references | Validate existing notifications doc and migrate notes | DOCP0101 |
| DOCKER-44-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · Service Owners | ops/devops | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Wait for DVPL0101 compose merge | DVDO0111 |
| DOCKER-44-002 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | Depends on #1 | DVDO0111 |
| DOCKER-44-003 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitor. Dependencies: DOCKER-44-002. | Requires SBOM+scan workflow from 137_SCDT0101 | DVDO0111 |
| DOCKER-44-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · Service Owners | ops/devops | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Wait for DVPL0101 compose merge | DVDO0111 |
| DOCKER-44-002 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | Depends on #1 | DVDO0111 |
| DOCKER-44-003 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitor. Dependencies: DOCKER-44-002. | Requires SBOM+scan workflow from 137_SCDT0101 | DVDO0111 |
| DOCS-0001 | DONE | 2025-11-05 | SPRINT_313_docs_modules_attestor | Docs Guild | docs/modules/attestor | Confirm attestor module doc publication | Confirm attestor module doc scope | DOCP0101 |
| DOCS-0002 | TODO | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild (docs/modules/graph) | docs/modules/graph | — | — | DOCL0102 |
| DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | — | — | DOCL0102 |
@@ -819,7 +819,7 @@
| DOCS-VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
| DOCS-VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
| DOCS-VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_502_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
| DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
| DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
| DSSE-CLI-401-021 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | Ship a `stella attest` CLI (or sample `StellaOps.Attestor.Tool`) plus GitLab/GitHub workflow snippets that emit DSSE per build step (scan/package/push) using the new library and Authority keys. | Need CLI updates from latest DSSE release | DODS0101 |
@@ -1019,7 +1019,7 @@
| EXPORT-OAS-63 | TODO | | SPRINT_160_export_evidence | Exporter Service Guild · API Governance Guild | | Needs API governance sign-off (049_APIG0101) | Needs API governance sign-off (049_APIG0101) | AGEX0101 |
| EXPORT-OAS-63-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · SDK Guild | src/ExportCenter/StellaOps.ExportCenter | Implement deprecation headers and notifications for legacy export endpoints. Dependencies: EXPORT-OAS-62-001. | Requires #3 schema | AGEX0101 |
| EXPORT-OBS-50-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Observability Guild | src/ExportCenter/StellaOps.ExportCenter | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Wait for telemetry schema drop from 046_TLTY0101 | ECOB0101 |
| EXPORT-OBS-51-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Downstream automation awaiting assembler staffing outcome. | PROGRAM-STAFF-1001 | ECOB0101 |
| EXPORT-OBS-51-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Downstream automation awaiting assembler staffing outcome. | PROGRAM-STAFF-1001 | ECOB0101 |
| EXPORT-OBS-52-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild | src/ExportCenter/StellaOps.ExportCenter | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. Dependencies: EXPORT-OBS-51-001. | Requires shared middleware from task #1 | ECOB0101 |
| EXPORT-OBS-53-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Evidence Locker Guild | src/ExportCenter/StellaOps.ExportCenter | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. Dependencies: EXPORT-OBS-52-001. | Blocked on Evidence Locker DSSE API (002_ATEL0101) | ECOB0101 |
| EXPORT-OBS-54-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Provenance Guild | src/ExportCenter/StellaOps.ExportCenter | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. Dependencies: EXPORT-OBS-53-001. | PROGRAM-STAFF-1001; EXPORT-MIRROR-ORCH-1501 | ECOB0101 |
@@ -1047,8 +1047,8 @@
| FEEDCONN-CCCS-02-009 | TODO | | SPRINT_117_concelier_vi | Concelier Connector Guild CCCS (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys per the Link-Not-Merge schema/doc recipes. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-CERTBUND-02-010 | TODO | | SPRINT_117_concelier_vi | Concelier Connector Guild CertBund (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund | Translate CERT-Bund `product.Versions` phrases into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) while retaining localisation notes; update mapper/tests for Link-Not-Merge. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-CISCO-02-009 | DOING | 2025-11-08 | SPRINT_117_concelier_vi | Concelier Connector Guild Cisco (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco | Emit Cisco SemVer ranges into the new observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-ICSCISA-02-012 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | Overdue provenance refreshes require schedule from feed owners. | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-KISA-02-008 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-ICSCISA-02-012 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | Overdue provenance refreshes require schedule from feed owners. | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-KISA-02-008 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | FEFC0101 |
| FORENSICS-53-001 | TODO | | SPRINT_202_cli_ii | Forensics Guild | src/Cli/StellaOps.Cli | Replay data set | Replay data set | FONS0101 |
| FORENSICS-53-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Forensics Guild | | FORENSICS-53-001 | FORENSICS-53-001 | FONS0101 |
| FORENSICS-53-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Forensics Guild | | FORENSICS-53-001 | FORENSICS-53-001 | FONS0101 |
@@ -1108,10 +1108,10 @@
| GRAPH-INDEX-28-010 | TODO | | SPRINT_0140_0001_0001_runtime_signals | — | | Packaging/offline bundles paused until upstream graph jobs are available to embed. | — | ORGR0101 |
| GRAPH-INDEX-28-011 | TODO | 2025-11-04 | SPRINT_0207_0001_0001_graph | Graph Index Guild | src/Graph/StellaOps.Graph.Indexer | Wire SBOM ingest runtime to emit graph snapshot artifacts, add DI factory helpers, and document Mongo/snapshot environment guidance. Dependencies: GRAPH-INDEX-28-002..006. | GRSC0101 outputs | GRIX0101 |
| GRAPH-OPS-0001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_321_docs_modules_graph | Ops Guild | docs/modules/graph | Review graph observability dashboards/runbooks after the next sprint demo. | GRUI0101 | GRDG0101 |
| HELM-45-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | | | GRIX0101 |
| HELM-45-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild, Security Guild (ops/deployment) | ops/deployment | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. Dependencies: HELM-45-001. | | GRIX0101 |
| HELM-45-003 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild, Observability Guild (ops/deployment) | ops/deployment | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. Dependencies: HELM-45-002. | | GRIX0101 |
| ICSCISA-02-012 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | CCFD0101 |
| HELM-45-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | | | GRIX0101 |
| HELM-45-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild, Security Guild (ops/deployment) | ops/deployment | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. Dependencies: HELM-45-001. | | GRIX0101 |
| HELM-45-003 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild, Observability Guild (ops/deployment) | ops/deployment | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. Dependencies: HELM-45-002. | | GRIX0101 |
| ICSCISA-02-012 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | CCFD0101 |
| IMP-56-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | Harden base importer pipeline. | EXAG0101 | GRIX0101 |
| IMP-56-002 | TODO | | SPRINT_510_airgap | AirGap Importer + Security Guilds | src/AirGap/StellaOps.AirGap.Importer | IMP-56-001 | IMP-56-001 | IMIM0101 |
| IMP-57-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | IMP-56-002 | IMP-56-002 | IMIM0101 |
@@ -1133,7 +1133,7 @@
| INSTALL-46-001 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Security Guild | | INSTALL-45-001 | INSTALL-45-001 | INST0101 |
| INSTALL-50-001 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Support Guild | | INSTALL-44-001 | INSTALL-44-001 | INST0101 |
| KEV providers` | TODO | | SPRINT_115_concelier_iv | Concelier Core + Risk Engine Guilds (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | Surface vendor-provided CVSS/KEV/fix data exactly as published (with provenance anchors) through provider APIs so risk engines can reason about upstream intent. | ICSCISA-02-012 | CCFD0101 |
| KISA-02-008 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | | FEED-REMEDIATION-1001 | LATC0101 |
| KISA-02-008 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | | FEED-REMEDIATION-1001 | LATC0101 |
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
| LATTICE-401-023 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
@@ -1191,12 +1191,12 @@
| LNM-22-005 | BLOCKED (2025-10-27) | 2025-10-27 | SPRINT_305_docs_tasks_md_v | Docs + UI Guild | | Docs update for UI flows. | DOCS-LNM-22-004 | IMPT0101 |
| LNM-22-007 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Observability Guild | docs/modules/concelier/link-not-merge.md | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. Dependencies: DOCS-LNM-22-005. | DOCS-LNM-22-005 | DOLN0102 |
| LNM-22-008 | DONE | 2025-11-03 | SPRINT_117_concelier_vi | Docs Guild · DevOps Guild | docs/modules/concelier/link-not-merge.md | Document Link-Not-Merge migration playbook updates in `docs/migration/no-merge.md`, including rollback guidance. | LNM-22-007 | DOLN0102 |
| MIRROR-CRT-56-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | PROGRAM-STAFF-1001 | ATMI0101 |
| MIRROR-CRT-56-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator · Security Guilds | | DSSE/TUF metadata follows assembler baseline. | MIRROR-CRT-56-001; MIRROR-DSSE-REV-1501; PROV-OBS-53-001 | ATMI0101 |
| MIRROR-CRT-57-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | OCI/time-anchor workstreams blocked pending assembler + time contract. | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-57-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-58-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | CLI + Export automation depends on assembler and DSSE/TUF track. | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-58-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-56-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | PROGRAM-STAFF-1001 | ATMI0101 |
| MIRROR-CRT-56-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator · Security Guilds | | DSSE/TUF metadata follows assembler baseline. | MIRROR-CRT-56-001; MIRROR-DSSE-REV-1501; PROV-OBS-53-001 | ATMI0101 |
| MIRROR-CRT-57-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | OCI/time-anchor workstreams blocked pending assembler + time contract. | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-57-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-58-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | CLI + Export automation depends on assembler and DSSE/TUF track. | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-58-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MTLS-11-002 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild | src/Authority/StellaOps.Authority | Refresh grants enforce original client cert, tokens persist `x5t#S256` metadata, docs updated. | AUTH-DPOP-11-001 | AUIN0102 |
| NATIVE-401-015 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native` | Bootstrap Symbols.Native + CallGraph.Native scaffolding and coverage fixtures. | Needs replay requirements from DORR0101 | SCNA0101 |
| NOTIFY-38-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
@@ -1248,30 +1248,30 @@
| OBS-50-002 | DOING | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | Roll out Helm/collector bundles plus validation tests and DSSE artefacts for telemetry exporters. | OBS-50-001 | TLTY0102 |
| OBS-50-003 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | docs/observability | Publish `/docs/observability/collector-deploy.md` with telemetry baseline + offline flows. | OBS-50-001 | DOOB0102 |
| OBS-50-004 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | docs/observability | Document scrub policy/SOPs (`/docs/observability/scrub-policy.md`). | OBS-50-003 | DOOB0102 |
| OBS-51-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | ops/devops/telemetry | Build shared SLO bus (queue depth, time-anchor drift) feeding exporter/CLI dashboards. | PROGRAM-STAFF-1001 | OBAG0101 |
| OBS-51-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | ops/devops/telemetry | Build shared SLO bus (queue depth, time-anchor drift) feeding exporter/CLI dashboards. | PROGRAM-STAFF-1001 | OBAG0101 |
| OBS-51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | ops/devops/telemetry | Run shadow-mode evaluators + roll metrics into collectors + alert webhooks. | OBS-51-001 | OBAG0101 |
| OBS-52-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit ingest latency, queue depth, and AOC violation metrics with burn-rate alerts. | ATLN0101 | CNOB0103 |
