stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Remove obsolete test projects and associated test files for StellaOps.Replay.Core and StellaOps.Gateway.WebService. This includes the deletion of various test classes, project files, and related resources to streamline the codebase and improve maintainability.

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 22:03:32 +02:00
parent 9a4cd2e0f7
commit 6af4e16d7c
531 changed files with 13000 additions and 15607 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_015_AI_zastava_companion.md Normal file
View File

@@ -0,0 +1,85 @@
# Sprint 20251226 · Zastava Companion (Evidence-Grounded Explainability)
## Topic & Scope
- Build AI-powered explanation service that answers "What is it?", "Why it matters here?", "What evidence supports exploitability?"
- All explanations must be anchored to evidence nodes (SBOM, reachability, runtime, VEX, patches)
- Produce OCI-attached "Explanation Attestation" with inputs' hashes + model digest for replayability
- **Working directory:** `src/AdvisoryAI/`, `src/Attestor/`, `src/Web/`
## Dependencies & Concurrency
- Depends on: Existing AdvisoryAI pipeline infrastructure (COMPLETE).
- Depends on: ProofChain library for attestation generation (COMPLETE).
- Can run in parallel with: SPRINT_20251226_016_AI_remedy_autopilot.
## Documentation Prerequisites
- `src/AdvisoryAI/AGENTS.md`
- `docs/modules/attestor/proof-chain-specification.md`
- AI Assistant Advisory (this sprint's source)
## Context: What Already Exists
The following components are **already implemented**:
| Component | Location | Status |
|-----------|----------|--------|
| Pipeline Orchestrator | `AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs` | COMPLETE |
| Guardrail Pipeline | `AdvisoryAI/Guardrails/AdvisoryGuardrailPipeline.cs` | COMPLETE |
| Inference Client | `AdvisoryAI/Inference/AdvisoryInferenceClient.cs` | COMPLETE |
| SBOM Context Retrieval | `AdvisoryAI/Retrievers/SbomContextRetriever.cs` | COMPLETE |
| Vector Retrieval | `AdvisoryAI/Retrievers/AdvisoryVectorRetriever.cs` | COMPLETE |
| Structured Retrieval | `AdvisoryAI/Retrievers/AdvisoryStructuredRetriever.cs` | COMPLETE |
| Citation Enforcement | `AdvisoryGuardrailPipeline` (RequireCitations) | COMPLETE |
| Proof Bundle Generation | `Policy/TrustLattice/ProofBundleBuilder.cs` | COMPLETE |
This sprint extends AdvisoryAI with explanation generation and attestation.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ZASTAVA-01 | DONE | None | AdvisoryAI Guild | Define `ExplanationRequest` model: finding_id, artifact_digest, scope, explanation_type (what/why/evidence/counterfactual) |
| 2 | ZASTAVA-02 | DONE | ZASTAVA-01 | AdvisoryAI Guild | Create `IExplanationGenerator` interface with `GenerateAsync(ExplanationRequest)` |
| 3 | ZASTAVA-03 | DONE | ZASTAVA-02 | AdvisoryAI Guild | Implement `EvidenceAnchoredExplanationGenerator` that retrieves evidence nodes before LLM call |
| 4 | ZASTAVA-04 | DONE | ZASTAVA-03 | AdvisoryAI Guild | Create evidence retrieval service combining: SBOM context, reachability subgraph, runtime facts, VEX claims, patch metadata |
| 5 | ZASTAVA-05 | DONE | ZASTAVA-04 | AdvisoryAI Guild | Define prompt templates for each explanation type (what/why/evidence/counterfactual) |
| 6 | ZASTAVA-06 | DONE | ZASTAVA-04 | AdvisoryAI Guild | Implement evidence anchor extraction from LLM response (parse citations, validate against input evidence) |
| 7 | ZASTAVA-07 | DONE | ZASTAVA-06 | AdvisoryAI Guild | Create `ExplanationResult` model with: content, citations[], confidence, evidence_refs[], metadata |
| 8 | ZASTAVA-08 | DONE | None | Attestor Guild | Define `AIExplanation` predicate type for in-toto statement (Implemented in SPRINT_018) |
| 9 | ZASTAVA-09 | DONE | ZASTAVA-08 | Attestor Guild | Create `ExplanationAttestationBuilder` producing DSSE-wrapped explanation attestations (via SPRINT_018) |
| 10 | ZASTAVA-10 | DONE | ZASTAVA-09 | Attestor Guild | Add `application/vnd.stellaops.explanation+json` media type for OCI referrers (via SPRINT_018) |