| OBS-52-002 | TODO | | SPRINT_160_export_evidence | Timeline Indexer Guild | src/Timeline/StellaOps.TimelineIndexer | Configure streaming pipeline (retention/backpressure) for timeline events. | OBS-52-001 | TLIX0101 |
| OBS-52-003 | TODO | | SPRINT_160_export_evidence | Timeline Indexer Guild | src/Timeline/StellaOps.TimelineIndexer | Add CI validation + schema enforcement for timeline events. | OBS-52-002 | TLIX0101 |
| OBS-52-004 | TODO | | SPRINT_160_export_evidence | Timeline Indexer + Security Guilds | src/Timeline/StellaOps.TimelineIndexer | Harden streaming pipeline with auth/encryption + DSSE proofs. | OBS-52-003 | TLIX0101 |
| OBS-53-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | ops/devops/telemetry | Establish provenance SLO signals + exporter hooks. | PROGRAM-STAFF-1001 | PROB0102 |
| OBS-53-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | ops/devops/telemetry | Establish provenance SLO signals + exporter hooks. | PROGRAM-STAFF-1001 | PROB0102 |
| OBS-53-002 | TODO | | SPRINT_0513_0001_0001_provenance | Provenance + Security Guild | src/Provenance/StellaOps.Provenance.Attestation | Add attestation metrics + scrubbed logs referencing DSSE bundles. | OBS-53-001 | PROB0102 |
| OBS-53-003 | TODO | | SPRINT_0513_0001_0001_provenance | Provenance Guild | src/Provenance/StellaOps.Provenance.Attestation | Ship dashboards/tests proving attestation observability. | OBS-53-002 | PROB0102 |
| OBS-54-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Provenance Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Needs shared exporter from 1039_EXPORT-OBS-54-001 | Needs shared exporter from 1039_EXPORT-OBS-54-001 | CNOB0101 |
| OBS-54-002 | TODO | | SPRINT_161_evidencelocker | Evidence Locker Guild | src/EvidenceLocker/StellaOps.EvidenceLocker | Instrument Evidence Locker ingest/publish flows with metrics/logs + alerts. | OBS-53-002 | ELOC0102 |
| OBS-55-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core & DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Refresh ops automation/runbooks referencing new observability signals. | OBS-52-001 | CNOB0103 |
| OBS-56-001 | TODO | | SPRINT_174_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | Generate signed air-gap telemetry bundles + validation tests. | OBS-50-002 | TLTY0103 |
| OFFLINE-17-004 | BLOCKED | 2025-10-26 | SPRINT_508_ops_offline_kit | Offline Kit Guild · DevOps Guild | ops/offline-kit | Repackage release-17 bundle with DSSE receipts + verification logs. | PROGRAM-STAFF-1001 | OFFK0101 |
| OFFLINE-34-006 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Orchestrator Guild | ops/offline-kit | Add orchestrator automation + docs to Offline Kit release 34. | ATMI0102 | OFFK0101 |
| OFFLINE-37-001 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Exporter Guild | ops/offline-kit | Ship export evidence bundle + checksum manifests for release 37. | EXPORT-MIRROR-ORCH-1501 | OFFK0101 |
| OFFLINE-37-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Notifications Guild | ops/offline-kit | Package notifier templates/channel configs for offline ops (release 37). | NOTY0103 | OFFK0101 |
| OFFLINE-CONTAINERS-46-001 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Deployment Guild | ops/offline-kit | Include container air-gap bundle, verification docs, and mirrored registry instructions. | OFFLINE-37-001 | OFFK0101 |
| OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild · Build Infra Guild | ops/devops | Rebuild OpenSSL toolchain with sovereign crypto patches + publish reproducible logs. | KMSI0102 | OPEN0101 |
| OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild · CI Guild | ops/devops | Update CI/container images with new OpenSSL packages + smoke tests. | OPENSSL-11-001 | OPEN0101 |
| OFFLINE-17-004 | BLOCKED | 2025-10-26 | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild · DevOps Guild | ops/offline-kit | Repackage release-17 bundle with DSSE receipts + verification logs. | PROGRAM-STAFF-1001 | OFFK0101 |
| OFFLINE-34-006 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Orchestrator Guild | ops/offline-kit | Add orchestrator automation + docs to Offline Kit release 34. | ATMI0102 | OFFK0101 |
| OFFLINE-37-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Exporter Guild | ops/offline-kit | Ship export evidence bundle + checksum manifests for release 37. | EXPORT-MIRROR-ORCH-1501 | OFFK0101 |
| OFFLINE-37-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Notifications Guild | ops/offline-kit | Package notifier templates/channel configs for offline ops (release 37). | NOTY0103 | OFFK0101 |
| OFFLINE-CONTAINERS-46-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Deployment Guild | ops/offline-kit | Include container air-gap bundle, verification docs, and mirrored registry instructions. | OFFLINE-37-001 | OFFK0101 |
| OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Build Infra Guild | ops/devops | Rebuild OpenSSL toolchain with sovereign crypto patches + publish reproducible logs. | KMSI0102 | OPEN0101 |
| OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · CI Guild | ops/devops | Update CI/container images with new OpenSSL packages + smoke tests. | OPENSSL-11-001 | OPEN0101 |
| OPS-0001 | DONE | 2025-11-07 | SPRINT_333_docs_modules_excititor | Ops Guild (docs/modules/excitor) | docs/modules/excitor | | | |
| OPS-ENV-01 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · Scanner Guild | ops/devops | Update Helm/Compose manifests + docs to include Surface.Env variables for Scanner/Zastava. | SCSS0101 | DOPS0101 |
| OPS-SECRETS-01 | TODO | | SPRINT_507_ops_devops_v | DevOps + Security Guild | ops/devops | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | OPS-ENV-01 | DOPS0101 |
| OPS-SECRETS-02 | TODO | | SPRINT_507_ops_devops_v | DevOps + Offline Kit Guild | ops/devops | Embed Surface.Secrets bundles (encrypted) into Offline Kit packaging scripts. | OPS-SECRETS-01 | DOPS0101 |
| OPS-ENV-01 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · Scanner Guild | ops/devops | Update Helm/Compose manifests + docs to include Surface.Env variables for Scanner/Zastava. | SCSS0101 | DOPS0101 |
| OPS-SECRETS-01 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps + Security Guild | ops/devops | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | OPS-ENV-01 | DOPS0101 |
| OPS-SECRETS-02 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps + Offline Kit Guild | ops/devops | Embed Surface.Secrets bundles (encrypted) into Offline Kit packaging scripts. | OPS-SECRETS-01 | DOPS0101 |
| ORCH-32-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
| ORCH-32-002 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
| ORCH-33-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
@@ -1321,7 +1321,7 @@
| ORCH-OPS-0001 | DONE | | SPRINT_0323_0001_0001_docs_modules_orchestrator | Ops Guild | docs/modules/orchestrator | Review orchestrator runbooks/observability checklists after new demos. | ORSC0104 | DOOR0103 |
| PACKS-42-001 | TODO | | SPRINT_0121_0001_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestable exports for Task Pack simulation + CLI offline mode. | PLLG0103 | PKLD0101 |
| PACKS-43-001 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Packs Guild · Authority Guild | src/Authority/StellaOps.Authority | Finalized Pack release 43 (signing, release notes, artefacts). | AUTH-PACKS-41-001; TASKRUN-42-001; ORCH-SVC-42-101 | PACK0101 |
| PACKS-43-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit Guild, Packs Registry Guild (ops/offline-kit) | ops/offline-kit | Bundle packs registry artifacts, runbooks, and verification docs into Offline Kit release 43. | OFFLINE-37-001 | OFFK0101 |
| PACKS-43-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild, Packs Registry Guild (ops/offline-kit) | ops/offline-kit | Bundle packs registry artifacts, runbooks, and verification docs into Offline Kit release 43. | OFFLINE-37-001 | OFFK0101 |
| PACKS-REG-41-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Implement registry API/storage, version lifecycle, provenance export. | ORCH-SVC-42-101 | PKRG0101 |
| PACKS-REG-42-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Add tenant allowlists, signature rotation, audit logs, Offline Kit seed support. | PACKS-REG-41-001 | PKRG0101 |
| PACKS-REG-43-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Implement mirroring, pack signing policies, compliance dashboards, Export Center integration. | PACKS-REG-42-001 | PKRG0101 |
@@ -1508,7 +1508,7 @@
| REGISTRY-API-27-008 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history | REGISTRY-API-27-007 | |
| REGISTRY-API-27-009 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild, Observability Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Instrument metrics/logs/traces | REGISTRY-API-27-008 | |
| REGISTRY-API-27-010 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild, QA Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI | REGISTRY-API-27-009 | |
| REL-17-004 | BLOCKED | 2025-10-26 | SPRINT_506_ops_devops_iv | DevOps Guild (ops/devops) | ops/devops | | | |
| REL-17-004 | BLOCKED | 2025-10-26 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild (ops/devops) | ops/devops | | | |
| REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | | | |
| REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild, Platform Data Guild (docs) | | | | |
| REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild (docs) | | | | |
@@ -1554,7 +1554,7 @@
| RISK-ENGINE-69-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Add telemetry | RISK-ENGINE-69-001 | |
| RISK-ENGINE-70-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Export Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Support offline provider bundles with manifest verification and missing-data reporting | RISK-ENGINE-69-002 | |
| RISK-ENGINE-70-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Integrate runtime evidence provider and reachability provider outputs with caching + TTL | RISK-ENGINE-70-001 | |
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_506_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
| RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | | | |
| RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
@@ -1584,7 +1584,7 @@
| SBOM-VULN-29-001 | TODO | | SPRINT_0140_0001_0001_runtime_signals | | | Inventory evidence feed deferred until projection schema + runtime align. | | |
| SBOM-VULN-29-002 | TODO | | SPRINT_0140_0001_0001_runtime_signals | | | Resolver feed requires 29-001 event payloads. | | |
| SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | | | |
| SCAN-90-004 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild, Scanner Guild (ops/devops) | ops/devops | | | |
| SCAN-90-004 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild, Scanner Guild (ops/devops) | ops/devops | | | |
| SCAN-DETER-186-008 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild · Provenance Guild | `src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker` | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | ENTROPY-186-012 & SCANNER-ENV-02 | SCDE0102 |
| SCAN-DETER-186-009 | DONE (2025-11-27) | | SPRINT_186_record_deterministic_execution | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`) | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | | |
| SCAN-DETER-186-010 | DONE (2025-11-27) | | SPRINT_186_record_deterministic_execution | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`) | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md` | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | | |
@@ -1928,7 +1928,7 @@
| SVC-43-001 | TODO | | SPRINT_164_exportcenter_iii | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter) | src/ExportCenter/StellaOps.ExportCenter | | | |
| SYM-007 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild & Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | | | |
| SYMS-70-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild, Symbols Guild (docs) | | | | |
| SYMS-90-005 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild, Symbols Guild (ops/devops) | ops/devops | | | |
| SYMS-90-005 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild, Symbols Guild (ops/devops) | ops/devops | | | |
| SYMS-BUNDLE-401-014 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · Ops | `src/Symbols/StellaOps.Symbols.Bundle`, `ops` | Produce deterministic symbol bundles for air-gapped installs (`symbols bundle create | Depends on #1 | RBSY0101 |
| SYMS-CLIENT-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · Scanner Guild | `src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer` | Ship `StellaOps.Symbols.Client` SDK (resolve/upload APIs, platform key derivation for ELF/PDB/Mach-O/JVM/Node, disk LRU cache) and integrate with Scanner.Symbolizer/runtime probes (ref. `docs/specs/SYMBOL_MANIFEST_v1.md`). | Depends on #3 | RBSY0101 |
| SYMS-INGEST-401-013 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · DevOps Guild | `src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md` | Build `symbols ingest` CLI to emit DSSE-signed `SymbolManifest v1`, upload blobs, and register Rekor entries; document GitLab/Gitea pipeline usage. | Needs manifest updates from #1 | RBSY0101 |
@@ -1965,7 +1965,7 @@
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
| TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TIME-57-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
| TIME-58-002 | TODO | | SPRINT_510_airgap | AirGap Time Guild · Notifications Guild | src/AirGap/StellaOps.AirGap.Time | TIME-58-001 | TIME-58-001 | AGTM0101 |
@@ -2221,7 +2221,7 @@
| MIRROR-COORD-55-001 | TODO | | SPRINT_100_program_management | Program Mgmt Guild · Mirror Creator Guild | | — | — | PGMI0101 |
| ELOCKER-CONTRACT-2001 | TODO | | SPRINT_200_attestation_coord | Evidence Locker Guild | | — | — | ATEL0101 |
| ATTEST-PLAN-2001 | TODO | | SPRINT_200_attestation_coord | Evidence Locker Guild · Excititor Guild | | — | — | ATEL0101 |
| FEED-REMEDIATION-1001 | TODO | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | — | — | FEFC0101 |
| FEED-REMEDIATION-1001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | — | — | FEFC0101 |
| MIRROR-DSSE-REV-1501 | TODO | | SPRINT_150_mirror_dsse | Mirror Creator Guild · Security Guild · Evidence Locker Guild | | — | — | ATEL0101 |
| AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 |
| EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 |
@@ -2268,15 +2268,15 @@
| 34-101 | DONE | 2025-11-22 | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
| 401-004 | BLOCKED | 2025-11-25 | SPRINT_0401_0001_0001_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Blocked: awaiting SGSI0101 runtime facts + CAS policy from GAP-REP-004 | RPRC0101 |
| 41-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | Contract landed via product advisory 2025-11-29; implemented per `docs/modules/taskrunner/architecture.md`. | ORTR0101 |
| 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
| 44-002 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | 44-001 | 44-001 | DVDO0103 |
| 44-003 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Docs Guild (ops/deployment) | ops/deployment | 44-002 | 44-002 | DVDO0103 |
| 45-001 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
| 45-002 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
| 45-003 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
| 44-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
| 44-002 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | 44-001 | 44-001 | DVDO0103 |
| 44-003 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Docs Guild (ops/deployment) | ops/deployment | 44-002 | 44-002 | DVDO0103 |
| 45-001 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
| 45-002 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
| 45-003 | BLOCKED | 2025-11-25 | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
| 50-002 | DOING | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
| 51-002 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | Waiting on OBS-50 baselines and ORCH-OBS-50-001 schemas | TLTY0101 |
| 54-001 | BLOCKED | 2025-11-25 | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
| 54-001 | BLOCKED | 2025-11-25 | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
| 56-001 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | Blocked: SGSI0101 provenance feed/contract pending | TLTY0101 |
| 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
| 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 |
@@ -2302,7 +2302,7 @@
| AIAI-31-006 | DONE | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild, Policy Guild (docs) | | — | — | DOAI0101 |
| AIAI-31-008 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Remote inference packaging delivered with on-prem container + manifests. | AIAI-31-006; AIAI-31-007 | DOAI0101 |
| AIAI-31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. | — | DOAI0101 |
| AIRGAP-46-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | AGDP0101 |
| AIRGAP-46-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | Needs Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) | AGDP0101 |
| AIRGAP-56 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap ingest parity delivered against frozen LNM schema. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
| AIRGAP-56-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | docs/modules/airgap/airgap-mode.md | Mirror import helpers and bundle catalog wired for sealed mode. | PROGRAM-STAFF-1001 | AGCO0101 |
| AIRGAP-56-001..58-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Concelier Core · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Deterministic bundle + manifest/entry-trace and sealed-mode deploy runbook shipped. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ELOCKER-CONTRACT-2001 | AGCO0101 |
@@ -2311,7 +2311,7 @@
| AIRGAP-56-004 | TODO | | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
| AIRGAP-57 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap bundle timeline/hooks completed. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
| AIRGAP-57-001 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | src/Authority/StellaOps.Authority | | AUTH-AIRGAP-56-001; DEVOPS-AIRGAP-57-002 | KMSI0101 |
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
| AIRGAP-57-003 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · CLI Guild | docs/modules/airgap | CLI & ops inputs | CLI & ops inputs | AIDG0101 |
| AIRGAP-57-004 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · Ops Guild | docs/modules/airgap | AIRGAP-57-003 | AIRGAP-57-003 | AIDG0101 |
| AIRGAP-58 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Import/export automation delivered for frozen schema. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
@@ -2331,7 +2331,7 @@
| AIRGAP-IMP-57-002 | TODO | | SPRINT_510_airgap | AirGap Importer Guild · DevOps Guild | src/AirGap/StellaOps.AirGap.Importer | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. Dependencies: AIRGAP-IMP-57-001. | 57-001 | AGIM0101 |
| AIRGAP-IMP-58-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Importer | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. Dependencies: AIRGAP-IMP-57-002. | CLI contract alignment | AGIM0101 |
| AIRGAP-IMP-58-002 | TODO | | SPRINT_510_airgap | AirGap Importer Guild · Observability Guild | src/AirGap/StellaOps.AirGap.Importer | Emit timeline events (`airgap.import.started. Dependencies: AIRGAP-IMP-58-001. | 58-001 observability | AGIM0101 |
| AIRGAP-TIME-57-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | ATMI0102 |
| AIRGAP-TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | PROGRAM-STAFF-1001; AIRGAP-TIME-CONTRACT-1501 | ATMI0102 |
| AIRGAP-TIME-57-002 | TODO | | SPRINT_510_airgap | AirGap Time Guild · Observability Guild | src/AirGap/StellaOps.AirGap.Time | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. Dependencies: AIRGAP-TIME-57-001. | Controller schema | AGTM0101 |
| AIRGAP-TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. Dependencies: AIRGAP-TIME-57-002. | 57-002 | AGTM0101 |
| AIRGAP-TIME-58-002 | TODO | | SPRINT_510_airgap | AirGap Time Guild, Notifications Guild (src/AirGap/StellaOps.AirGap.Time) | src/AirGap/StellaOps.AirGap.Time | Emit notifications and timeline events when staleness budgets breached or approaching. Dependencies: AIRGAP-TIME-58-001. | | AGTM0101 |
@@ -2420,7 +2420,7 @@
| AOC-19-002 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #1 | POLICY-AOC-19-001 | PLAO0101 |
| AOC-19-003 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #2 | POLICY-AOC-19-002 | PLAO0101 |
| AOC-19-004 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/__Libraries/StellaOps.Policy | Depends on #3 | POLICY-AOC-19-003 | PLAO0101 |
| AOC-19-101 | TODO | 2025-10-28 | SPRINT_503_ops_devops_i | DevOps Guild | ops/devops | Needs helper definitions from PLAO0101 | Needs helper definitions from PLAO0101 | DVAO0101 |
| AOC-19-101 | TODO | 2025-10-28 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild | ops/devops | Needs helper definitions from PLAO0101 | Needs helper definitions from PLAO0101 | DVAO0101 |
| API-27-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Governance decision (APIG0101) | Governance decision (APIG0101) | PLAR0101 |
| API-27-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Depends on #1 | REGISTRY-API-27-001 | PLAR0101 |
| API-27-003 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild | src/Policy/StellaOps.Policy.Registry | Depends on #2 | REGISTRY-API-27-002 | PLAR0101 |
@@ -2509,13 +2509,13 @@
| CLI-401-021 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | — | — | CLCI0101 |
| CLI-41-001 | TODO | | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | | — | — | CLCI0101 |
| CLI-42-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild (docs) | | Superseded by DOCS-CLI-42-001; scope not defined separately. | Pending clarified scope | CLCI0101 |
| CLI-43-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-003 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-43-003 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | — | — | CLCI0101 |
| CLI-AIAI-31-001 | BLOCKED | 2025-11-22 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. Blocked: upstream Scanner analyzers (Node/Java) fail to compile, preventing CLI tests. | — | CLCI0101 |
| CLI-AIAI-31-002 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise explain` showing conflict narrative and structured rationale. Dependencies: CLI-AIAI-31-001. | — | CLCI0101 |
| CLI-AIAI-31-003 | DONE | 2025-11-24 | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. Dependencies: CLI-AIAI-31-002. | — | CLCI0101 |
| CLI-AIAI-31-004 | TODO | | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. Dependencies: CLI-AIAI-31-003. | — | CLCI0102 |
| CLI-AIRGAP-56-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | ATMI0102 |
| CLI-AIRGAP-56-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | ATMI0102 |
| CLI-AIRGAP-56-002 | TODO | | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. Dependencies: CLI-AIRGAP-56-001. | — | CLCI0102 |
| CLI-AIRGAP-57-001 | TODO | | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. Dependencies: CLI-AIRGAP-56-002. | — | CLCI0102 |
| CLI-AIRGAP-57-002 | TODO | | SPRINT_0201_0001_0001_cli_i | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella airgap seal. Dependencies: CLI-AIRGAP-57-001. | — | CLCI0102 |
@@ -2557,7 +2557,7 @@
| CLI-ORCH-34-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get. Dependencies: CLI-ORCH-33-001. | ORGR0102 API review | CLCI0105 |
| CLI-PACKS-42-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | — | CLCI0105 |
| CLI-PACKS-43-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). Dependencies: CLI-PACKS-42-001. | Offline kit schema sign-off | CLCI0105 |
| CLI-PACKS-43-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit Guild · Packs Registry Guild | ops/offline-kit | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | CLI-PACKS-43-001 | CLCI0105 |
| CLI-PACKS-43-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild · Packs Registry Guild | ops/offline-kit | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | CLI-PACKS-43-001 | CLCI0105 |
| CLI-PARITY-41-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | — | CLCI0106 |
| CLI-PARITY-41-002 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. Dependencies: CLI-PARITY-41-001. | — | CLCI0106 |
| CLI-POLICY-20-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella policy new | PLPE0101 completion | CLCI0106 |
@@ -2598,9 +2598,9 @@
| CLI-VULN-29-005 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. Dependencies: CLI-VULN-29-004. | CLI-VULN-29-004 | CLCI0107 |
| CLI-VULN-29-006 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild · Docs Guild | src/Cli/StellaOps.Cli | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. Dependencies: CLI-VULN-29-005. | CLI-VULN-29-005 | CLCI0108 |
| CLIENT-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild | `src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer` | Align with symbolizer regression fixtures | Align with symbolizer regression fixtures | RBSY0101 |
| COMPOSE-44-001 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild | ops/deployment | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Waiting on consolidated service list/version pins from upstream module releases | DVCP0101 |
| COMPOSE-44-002 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. Dependencies: COMPOSE-44-001. | Depends on #1 | DVCP0101 |
| COMPOSE-44-003 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. Dependencies: COMPOSE-44-002. | Needs RBRE0101 provenance | DVCP0101 |
| COMPOSE-44-001 | BLOCKED | 2025-11-25 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · DevEx Guild | ops/deployment | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Waiting on consolidated service list/version pins from upstream module releases | DVCP0101 |
| COMPOSE-44-002 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. Dependencies: COMPOSE-44-001. | Depends on #1 | DVCP0101 |
| COMPOSE-44-003 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. Dependencies: COMPOSE-44-002. | Needs RBRE0101 provenance | DVCP0101 |
| CONCELIER-AIAI-31-002 | DONE | 2025-11-18 | SPRINT_110_ingestion_evidence | Concelier Core · Concelier WebService Guilds | | Structured field/caching implementation gated on schema approval. | CONCELIER-GRAPH-21-001; CARTO-GRAPH-21-002 | DOAI0101 |
| CONCELIER-AIAI-31-003 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Docs Guild · Concelier Observability Guild | docs/modules/concelier/observability.md | Telemetry counters/histograms live for Advisory AI dashboards. | Summarize telemetry evidence | DOCO0101 |