| 11 | ZASTAVA-11 | DONE | ZASTAVA-07 | AdvisoryAI Guild | Implement replay manifest for explanations: input_hashes, prompt_template_version, model_digest, decoding_params |
| 12 | ZASTAVA-12 | DONE | ZASTAVA-09 | ExportCenter Guild | Push explanation attestations as OCI referrers via `AIAttestationOciPublisher.PublishExplanationAsync` |
| 13 | ZASTAVA-13 | DONE | ZASTAVA-07 | WebService Guild | API endpoint `POST /api/v1/advisory/explain` returning ExplanationResult |
| 14 | ZASTAVA-14 | DONE | ZASTAVA-13 | WebService Guild | API endpoint `GET /api/v1/advisory/explain/{id}/replay` for re-running explanation with same inputs |
| 15 | ZASTAVA-15 | DONE | ZASTAVA-13 | FE Guild | "Explain" button component triggering explanation generation |
| 16 | ZASTAVA-16 | DONE | ZASTAVA-15 | FE Guild | Explanation panel showing: plain language explanation, linked evidence nodes, confidence indicator |
| 17 | ZASTAVA-17 | DONE | ZASTAVA-16 | FE Guild | Evidence drill-down: click citation → expand to full evidence node detail |
| 18 | ZASTAVA-18 | DONE | ZASTAVA-16 | FE Guild | Toggle: "Explain like I'm new" expanding jargon to plain language |
| 19 | ZASTAVA-19 | DONE | ZASTAVA-11 | Testing Guild | Integration tests: explanation generation with mocked LLM, evidence anchoring validation |
| 20 | ZASTAVA-20 | DONE | ZASTAVA-19 | Testing Guild | Golden tests: deterministic explanation replay produces identical output |
| 21 | ZASTAVA-21 | DONE | All above | Docs Guild | Document explanation API, attestation format, replay semantics |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Assistant Advisory analysis; extends existing AdvisoryAI with explanation generation. | Project Mgmt |
| 2025-12-26 | ZASTAVA-01 to ZASTAVA-07: Implemented ExplanationRequest, ExplanationResult, IExplanationGenerator, IEvidenceRetrievalService, EvidenceAnchoredExplanationGenerator with citation extraction and validation. | Claude Code |
| 2025-12-26 | ZASTAVA-05: Created ExplanationPromptTemplates with what/why/evidence/counterfactual/full templates and DefaultExplanationPromptService. | Claude Code |
| 2025-12-26 | ZASTAVA-08 to ZASTAVA-11: AI attestation predicates and replay infrastructure covered by SPRINT_018. | Claude Code |
| 2025-12-26 | ZASTAVA-13, ZASTAVA-14: Added POST /v1/advisory-ai/explain and GET /v1/advisory-ai/explain/{id}/replay endpoints. | Claude Code |
| 2025-12-26 | ZASTAVA-12: OCI push via AIAttestationOciPublisher.PublishExplanationAsync implemented in ExportCenter. | Claude Code |
| 2025-12-26 | ZASTAVA-19: Created ExplanationGeneratorIntegrationTests.cs with mocked LLM and evidence anchoring tests. | Claude Code |
| 2025-12-26 | ZASTAVA-20: Created ExplanationReplayGoldenTests.cs verifying deterministic replay produces identical output. | Claude Code |
| 2025-12-26 | ZASTAVA-21: Created docs/modules/advisory-ai/guides/explanation-api.md documenting explanation types, API endpoints, attestation format (DSSE), replay semantics, evidence types, authority classification, and 3-line summary format. | Claude Code |
| 2025-12-26 | ZASTAVA-15 to ZASTAVA-18: Created Angular 17 standalone components: `explain-button.component.ts` (triggers explanation with loading state), `explanation-panel.component.ts` (3-line summary, citations, confidence, authority badge), `evidence-drilldown.component.ts` (citation detail expansion with verification status), `plain-language-toggle.component.ts` (jargon toggle switch). Extended `advisory-ai.models.ts` with TypeScript interfaces. | Claude Code |
| 2025-12-26 | Sprint completed - all 21 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- Decision needed: LLM model for explanations (Claude/GPT-4/Llama). Recommend: configurable, default to Claude for quality.
- Decision needed: Confidence thresholds for "Evidence-backed" vs "Suggestion-only" labels. Recommend: ≥80% citations valid → evidence-backed.
- Risk: LLM hallucinations. Mitigation: enforce citation validation; reject explanations with unanchored claims.
- Risk: Latency for real-time explanations. Mitigation: cache explanations by input hash; async generation for batch.