| CONCELIER-AIRGAP-56-001 | DONE (2025-11-24) | | SPRINT_112_concelier_i | Concelier Core Guild | src/Concelier/StellaOps.Concelier.WebService/AirGap | Deterministic air-gap bundle builder with manifest + entry-trace hashes. | docs/runbooks/concelier-airgap-bundle-deploy.md | AGCN0101 |
@@ -2709,12 +2709,12 @@
| CORE-AOC-19-003 | TODO | | SPRINT_120_excititor_ii | Excititor Core Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Depends on #1 | Depends on #1 | EXAC0101 |
| CORE-AOC-19-004 | TODO | | SPRINT_120_excititor_ii | Excititor Core Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Depends on #2 | Depends on #2 | EXAC0101 |
| CORE-AOC-19-013 | TODO | | SPRINT_112_concelier_i | Concelier Core Guild + Excititor | src/Concelier/__Libraries/StellaOps.Concelier.Core | Needs CCAN0101 DSSE output | Needs CCAN0101 DSSE output | EXAC0101 |
| CRT-56-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Wait for PGMI0101 owner | Wait for PGMI0101 owner | MRCR0101 |
| CRT-56-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator · Security Guilds | | Depends on #1 | MIRROR-CRT-56-001; PROV-OBS-53-001 | MRCR0101 |
| CRT-57-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | Needs AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-57-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Depends on #3 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-58-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator + Evidence Locker | | Requires Evidence Locker contract | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-58-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator + Security Guild | | Depends on #5 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-56-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Wait for PGMI0101 owner | Wait for PGMI0101 owner | MRCR0101 |
| CRT-56-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator · Security Guilds | | Depends on #1 | MIRROR-CRT-56-001; PROV-OBS-53-001 | MRCR0101 |
| CRT-57-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | Needs AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-57-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Depends on #3 | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | MRCR0101 |
| CRT-58-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator + Evidence Locker | | Requires Evidence Locker contract | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRT-58-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator + Security Guild | | Depends on #5 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MRCR0101 |
| CRYPTO-90-001 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
| CRYPTO-90-002 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
| CRYPTO-90-003 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | | | CRSA0101 |
@@ -2741,103 +2741,103 @@
| CTL-57-001 | TODO | | SPRINT_510_airgap | Controller + Time Guild | src/AirGap/StellaOps.AirGap.Controller | Needs AGTM time anchors | Needs AGTM time anchors | AGCT0102 |
| CTL-57-002 | TODO | | SPRINT_510_airgap | Controller + Observability Guild | src/AirGap/StellaOps.AirGap.Controller | Depends on #3 | Depends on #3 | AGCT0102 |
| CTL-58-001 | TODO | | SPRINT_510_airgap | Controller + Evidence Locker Guild | src/AirGap/StellaOps.AirGap.Controller | Depends on #4 | Depends on #4 | AGCT0102 |
| DEPLOY-AIAI-31-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Advisory AI Guild | ops/deployment | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Wait for DVCP0101 compose template | DVPL0101 |
| DEPLOY-AIRGAP-46-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Requires #1 artifacts | AGDP0101 |
| DEPLOY-CLI-41-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · CLI Guild | ops/deployment | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Wait for CLI observability schema (035_CLCI0105) | AGDP0101 |
| DEPLOY-COMPOSE-44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild | ops/deployment | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Depends on #1 | DVPL0101 |
| DEPLOY-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_501_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Need exporter DSSE API (002_ATEL0101) | AGDP0101 |
| DEPLOY-EXPORT-36-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. Dependencies: DEPLOY-EXPORT-35-001. | Depends on #4 deliverables | AGDP0101 |
| DEPLOY-HELM-45-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment + Security Guilds | ops/deployment | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Needs helm chart schema | DVPL0101 |
| DEPLOY-NOTIFY-38-001 | TODO | 2025-10-29 | SPRINT_501_ops_deployment_i | Deployment + Notify Guilds | ops/deployment | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Depends on #3 | DVPL0101 |
| DEPLOY-ORCH-34-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Orchestrator Guild | ops/deployment | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Requires ORTR0101 readiness | AGDP0101 |
| DEPLOY-PACKS-42-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Packs Registry Guild | ops/deployment | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Wait for pack registry schema | AGDP0101 |
| DEPLOY-PACKS-43-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Task Runner Guild | ops/deployment | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. Dependencies: DEPLOY-PACKS-42-001. | Needs #7 artifacts | AGDP0101 |
| DEPLOY-POLICY-27-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · Policy Registry Guild | ops/deployment | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Needs registry schema + secrets | AGDP0101 |
| DEPLOY-POLICY-27-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild · Policy Guild | ops/deployment | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under `/docs/runbooks/policy-incident.md`. Dependencies: DEPLOY-POLICY-27-001. | Depends on 27-001 | AGDP0101 |
| DEPLOY-VEX-30-001 | TODO | | SPRINT_502_ops_deployment_ii | Deployment + VEX Lens Guild | ops/deployment | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Wait for CCWO0101 schema | DVPL0101 |
| DEPLOY-VEX-30-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild | ops/deployment | Package Issuer Directory deployment manifests, backups, and security hardening guidance. Dependencies: DEPLOY-VEX-30-001. | Depends on #5 | DVPL0101 |
| DEPLOY-VULN-29-001 | TODO | | SPRINT_502_ops_deployment_ii | Deployment + Vuln Guild | ops/deployment | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Needs CCWO0101 | DVPL0101 |
| DEPLOY-VULN-29-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild | ops/deployment | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. Dependencies: DEPLOY-VULN-29-001. | Depends on #7 | DVPL0101 |
| DEPLOY-AIAI-31-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Advisory AI Guild | ops/deployment | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Wait for DVCP0101 compose template | DVPL0101 |
| DEPLOY-AIRGAP-46-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Offline Kit Guild | ops/deployment | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Requires #1 artifacts | AGDP0101 |
| DEPLOY-CLI-41-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · CLI Guild | ops/deployment | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Wait for CLI observability schema (035_CLCI0105) | AGDP0101 |
| DEPLOY-COMPOSE-44-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild | ops/deployment | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Depends on #1 | DVPL0101 |
| DEPLOY-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Need exporter DSSE API (002_ATEL0101) | AGDP0101 |
| DEPLOY-EXPORT-36-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Export Center Guild | ops/deployment | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. Dependencies: DEPLOY-EXPORT-35-001. | Depends on #4 deliverables | AGDP0101 |
| DEPLOY-HELM-45-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment + Security Guilds | ops/deployment | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Needs helm chart schema | DVPL0101 |
| DEPLOY-NOTIFY-38-001 | TODO | 2025-10-29 | SPRINT_0501_0001_0001_ops_deployment_i | Deployment + Notify Guilds | ops/deployment | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Depends on #3 | DVPL0101 |
| DEPLOY-ORCH-34-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Orchestrator Guild | ops/deployment | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Requires ORTR0101 readiness | AGDP0101 |
| DEPLOY-PACKS-42-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Packs Registry Guild | ops/deployment | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Wait for pack registry schema | AGDP0101 |
| DEPLOY-PACKS-43-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Task Runner Guild | ops/deployment | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. Dependencies: DEPLOY-PACKS-42-001. | Needs #7 artifacts | AGDP0101 |
| DEPLOY-POLICY-27-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild · Policy Registry Guild | ops/deployment | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Needs registry schema + secrets | AGDP0101 |
| DEPLOY-POLICY-27-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild · Policy Guild | ops/deployment | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under `/docs/runbooks/policy-incident.md`. Dependencies: DEPLOY-POLICY-27-001. | Depends on 27-001 | AGDP0101 |
| DEPLOY-VEX-30-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment + VEX Lens Guild | ops/deployment | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Wait for CCWO0101 schema | DVPL0101 |
| DEPLOY-VEX-30-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild | ops/deployment | Package Issuer Directory deployment manifests, backups, and security hardening guidance. Dependencies: DEPLOY-VEX-30-001. | Depends on #5 | DVPL0101 |
| DEPLOY-VULN-29-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment + Vuln Guild | ops/deployment | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Needs CCWO0101 | DVPL0101 |
| DEPLOY-VULN-29-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild | ops/deployment | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. Dependencies: DEPLOY-VULN-29-001. | Depends on #7 | DVPL0101 |
| DETER-186-008 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild | `src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker` | Wait for RLRC0101 fixture | Wait for RLRC0101 fixture | SCDT0101 |
| DETER-186-009 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild · QA Guild | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Depends on #1 | Depends on #1 | SCDT0101 |
| DETER-186-010 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild · Export Center Guild | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md` | Depends on #2 | Depends on #2 | SCDT0101 |
| DETER-70-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | | Needs CASC0101 manifest | Needs CASC0101 manifest | SCDT0101 |
| DETER-70-003 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild · Scanner Guild | src/Cli/StellaOps.Cli | Depends on #4 | Depends on #4 | SCDT0101 |
| DETER-70-004 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Depends on #5 | Depends on #5 | SCDT0101 |
| DEVOPS-AIAI-31-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Advisory AI Guild (ops/devops) | ops/devops | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | — | DVDO0101 |
| DEVOPS-AIRGAP-56-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, AirGap Importer Guild (ops/devops) | ops/devops | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. Dependencies: DEVOPS-AIRGAP-56-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-003 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Container Distribution Guild (ops/devops) | ops/devops | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. Dependencies: DEVOPS-AIRGAP-56-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Mirror Creator Guild (ops/devops) | ops/devops | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. Dependencies: DEVOPS-AIRGAP-56-003. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). Dependencies: DEVOPS-AIRGAP-57-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Notifications Guild (ops/devops) | ops/devops | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | — | DVDO0101 |
| DEVOPS-AOC-19-001 | BLOCKED | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild, Platform Guild (ops/devops) | ops/devops | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | CCAO0101 | DVDO0101 |
| DEVOPS-AOC-19-002 | BLOCKED | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. Dependencies: DEVOPS-AOC-19-001. | DEVOPS-AOC-19-001 | DVDO0101 |
| DEVOPS-AOC-19-003 | BLOCKED | 2025-10-26 | SPRINT_503_ops_devops_i | DevOps Guild, QA Guild (ops/devops) | ops/devops | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DEVOPS-AOC-19-002 | DVDO0102 |
| DEVOPS-AOC-19-101 | TODO | 2025-10-28 | SPRINT_503_ops_devops_i | DevOps Guild · Concelier Storage Guild | ops/devops | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. Dependencies: DEVOPS-AOC-19-003. | Align with CCOA0101 contract | DVDO0104 |
| DEVOPS-ATTEST-73-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Attestor Service Guild (ops/devops) | ops/devops | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | — | DVDO0102 |
| DEVOPS-ATTEST-73-002 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, KMS Guild (ops/devops) | ops/devops | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. Dependencies: DEVOPS-ATTEST-73-001. | — | DVDO0102 |
| DEVOPS-ATTEST-74-001 | TODO | | SPRINT_503_ops_devops_i | DevOps Guild, Transparency Guild (ops/devops) | ops/devops | Deploy transparency log witness infrastructure and monitoring. Dependencies: DEVOPS-ATTEST-73-002. | — | DVDO0102 |
| DEVOPS-ATTEST-74-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Export Attestation Guild (ops/devops) | ops/devops | Integrate attestation bundle builds into release/offline pipelines with checksum verification. Dependencies: DEVOPS-ATTEST-74-001. | — | DVDO0102 |
| DEVOPS-ATTEST-75-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | — | DVDO0102 |
| DEVOPS-CLI-41-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | — | DVDO0102 |
| DEVOPS-CLI-42-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild (ops/devops) | ops/devops | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | — | DVDO0102 |
| DEVOPS-CLI-43-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | — | DVDO0102 |
| DEVOPS-CLI-43-003 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | — | DVDO0102 |
| DEVOPS-CONSOLE-23-001 | TODO | 2025-10-26 | SPRINT_504_ops_devops_ii | DevOps Guild · Console Guild | ops/devops | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | Needs CCWO0101 API schema | DVDO0104 |
| DEVOPS-CONSOLE-23-002 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. Dependencies: DEVOPS-CONSOLE-23-001. | Depends on #2 | DVDO0104 |
| DEVOPS-CONTAINERS-44-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Wait for COWB0101 base image | DVDO0104 |
| DEVOPS-CONTAINERS-45-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. Dependencies: DEVOPS-CONTAINERS-44-001. | Depends on #4 | DVDO0104 |
| DEVOPS-CONTAINERS-46-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. Dependencies: DEVOPS-CONTAINERS-45-001. | Depends on #5 | DVDO0104 |
| DEVOPS-DEVPORT-63-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild · DevPortal Guild | ops/devops | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Wait for API schema from CCWO0101 | DVDO0105 |
| DEVOPS-DEVPORT-64-001 | TODO | | SPRINT_504_ops_devops_ii | DevOps Guild | ops/devops | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. Dependencies: DEVOPS-DEVPORT-63-001. | Depends on #1 | DVDO0105 |
| DEVOPS-AIAI-31-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Advisory AI Guild (ops/devops) | ops/devops | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | — | DVDO0101 |
| DEVOPS-AIRGAP-56-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, AirGap Importer Guild (ops/devops) | ops/devops | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. Dependencies: DEVOPS-AIRGAP-56-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-56-003 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Container Distribution Guild (ops/devops) | ops/devops | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. Dependencies: DEVOPS-AIRGAP-56-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Mirror Creator Guild (ops/devops) | ops/devops | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. Dependencies: DEVOPS-AIRGAP-56-003. | — | DVDO0101 |
| DEVOPS-AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). Dependencies: DEVOPS-AIRGAP-57-001. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Notifications Guild (ops/devops) | ops/devops | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | — | DVDO0101 |
| DEVOPS-AIRGAP-58-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | — | DVDO0101 |
| DEVOPS-AOC-19-001 | BLOCKED | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Platform Guild (ops/devops) | ops/devops | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | CCAO0101 | DVDO0101 |
| DEVOPS-AOC-19-002 | BLOCKED | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild (ops/devops) | ops/devops | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. Dependencies: DEVOPS-AOC-19-001. | DEVOPS-AOC-19-001 | DVDO0101 |
| DEVOPS-AOC-19-003 | BLOCKED | 2025-10-26 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, QA Guild (ops/devops) | ops/devops | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DEVOPS-AOC-19-002 | DVDO0102 |
| DEVOPS-AOC-19-101 | TODO | 2025-10-28 | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild · Concelier Storage Guild | ops/devops | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. Dependencies: DEVOPS-AOC-19-003. | Align with CCOA0101 contract | DVDO0104 |
| DEVOPS-ATTEST-73-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Attestor Service Guild (ops/devops) | ops/devops | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | — | DVDO0102 |
| DEVOPS-ATTEST-73-002 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, KMS Guild (ops/devops) | ops/devops | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. Dependencies: DEVOPS-ATTEST-73-001. | — | DVDO0102 |
| DEVOPS-ATTEST-74-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | DevOps Guild, Transparency Guild (ops/devops) | ops/devops | Deploy transparency log witness infrastructure and monitoring. Dependencies: DEVOPS-ATTEST-73-002. | — | DVDO0102 |
| DEVOPS-ATTEST-74-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Export Attestation Guild (ops/devops) | ops/devops | Integrate attestation bundle builds into release/offline pipelines with checksum verification. Dependencies: DEVOPS-ATTEST-74-001. | — | DVDO0102 |
| DEVOPS-ATTEST-75-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Observability Guild (ops/devops) | ops/devops | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | — | DVDO0102 |
| DEVOPS-CLI-41-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | — | DVDO0102 |
| DEVOPS-CLI-42-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild (ops/devops) | ops/devops | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | — | DVDO0102 |
| DEVOPS-CLI-43-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, Task Runner Guild (ops/devops) | ops/devops | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | — | DVDO0102 |
| DEVOPS-CLI-43-003 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild, DevEx/CLI Guild (ops/devops) | ops/devops | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | — | DVDO0102 |
| DEVOPS-CONSOLE-23-001 | TODO | 2025-10-26 | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild · Console Guild | ops/devops | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | Needs CCWO0101 API schema | DVDO0104 |
| DEVOPS-CONSOLE-23-002 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. Dependencies: DEVOPS-CONSOLE-23-001. | Depends on #2 | DVDO0104 |
| DEVOPS-CONTAINERS-44-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Wait for COWB0101 base image | DVDO0104 |
| DEVOPS-CONTAINERS-45-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. Dependencies: DEVOPS-CONTAINERS-44-001. | Depends on #4 | DVDO0104 |
| DEVOPS-CONTAINERS-46-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. Dependencies: DEVOPS-CONTAINERS-45-001. | Depends on #5 | DVDO0104 |
| DEVOPS-DEVPORT-63-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild · DevPortal Guild | ops/devops | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Wait for API schema from CCWO0101 | DVDO0105 |
| DEVOPS-DEVPORT-64-001 | TODO | | SPRINT_0504_0001_0001_ops_devops_ii | DevOps Guild | ops/devops | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. Dependencies: DEVOPS-DEVPORT-63-001. | Depends on #1 | DVDO0105 |
| DEVOPS-DOCS-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Docs Guild | docs/modules/devops | See ./AGENTS.md | Needs CCSL0101 console docs | DVDO0105 |
| DEVOPS-ENG-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Engineering Guild | docs/modules/devops | Update status via ./AGENTS.md workflow | Depends on #3 | DVDO0105 |
| DEVOPS-EXPORT-35-001 | TODO | 2025-10-29 | SPRINT_504_ops_devops_ii | DevOps · Export Guild | ops/devops | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | Wait for DVPL0101 export deploy | DVDO0105 |
| DEVOPS-EXPORT-36-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Integrate Trivy compatibility validation, cosign signature checks, `trivy module db import` smoke tests, OCI distribution verification, and throughput/error dashboards. Dependencies: DEVOPS-EXPORT-35-001. | Depends on #5 | DVDO0105 |
| DEVOPS-EXPORT-37-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. Dependencies: DEVOPS-EXPORT-36-001. | Depends on #6 | DVDO0105 |
| DEVOPS-GRAPH-24-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Graph Guild | ops/devops | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Wait for CCGH0101 endpoint | DVDO0106 |
| DEVOPS-GRAPH-24-002 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. Dependencies: DEVOPS-GRAPH-24-001. | Depends on #1 | DVDO0106 |
| DEVOPS-GRAPH-24-003 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. Dependencies: DEVOPS-GRAPH-24-002. | Depends on #2 | DVDO0106 |
| DEVOPS-LNM-22-001 | TODO | 2025-10-27 | SPRINT_505_ops_devops_iii | DevOps · Concelier Guild | ops/devops | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | Needs CCLN0102 API | DVDO0106 |
| DEVOPS-LNM-22-002 | TODO | 2025-10-27 | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. Dependencies: DEVOPS-LNM-22-001. | Depends on #4 | DVDO0106 |
| DEVOPS-LNM-22-003 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. Dependencies: DEVOPS-LNM-22-002. | Depends on #5 | DVDO0106 |
| DEVOPS-OAS-61-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Wait for CCWO0101 spec | DVDO0106 |
| DEVOPS-OAS-61-002 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | Depends on #7 | DVDO0106 |
| DEVOPS-OBS-51-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Observability Guild | ops/devops | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | Wait for 045_DVDO0103 alert catalog | DVOB0101 |
| DEVOPS-OBS-52-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Timeline Indexer Guild | ops/devops | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | Needs #1 merged for shared correlation IDs | DVOB0101 |
| DEVOPS-OBS-53-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Evidence Locker Guild | ops/devops | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | Depends on DSSE API from 002_ATEL0101 | DVOB0101 |
| DEVOPS-OBS-54-001 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild · Security Guild | ops/devops | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. Dependencies: DEVOPS-OBS-53-001. | Requires security sign-off on cardinality budgets | DVOB0101 |
| DEVOPS-OBS-55-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Ops Guild | ops/devops | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | Relies on #4 to finalize alert dimensions | DVOB0101 |
| DEVOPS-OFFLINE-17-004 | TODO | 2025-11-23 | SPRINT_508_ops_offline_kit | DevOps Offline Guild | ops/offline-kit | Release workflow now publishes `out/release/debug`; run `mirror_debug_store.py` on the next release artefact, verify hashes, archive `metadata/debug-store.json` into the Offline Kit. | Wait for DVPL0101 compose | DVDO0107 |
| DEVOPS-OFFLINE-34-006 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Depends on #1 | DVDO0107 |
| DEVOPS-OFFLINE-37-001 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Needs RBRE hashes | DVDO0107 |
| DEVOPS-OFFLINE-37-002 | TODO | | SPRINT_508_ops_offline_kit | DevOps Guild | ops/offline-kit | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Depends on #3 | DVDO0107 |
| DEVOPS-OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | Security + DevOps Guilds | ops/devops | Package the OpenSSL 1.1 shim (`tests/native/openssl-1.1/linux-x64`) into test harness output so Mongo2Go suites discover it automatically. | Wait for CRYO0101 artifacts | DVDO0107 |
| DEVOPS-OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild | ops/devops | Ensure CI runners and Docker images that execute Mongo2Go tests export `LD_LIBRARY_PATH` (or embed the shim) to unblock unattended pipelines. Dependencies: DEVOPS-OPENSSL-11-001. | Depends on #5 | DVDO0107 |
| DEVOPS-EXPORT-35-001 | TODO | 2025-10-29 | SPRINT_0504_0001_0001_ops_devops_ii | DevOps · Export Guild | ops/devops | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | Wait for DVPL0101 export deploy | DVDO0105 |
| DEVOPS-EXPORT-36-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Integrate Trivy compatibility validation, cosign signature checks, `trivy module db import` smoke tests, OCI distribution verification, and throughput/error dashboards. Dependencies: DEVOPS-EXPORT-35-001. | Depends on #5 | DVDO0105 |
| DEVOPS-EXPORT-37-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. Dependencies: DEVOPS-EXPORT-36-001. | Depends on #6 | DVDO0105 |
| DEVOPS-GRAPH-24-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Graph Guild | ops/devops | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Wait for CCGH0101 endpoint | DVDO0106 |
| DEVOPS-GRAPH-24-002 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. Dependencies: DEVOPS-GRAPH-24-001. | Depends on #1 | DVDO0106 |
| DEVOPS-GRAPH-24-003 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. Dependencies: DEVOPS-GRAPH-24-002. | Depends on #2 | DVDO0106 |
| DEVOPS-LNM-22-001 | TODO | 2025-10-27 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Concelier Guild | ops/devops | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | Needs CCLN0102 API | DVDO0106 |
| DEVOPS-LNM-22-002 | TODO | 2025-10-27 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. Dependencies: DEVOPS-LNM-22-001. | Depends on #4 | DVDO0106 |
| DEVOPS-LNM-22-003 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. Dependencies: DEVOPS-LNM-22-002. | Depends on #5 | DVDO0106 |
| DEVOPS-OAS-61-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Wait for CCWO0101 spec | DVDO0106 |
| DEVOPS-OAS-61-002 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | Depends on #7 | DVDO0106 |
| DEVOPS-OBS-51-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Observability Guild | ops/devops | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | Wait for 045_DVDO0103 alert catalog | DVOB0101 |
| DEVOPS-OBS-52-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Timeline Indexer Guild | ops/devops | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | Needs #1 merged for shared correlation IDs | DVOB0101 |
| DEVOPS-OBS-53-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Evidence Locker Guild | ops/devops | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | Depends on DSSE API from 002_ATEL0101 | DVOB0101 |
| DEVOPS-OBS-54-001 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Security Guild | ops/devops | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. Dependencies: DEVOPS-OBS-53-001. | Requires security sign-off on cardinality budgets | DVOB0101 |
| DEVOPS-OBS-55-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Ops Guild | ops/devops | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | Relies on #4 to finalize alert dimensions | DVOB0101 |
| DEVOPS-OFFLINE-17-004 | TODO | 2025-11-23 | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Offline Guild | ops/offline-kit | Release workflow now publishes `out/release/debug`; run `mirror_debug_store.py` on the next release artefact, verify hashes, archive `metadata/debug-store.json` into the Offline Kit. | Wait for DVPL0101 compose | DVDO0107 |
| DEVOPS-OFFLINE-34-006 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Depends on #1 | DVDO0107 |
| DEVOPS-OFFLINE-37-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Needs RBRE hashes | DVDO0107 |
| DEVOPS-OFFLINE-37-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | DevOps Guild | ops/offline-kit | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Depends on #3 | DVDO0107 |
| DEVOPS-OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | Security + DevOps Guilds | ops/devops | Package the OpenSSL 1.1 shim (`tests/native/openssl-1.1/linux-x64`) into test harness output so Mongo2Go suites discover it automatically. | Wait for CRYO0101 artifacts | DVDO0107 |
| DEVOPS-OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild | ops/devops | Ensure CI runners and Docker images that execute Mongo2Go tests export `LD_LIBRARY_PATH` (or embed the shim) to unblock unattended pipelines. Dependencies: DEVOPS-OPENSSL-11-001. | Depends on #5 | DVDO0107 |
| DEVOPS-OPS-0001 | TODO | | SPRINT_318_docs_modules_devops | DevOps Ops Guild | docs/modules/devops | Sync outcomes back to ../.. | Depends on #1-6 | DVDO0107 |
| DEVOPS-ORCH-32-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · Orchestrator Guild | ops/devops | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Wait for ORTR0102 API | DVDO0108 |
| DEVOPS-ORCH-33-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | Depends on #1 | DVDO0108 |
| DEVOPS-ORCH-34-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | Depends on #2 | DVDO0108 |
| DEVOPS-POLICY-27-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · CLI Guild | ops/devops | Add CI pipeline stages to run `stella policy lint | Needs CLI lint output | DVDO0108 |
| DEVOPS-POLICY-27-002 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Policy Registry Guild | ops/devops | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. | Depends on 27-001 | DVDO0108 |
| DEVOPS-POLICY-27-003 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Security Guild | ops/devops | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. | Needs 27-002 pipeline | DVDO0108 |
| DEVOPS-POLICY-27-004 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Observability Guild | ops/devops | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. | Depends on 27-003 | DVDO0108 |
| DEVOPS-REL-17-004 | DONE | 2025-11-23 | SPRINT_506_ops_devops_iv | DevOps Release Guild | ops/devops | Release workflow now uploads `out/release/debug` as a dedicated artifact and already fails if symbols are missing; build-id manifest enforced. | Needs DVPL0101 release artifacts | DVDO0108 |
| DEVOPS-RULES-33-001 | TODO | 2025-10-30 | SPRINT_506_ops_devops_iv | DevOps · Policy Guild | ops/devops | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | Wait for CCPR0101 policy logs | DVDO0109 |
| DEVOPS-SCAN-90-004 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Scanner Guild | ops/devops | Add a CI job that runs the scanner determinism harness against the release matrix (N runs per image), uploads `determinism.json`, and fails when score < threshold; publish artifact to release notes. Dependencies: SCAN-DETER-186-009/010. | Needs SCDT0101 fixtures | DVDO0109 |
| DEVOPS-SDK-63-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · SDK Guild | ops/devops | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Depends on #2 | DVDO0109 |
| DEVOPS-SIG-26-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild · Signals Guild | ops/devops | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Wait for SGSI0101 metrics | DVDO0110 |
| DEVOPS-SIG-26-002 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | Depends on #1 | DVDO0110 |
| DEVOPS-SYMS-90-005 | TODO | | SPRINT_505_ops_devops_iii | DevOps · Symbols Guild | ops/devops | Deploy Symbols.Server (Helm/Terraform), manage MinIO/Mongo storage, configure tenant RBAC/quotas, and wire ingestion CLI into release pipelines with monitoring and backups. Dependencies: SYMS-SERVER-401-011/013. | Needs RBSY0101 bundle | DVDO0110 |
| DEVOPS-TEN-47-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps · Policy Guild | ops/devops | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | Wait for CCPR0101 policy | DVDO0110 |
| DEVOPS-TEN-48-001 | TODO | | SPRINT_506_ops_devops_iv | DevOps Guild | ops/devops | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | Depends on #4 | DVDO0110 |
| DEVOPS-TEN-49-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. Dependencies: DEVOPS-TEN-48-001. | Depends on #5 | DVDO0110 |
| DEVOPS-VEX-30-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · VEX Lens Guild | ops/devops | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | — | PLVL0103 |
| DEVOPS-VULN-29-001 | TODO | | SPRINT_507_ops_devops_v | DevOps · Vuln Guild | ops/devops | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | Needs DVPL0101 deploy | DVDO0110 |
| DEVOPS-VULN-29-002 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | Depends on #7 | DVDO0110 |
| DEVOPS-VULN-29-003 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | Depends on #8 | DVDO0110 |
| DEVOPS-ORCH-32-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Orchestrator Guild | ops/devops | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Wait for ORTR0102 API | DVDO0108 |
| DEVOPS-ORCH-33-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | Depends on #1 | DVDO0108 |
| DEVOPS-ORCH-34-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | Depends on #2 | DVDO0108 |
| DEVOPS-POLICY-27-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · CLI Guild | ops/devops | Add CI pipeline stages to run `stella policy lint | Needs CLI lint output | DVDO0108 |
| DEVOPS-POLICY-27-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Policy Registry Guild | ops/devops | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. | Depends on 27-001 | DVDO0108 |
| DEVOPS-POLICY-27-003 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Security Guild | ops/devops | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. | Needs 27-002 pipeline | DVDO0108 |
| DEVOPS-POLICY-27-004 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Observability Guild | ops/devops | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. | Depends on 27-003 | DVDO0108 |
| DEVOPS-REL-17-004 | DONE | 2025-11-23 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Release Guild | ops/devops | Release workflow now uploads `out/release/debug` as a dedicated artifact and already fails if symbols are missing; build-id manifest enforced. | Needs DVPL0101 release artifacts | DVDO0108 |
| DEVOPS-RULES-33-001 | TODO | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Policy Guild | ops/devops | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | Wait for CCPR0101 policy logs | DVDO0109 |
| DEVOPS-SCAN-90-004 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Scanner Guild | ops/devops | Add a CI job that runs the scanner determinism harness against the release matrix (N runs per image), uploads `determinism.json`, and fails when score < threshold; publish artifact to release notes. Dependencies: SCAN-DETER-186-009/010. | Needs SCDT0101 fixtures | DVDO0109 |
| DEVOPS-SDK-63-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · SDK Guild | ops/devops | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Depends on #2 | DVDO0109 |
| DEVOPS-SIG-26-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild · Signals Guild | ops/devops | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Wait for SGSI0101 metrics | DVDO0110 |
| DEVOPS-SIG-26-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | Depends on #1 | DVDO0110 |
| DEVOPS-SYMS-90-005 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps · Symbols Guild | ops/devops | Deploy Symbols.Server (Helm/Terraform), manage MinIO/Mongo storage, configure tenant RBAC/quotas, and wire ingestion CLI into release pipelines with monitoring and backups. Dependencies: SYMS-SERVER-401-011/013. | Needs RBSY0101 bundle | DVDO0110 |
| DEVOPS-TEN-47-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps · Policy Guild | ops/devops | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | Wait for CCPR0101 policy | DVDO0110 |
| DEVOPS-TEN-48-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild | ops/devops | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | Depends on #4 | DVDO0110 |
| DEVOPS-TEN-49-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. Dependencies: DEVOPS-TEN-48-001. | Depends on #5 | DVDO0110 |
| DEVOPS-VEX-30-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · VEX Lens Guild | ops/devops | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | — | PLVL0103 |
| DEVOPS-VULN-29-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps · Vuln Guild | ops/devops | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | Needs DVPL0101 deploy | DVDO0110 |
| DEVOPS-VULN-29-002 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | Depends on #7 | DVDO0110 |
| DEVOPS-VULN-29-003 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | Depends on #8 | DVDO0110 |
| DEVPORT-62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Select static site generator, integrate aggregate spec, build navigation + search scaffolding. | 62-001 | DEVL0101 |
| DEVPORT-62-002 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Implement schema viewer, example rendering, copy-curl snippets, and version selector UI. Dependencies: DEVPORT-62-001. | DEVPORT-62-001 | DEVL0101 |
| DEVPORT-63-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | Add Try-It console pointing at sandbox environment with token onboarding and scope info. Dependencies: DEVPORT-62-002. | 63-001 | DEVL0101 |
@@ -2846,9 +2846,9 @@
| DEVPORT-64-002 | TODO | | SPRINT_206_devportal | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site) | src/DevPortal/StellaOps.DevPortal.Site | Add automated accessibility tests, link checker, and performance budgets. Dependencies: DEVPORT-64-001. | | DEVL0102 |
| DOC-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Reachability Guild | `docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md` | Wait for replay evidence from 100_RBBN0101 | Wait for replay evidence from 100_RBBN0101 | DORC0101 |
| DOC-70-001 | DONE | | SPRINT_170_notifications_telemetry | Docs Guild · Notifications Guild | docs | Gather notification doc references | Validate existing notifications doc and migrate notes | DOCP0101 |
| DOCKER-44-001 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · Service Owners | ops/devops | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Wait for DVPL0101 compose merge | DVDO0111 |
| DOCKER-44-002 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | Depends on #1 | DVDO0111 |
| DOCKER-44-003 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild | ops/devops | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitor. Dependencies: DOCKER-44-002. | Requires SBOM+scan workflow from 137_SCDT0101 | DVDO0111 |
| DOCKER-44-001 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · Service Owners | ops/devops | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Wait for DVPL0101 compose merge | DVDO0111 |
| DOCKER-44-002 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | Depends on #1 | DVDO0111 |
| DOCKER-44-003 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild | ops/devops | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitor. Dependencies: DOCKER-44-002. | Requires SBOM+scan workflow from 137_SCDT0101 | DVDO0111 |
| DOCS-0001 | DONE | 2025-11-05 | SPRINT_313_docs_modules_attestor | Docs Guild | docs/modules/attestor | Confirm attestor module doc publication | Confirm attestor module doc scope | DOCP0101 |
| DOCS-0002 | TODO | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild (docs/modules/graph) | docs/modules/graph | — | — | DOCL0102 |
| DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | — | — | DOCL0102 |
@@ -3036,7 +3036,7 @@
| DOCS-VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
| DOCS-VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
| DOCS-VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_502_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
| DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
| DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
| DSSE-CLI-401-021 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | Ship a `stella attest` CLI (or sample `StellaOps.Attestor.Tool`) plus GitLab/GitHub workflow snippets that emit DSSE per build step (scan/package/push) using the new library and Authority keys. | Need CLI updates from latest DSSE release | DODS0101 |
@@ -3242,7 +3242,7 @@
| EXPORT-OAS-63 | TODO | | SPRINT_160_export_evidence | Exporter Service Guild · API Governance Guild | | Needs API governance sign-off (049_APIG0101) | Needs API governance sign-off (049_APIG0101) | AGEX0101 |
| EXPORT-OAS-63-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · SDK Guild | src/ExportCenter/StellaOps.ExportCenter | Implement deprecation headers and notifications for legacy export endpoints. Dependencies: EXPORT-OAS-62-001. | Requires #3 schema | AGEX0101 |
| EXPORT-OBS-50-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Observability Guild | src/ExportCenter/StellaOps.ExportCenter | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Wait for telemetry schema drop from 046_TLTY0101 | ECOB0101 |
| EXPORT-OBS-51-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Downstream automation awaiting assembler staffing outcome. | PROGRAM-STAFF-1001 | ECOB0101 |
| EXPORT-OBS-51-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Downstream automation awaiting assembler staffing outcome. | PROGRAM-STAFF-1001 | ECOB0101 |
| EXPORT-OBS-52-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild | src/ExportCenter/StellaOps.ExportCenter | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. Dependencies: EXPORT-OBS-51-001. | Requires shared middleware from task #1 | ECOB0101 |
| EXPORT-OBS-53-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Evidence Locker Guild | src/ExportCenter/StellaOps.ExportCenter | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. Dependencies: EXPORT-OBS-52-001. | Blocked on Evidence Locker DSSE API (002_ATEL0101) | ECOB0101 |
| EXPORT-OBS-54-001 | TODO | | SPRINT_163_exportcenter_ii | Exporter Service Guild · Provenance Guild | src/ExportCenter/StellaOps.ExportCenter | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. Dependencies: EXPORT-OBS-53-001. | PROGRAM-STAFF-1001; EXPORT-MIRROR-ORCH-1501 | ECOB0101 |
@@ -3270,8 +3270,8 @@
| FEEDCONN-CCCS-02-009 | TODO | | SPRINT_117_concelier_vi | Concelier Connector Guild CCCS (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys per the Link-Not-Merge schema/doc recipes. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-CERTBUND-02-010 | TODO | | SPRINT_117_concelier_vi | Concelier Connector Guild CertBund (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund | Translate CERT-Bund `product.Versions` phrases into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) while retaining localisation notes; update mapper/tests for Link-Not-Merge. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-CISCO-02-009 | DOING | 2025-11-08 | SPRINT_117_concelier_vi | Concelier Connector Guild Cisco (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco) | src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco | Emit Cisco SemVer ranges into the new observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. Depends on CONCELIER-LNM-21-001. | — | FEFC0101 |
| FEEDCONN-ICSCISA-02-012 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | Overdue provenance refreshes require schedule from feed owners. | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-KISA-02-008 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-ICSCISA-02-012 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | Overdue provenance refreshes require schedule from feed owners. | FEED-REMEDIATION-1001 | FEFC0101 |
| FEEDCONN-KISA-02-008 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | FEFC0101 |
| FORENSICS-53-001 | TODO | | SPRINT_202_cli_ii | Forensics Guild | src/Cli/StellaOps.Cli | Replay data set | Replay data set | FONS0101 |
| FORENSICS-53-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Forensics Guild | | FORENSICS-53-001 | FORENSICS-53-001 | FONS0101 |
| FORENSICS-53-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Forensics Guild | | FORENSICS-53-001 | FORENSICS-53-001 | FONS0101 |
@@ -3326,10 +3326,10 @@
| GRAPH-INDEX-28-010 | TODO | | SPRINT_0140_0001_0001_runtime_signals | — | | Packaging/offline bundles paused until upstream graph jobs are available to embed. | — | ORGR0101 |
| GRAPH-INDEX-28-011 | TODO | 2025-11-04 | SPRINT_0207_0001_0001_graph | Graph Index Guild | src/Graph/StellaOps.Graph.Indexer | Wire SBOM ingest runtime to emit graph snapshot artifacts, add DI factory helpers, and document Mongo/snapshot environment guidance. Dependencies: GRAPH-INDEX-28-002..006. | GRSC0101 outputs | GRIX0101 |
| GRAPH-OPS-0001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_321_docs_modules_graph | Ops Guild | docs/modules/graph | Review graph observability dashboards/runbooks after the next sprint demo. | GRUI0101 | GRDG0101 |
| HELM-45-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | | | GRIX0101 |
| HELM-45-002 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild, Security Guild (ops/deployment) | ops/deployment | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. Dependencies: HELM-45-001. | | GRIX0101 |
| HELM-45-003 | TODO | | SPRINT_502_ops_deployment_ii | Deployment Guild, Observability Guild (ops/deployment) | ops/deployment | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. Dependencies: HELM-45-002. | | GRIX0101 |
| ICSCISA-02-012 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | CCFD0101 |
| HELM-45-001 | TODO | | SPRINT_0501_0001_0001_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | | | GRIX0101 |
| HELM-45-002 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild, Security Guild (ops/deployment) | ops/deployment | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. Dependencies: HELM-45-001. | | GRIX0101 |
| HELM-45-003 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Deployment Guild, Observability Guild (ops/deployment) | ops/deployment | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. Dependencies: HELM-45-002. | | GRIX0101 |
| ICSCISA-02-012 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | FEED-REMEDIATION-1001 | FEED-REMEDIATION-1001 | CCFD0101 |
| IMP-56-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | Harden base importer pipeline. | EXAG0101 | GRIX0101 |
| IMP-56-002 | TODO | | SPRINT_510_airgap | AirGap Importer + Security Guilds | src/AirGap/StellaOps.AirGap.Importer | IMP-56-001 | IMP-56-001 | IMIM0101 |
| IMP-57-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | IMP-56-002 | IMP-56-002 | IMIM0101 |
@@ -3351,7 +3351,7 @@
| INSTALL-46-001 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Security Guild | | INSTALL-45-001 | INSTALL-45-001 | INST0101 |
| INSTALL-50-001 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Support Guild | | INSTALL-44-001 | INSTALL-44-001 | INST0101 |
| KEV providers` | TODO | | SPRINT_115_concelier_iv | Concelier Core + Risk Engine Guilds (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | src/Concelier/__Libraries/StellaOps.Concelier.Core | Surface vendor-provided CVSS/KEV/fix data exactly as published (with provenance anchors) through provider APIs so risk engines can reason about upstream intent. | ICSCISA-02-012 | CCFD0101 |
| KISA-02-008 | BLOCKED | | SPRINT_503_ops_devops_i | Concelier Feed Owners | | | FEED-REMEDIATION-1001 | LATC0101 |
| KISA-02-008 | BLOCKED | | SPRINT_0503_0001_0001_ops_devops_i | Concelier Feed Owners | | | FEED-REMEDIATION-1001 | LATC0101 |
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
| LATTICE-401-023 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
@@ -3409,12 +3409,12 @@
| LNM-22-005 | BLOCKED (2025-10-27) | 2025-10-27 | SPRINT_305_docs_tasks_md_v | Docs + UI Guild | | Docs update for UI flows. | DOCS-LNM-22-004 | IMPT0101 |
| LNM-22-007 | TODO | | SPRINT_305_docs_tasks_md_v | Docs Guild · Observability Guild | docs/modules/concelier/link-not-merge.md | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. Dependencies: DOCS-LNM-22-005. | DOCS-LNM-22-005 | DOLN0102 |
| LNM-22-008 | DONE | 2025-11-03 | SPRINT_117_concelier_vi | Docs Guild · DevOps Guild | docs/modules/concelier/link-not-merge.md | Document Link-Not-Merge migration playbook updates in `docs/migration/no-merge.md`, including rollback guidance. | LNM-22-007 | DOLN0102 |
| MIRROR-CRT-56-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild | | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | PROGRAM-STAFF-1001 | ATMI0101 |
| MIRROR-CRT-56-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator · Security Guilds | | DSSE/TUF metadata follows assembler baseline. | MIRROR-CRT-56-001; MIRROR-DSSE-REV-1501; PROV-OBS-53-001 | ATMI0101 |
| MIRROR-CRT-57-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | OCI/time-anchor workstreams blocked pending assembler + time contract. | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-57-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-58-001 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | CLI + Export automation depends on assembler and DSSE/TUF track. | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-58-002 | TODO | | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-56-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild | | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | PROGRAM-STAFF-1001 | ATMI0101 |
| MIRROR-CRT-56-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator · Security Guilds | | DSSE/TUF metadata follows assembler baseline. | MIRROR-CRT-56-001; MIRROR-DSSE-REV-1501; PROV-OBS-53-001 | ATMI0101 |
| MIRROR-CRT-57-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | OCI/time-anchor workstreams blocked pending assembler + time contract. | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-57-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · AirGap Time Guild | | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | MIRROR-CRT-56-001; AIRGAP-TIME-CONTRACT-1501; AIRGAP-TIME-57-001 | ATMI0101 |
| MIRROR-CRT-58-001 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | CLI + Export automation depends on assembler and DSSE/TUF track. | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MIRROR-CRT-58-002 | TODO | | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild | | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
| MTLS-11-002 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild | src/Authority/StellaOps.Authority | Refresh grants enforce original client cert, tokens persist `x5t#S256` metadata, docs updated. | AUTH-DPOP-11-001 | AUIN0102 |
| NATIVE-401-015 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native` | Bootstrap Symbols.Native + CallGraph.Native scaffolding and coverage fixtures. | Needs replay requirements from DORR0101 | SCNA0101 |
| NOTIFY-38-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
@@ -3466,30 +3466,30 @@
| OBS-50-002 | DOING | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | | Roll out collectors/helm overlays + regression tests for exporters. | Needs 50-001 baseline in main | |
| OBS-50-003 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | | Update collector deployment + metrics catalog docs. | Needs scrubber decisions from TLTY0102 | |
| OBS-50-004 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | | Add SOP for telemetry scrub policies + troubleshooting. | Requires 50-003 outline | |
| OBS-51-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Build SLO bus + queue depth metrics feeding CLI/exporter dashboards. | PROGRAM-STAFF-1001 | |
| OBS-51-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Build SLO bus + queue depth metrics feeding CLI/exporter dashboards. | PROGRAM-STAFF-1001 | |
| OBS-51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | | Enable shadow-mode evaluators + roll into main collectors. | Depends on 51-001 shadow mode | |
| OBS-52-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit ingest latency/queue/AOC metrics with burn-rate alerts. | Needs ATLN0101 schema | |
| OBS-52-002 | TODO | | SPRINT_160_export_evidence | Timeline Indexer Guild | | Configure streaming pipeline (retention/partitioning/backpressure). | Needs Concelier metrics | |
| OBS-52-003 | TODO | | SPRINT_160_export_evidence | Timeline Indexer Guild | | Add CI validation + schema enforcement for timeline events. | Depends on 52-002 | |
| OBS-52-004 | TODO | | SPRINT_160_export_evidence | Timeline Indexer + Security Guilds | | Harden stream (auth, encryption) + produce DSSE proofs. | Requires 52-003 outputs | |
| OBS-53-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Establish provenance SLO signals + exporter hooks. | PROGRAM-STAFF-1001 | |
| OBS-53-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Establish provenance SLO signals + exporter hooks. | PROGRAM-STAFF-1001 | |
| OBS-53-002 | TODO | | SPRINT_0513_0001_0001_provenance | Provenance + Security Guild | src/Provenance/StellaOps.Provenance.Attestation | Add attestation metrics/log scrubbers in Provenance.Attestation. | Depends on 53-001 | |
| OBS-53-003 | TODO | | SPRINT_0513_0001_0001_provenance | Provenance Guild | src/Provenance/StellaOps.Provenance.Attestation | Ship dashboards/tests proving attestation observability. | Requires 53-002 outputs | |
| OBS-54-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Provenance Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Needs shared exporter from 1039_EXPORT-OBS-54-001 | Needs shared exporter from 1039_EXPORT-OBS-54-001 | CNOB0101 |
| OBS-54-002 | TODO | | SPRINT_161_evidencelocker | Evidence Locker Guild | `src/EvidenceLocker/StellaOps.EvidenceLocker` | Add metrics/logs/alerts for Evidence Locker flows. | Needs provenance metrics | |
| OBS-55-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core & DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Refresh ops automation/runbooks referencing new metrics. | Depends on 52-001 outputs | |
| OBS-56-001 | TODO | | SPRINT_174_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | Produce air-gap collector bundle + signed configs/tests. | Needs telemetry baseline from TLTY0102 | |
| OFFLINE-17-004 | BLOCKED | 2025-10-26 | SPRINT_508_ops_offline_kit | Offline Kit Guild · DevOps Guild | ops/offline-kit | Repackage release-17 bundle with new DSSE receipts + verification logs. | Needs PROGRAM-STAFF-1001 approvals | |
| OFFLINE-34-006 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Orchestrator Guild | ops/offline-kit | Add orchestrator automation bundle + docs to kit. | Requires mirror time anchors | |
| OFFLINE-37-001 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Exporter Guild | ops/offline-kit | Ship export evidence bundle + checksum manifests. | Depends on Export Center artefacts | |
| OFFLINE-37-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Notifications Guild | ops/offline-kit | Bundle notifier templates + channel configs for offline ops. | Needs notifier templates from NOIA0101 | |
| OFFLINE-CONTAINERS-46-001 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit + Deployment Guild | ops/offline-kit | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Requires container hardening guidance | |
| OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild · Build Infra Guild | ops/devops | Rebuild OpenSSL libs + publish reproducible logs/tarballs. | Needs patched toolchain spec | |
| OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_505_ops_devops_iii | DevOps Guild · CI Guild | ops/devops | Update CI images + pipelines with new OpenSSL packages and smoke tests. | Depends on 11-001 artefacts | |
| OFFLINE-17-004 | BLOCKED | 2025-10-26 | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild · DevOps Guild | ops/offline-kit | Repackage release-17 bundle with new DSSE receipts + verification logs. | Needs PROGRAM-STAFF-1001 approvals | |
| OFFLINE-34-006 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Orchestrator Guild | ops/offline-kit | Add orchestrator automation bundle + docs to kit. | Requires mirror time anchors | |
| OFFLINE-37-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Exporter Guild | ops/offline-kit | Ship export evidence bundle + checksum manifests. | Depends on Export Center artefacts | |
| OFFLINE-37-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Notifications Guild | ops/offline-kit | Bundle notifier templates + channel configs for offline ops. | Needs notifier templates from NOIA0101 | |
| OFFLINE-CONTAINERS-46-001 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit + Deployment Guild | ops/offline-kit | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Requires container hardening guidance | |
| OPENSSL-11-001 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · Build Infra Guild | ops/devops | Rebuild OpenSSL libs + publish reproducible logs/tarballs. | Needs patched toolchain spec | |
| OPENSSL-11-002 | TODO | 2025-11-06 | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild · CI Guild | ops/devops | Update CI images + pipelines with new OpenSSL packages and smoke tests. | Depends on 11-001 artefacts | |
| OPS-0001 | DONE | 2025-11-07 | SPRINT_333_docs_modules_excititor | Ops Guild (docs/modules/excitor) | docs/modules/excitor | | | |
| OPS-ENV-01 | TODO | | SPRINT_507_ops_devops_v | DevOps Guild · Scanner Guild | ops/devops | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | Needs finalized Surface.Env schema | |
| OPS-SECRETS-01 | TODO | | SPRINT_507_ops_devops_v | DevOps + Security Guild | ops/devops | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | Depends on env updates | |
| OPS-SECRETS-02 | TODO | | SPRINT_507_ops_devops_v | DevOps + Offline Kit Guild | ops/devops | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. Dependencies: OPS-SECRETS-01. | Requires 01 workflow | |
| OPS-ENV-01 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps Guild · Scanner Guild | ops/devops | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | Needs finalized Surface.Env schema | |
| OPS-SECRETS-01 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps + Security Guild | ops/devops | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | Depends on env updates | |
| OPS-SECRETS-02 | TODO | | SPRINT_0507_0001_0001_ops_devops_v | DevOps + Offline Kit Guild | ops/devops | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. Dependencies: OPS-SECRETS-01. | Requires 01 workflow | |
| ORCH-32-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
| ORCH-32-002 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
| ORCH-33-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | — | — | ORGR0102 |
@@ -3523,7 +3523,7 @@
| ORCH-OPS-0001 | DONE | | SPRINT_0323_0001_0001_docs_modules_orchestrator | Ops Guild | docs/modules/orchestrator | Review orchestrator runbooks/observability checklists post-demo. | Requires obs/export docs | |
| PACKS-42-001 | TODO | | SPRINT_0121_0001_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs, digestable exports for pack simulation + CLI offline mode. | Needs ORSC0104 event IDs | |
| PACKS-43-001 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Packs Guild · Authority Guild | src/Authority/StellaOps.Authority | Canonical pack bundle + docs for release 43. | AUTH-PACKS-41-001; TASKRUN-42-001; ORCH-SVC-42-101 | |
| PACKS-43-002 | TODO | | SPRINT_508_ops_offline_kit | Offline Kit Guild, Packs Registry Guild (ops/offline-kit) | ops/offline-kit | | | |
| PACKS-43-002 | TODO | | SPRINT_0508_0001_0001_ops_offline_kit | Offline Kit Guild, Packs Registry Guild (ops/offline-kit) | ops/offline-kit | | | |
| PACKS-REG-41-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Implement registry service, migrations for `packs_index`, `parity_matrix`, provenance docs; support pack upload/list/get, signature verification, RBAC enforcement, and provenance manifest storage. | Needs ORSC0104 event feeds | |
| PACKS-REG-42-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Add version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, and Offline Kit seed support. Dependencies: PACKS-REG-41-001. | Depends on 41-001 | |
| PACKS-REG-43-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0154_0001_0001_packsregistry | Packs Registry Guild | src/PacksRegistry/StellaOps.PacksRegistry | Implement registry mirroring, pack signing policies, attestation integration, and compliance dashboards; integrate with Export Center. Dependencies: PACKS-REG-42-001. | Needs 42-001 | |
@@ -3709,7 +3709,7 @@
| REGISTRY-API-27-008 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history | REGISTRY-API-27-007 | |
| REGISTRY-API-27-009 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild, Observability Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Instrument metrics/logs/traces | REGISTRY-API-27-008 | |
| REGISTRY-API-27-010 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Registry Guild, QA Guild / src/Policy/StellaOps.Policy.Registry | src/Policy/StellaOps.Policy.Registry | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI | REGISTRY-API-27-009 | |
| REL-17-004 | BLOCKED | 2025-10-26 | SPRINT_506_ops_devops_iv | DevOps Guild (ops/devops) | ops/devops | | | |
| REL-17-004 | BLOCKED | 2025-10-26 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild (ops/devops) | ops/devops | | | |
| REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | | | |
| REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild, Platform Data Guild (docs) | | | | |
| REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild (docs) | | | | |
@@ -3755,7 +3755,7 @@
| RISK-ENGINE-69-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Add telemetry | RISK-ENGINE-69-001 | |
| RISK-ENGINE-70-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Export Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Support offline provider bundles with manifest verification and missing-data reporting | RISK-ENGINE-69-002 | |
| RISK-ENGINE-70-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Integrate runtime evidence provider and reachability provider outputs with caching + TTL | RISK-ENGINE-70-001 | |
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_506_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
| RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | | | |
| RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
@@ -3784,7 +3784,7 @@
| SBOM-VULN-29-001 | TODO | | SPRINT_0140_0001_0001_runtime_signals | | | Inventory evidence feed deferred until projection schema + runtime align. | | |
| SBOM-VULN-29-002 | TODO | | SPRINT_0140_0001_0001_runtime_signals | | | Resolver feed requires 29-001 event payloads. | | |
| SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | | | |
| SCAN-90-004 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild, Scanner Guild (ops/devops) | ops/devops | | | |
| SCAN-90-004 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild, Scanner Guild (ops/devops) | ops/devops | | | |
| SCAN-DETER-186-008 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild · Provenance Guild | `src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker` | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | ENTROPY-186-012 & SCANNER-ENV-02 | SCDE0102 |
| SCAN-DETER-186-009 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`) | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | | |
| SCAN-DETER-186-010 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`) | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md` | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | | |
@@ -4128,7 +4128,7 @@
| SVC-43-001 | TODO | | SPRINT_164_exportcenter_iii | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter) | src/ExportCenter/StellaOps.ExportCenter | | | |
| SYM-007 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild & Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | | | |
| SYMS-70-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild, Symbols Guild (docs) | | | | |
| SYMS-90-005 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild, Symbols Guild (ops/devops) | ops/devops | | | |
| SYMS-90-005 | TODO | | SPRINT_0505_0001_0001_ops_devops_iii | DevOps Guild, Symbols Guild (ops/devops) | ops/devops | | | |
| SYMS-BUNDLE-401-014 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · Ops | `src/Symbols/StellaOps.Symbols.Bundle`, `ops` | Produce deterministic symbol bundles for air-gapped installs (`symbols bundle create | Depends on #1 | RBSY0101 |
| SYMS-CLIENT-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · Scanner Guild | `src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer` | Ship `StellaOps.Symbols.Client` SDK (resolve/upload APIs, platform key derivation for ELF/PDB/Mach-O/JVM/Node, disk LRU cache) and integrate with Scanner.Symbolizer/runtime probes (ref. `docs/specs/SYMBOL_MANIFEST_v1.md`). | Depends on #3 | RBSY0101 |
| SYMS-INGEST-401-013 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild · DevOps Guild | `src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md` | Build `symbols ingest` CLI to emit DSSE-signed `SymbolManifest v1`, upload blobs, and register Rekor entries; document GitLab/Gitea pipeline usage. | Needs manifest updates from #1 | RBSY0101 |
@@ -4162,7 +4162,7 @@
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
| TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TIME-57-001 | TODO | | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
| TIME-58-002 | TODO | | SPRINT_510_airgap | AirGap Time Guild · Notifications Guild | src/AirGap/StellaOps.AirGap.Time | TIME-58-001 | TIME-58-001 | AGTM0101 |