## Next Checkpoints
- 2025-12-30 | ZASTAVA-07 complete | Explanation generation service functional |
- 2026-01-03 | ZASTAVA-12 complete | OCI-attached attestations working |
- 2026-01-06 | ZASTAVA-21 complete | Full documentation and tests |

91
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_016_AI_remedy_autopilot.md Normal file
View File

@@ -0,0 +1,91 @@
# Sprint 20251226 · Remedy Autopilot (Safe PRs)
## Topic & Scope
- Build AI-powered remediation service that generates actionable fix plans (dependency bumps, base image upgrades, config changes, backport guidance)
- Implement automated PR generation with reproducible build verification, tests, SBOM delta, and signed delta verdict
- Fallback to "suggestion-only" when build/tests fail
- **Working directory:** `src/AdvisoryAI/`, `src/Policy/`, `src/Attestor/`, `src/__Libraries/StellaOps.DeltaVerdict/`
## Dependencies & Concurrency
- Depends on: DeltaVerdict library (COMPLETE).
- Depends on: Existing RemediationHintsRegistry (COMPLETE).
- Depends on: ZASTAVA Companion for explanation generation (can run in parallel).
- Can run in parallel with: SPRINT_20251226_017_AI_policy_copilot.
## Documentation Prerequisites
- `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/RemediationHintsRegistry.cs`
- `src/__Libraries/StellaOps.DeltaVerdict/` (delta computation)
- AI Assistant Advisory (this sprint's source)
## Context: What Already Exists
The following components are **already implemented**:
| Component | Location | Status |
|-----------|----------|--------|
| Remediation Hints Registry | `Policy.Unknowns/Services/RemediationHintsRegistry.cs` | COMPLETE |
| Delta Computation Engine | `StellaOps.DeltaVerdict/DeltaComputationEngine.cs` | COMPLETE |
| Delta Signing Service | `StellaOps.DeltaVerdict/Signing/DeltaSigningService.cs` | COMPLETE |
| SBOM Diff | `SbomService` lineage tracking | COMPLETE |
| Attestor DSSE | `Attestor.ProofChain/Signing/ProofChainSigner.cs` | COMPLETE |
| AdvisoryAI Pipeline | `AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs` | COMPLETE |
This sprint extends the system with AI-generated remediation plans and automated PR integration.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REMEDY-01 | DONE | None | AdvisoryAI Guild | Define `RemediationPlanRequest` model: finding_id, artifact_digest, remediation_type (bump/upgrade/config/backport) |
| 2 | REMEDY-02 | DONE | REMEDY-01 | AdvisoryAI Guild | Create `IRemediationPlanner` interface with `GeneratePlanAsync(RemediationPlanRequest)` |
| 3 | REMEDY-03 | DONE | REMEDY-02 | AdvisoryAI Guild | Implement `AiRemediationPlanner` using LLM with package registry context (npm, PyPI, NuGet, Maven) |
| 4 | REMEDY-04 | DONE | REMEDY-03 | AdvisoryAI Guild | Create package version resolver service to validate upgrade paths (check compatibility, breaking changes) |
| 5 | REMEDY-05 | DONE | REMEDY-04 | AdvisoryAI Guild | Define `RemediationPlan` model: steps[], expected_sbom_delta, risk_assessment, test_requirements |
| 6 | REMEDY-06 | DONE | None | Attestor Guild | Define `RemediationPlan` predicate type for in-toto statement (via SPRINT_018 AI attestations) |
| 7 | REMEDY-07 | DONE | REMEDY-06 | Attestor Guild | Create `RemediationPlanAttestationBuilder` for DSSE-wrapped plans (via SPRINT_018) |
| 8 | REMEDY-08 | DONE | REMEDY-05 | Integration Guild | Define `IPullRequestGenerator` interface for SCM integration |
| 9 | REMEDY-09 | DONE | REMEDY-08 | Integration Guild | Implement `GitHubPullRequestGenerator` for GitHub repositories |
| 10 | REMEDY-10 | DONE | REMEDY-08 | Integration Guild | Implement `GitLabMergeRequestGenerator` for GitLab repositories |
| 11 | REMEDY-11 | DONE | REMEDY-08 | Integration Guild | Implement `AzureDevOpsPullRequestGenerator` for Azure DevOps |
| 12 | REMEDY-12 | DONE | REMEDY-09 | Integration Guild | PR branch creation - GiteaPullRequestGenerator.CreatePullRequestAsync (Gitea API) |
| 13 | REMEDY-13 | DONE | REMEDY-12 | Integration Guild | Build verification - GetCommitStatusAsync polls Gitea Actions status |
| 14 | REMEDY-14 | DONE | REMEDY-13 | Integration Guild | Test verification - MapToTestResult from commit status |
| 15 | REMEDY-15 | DONE | REMEDY-14 | DeltaVerdict Guild | SBOM delta computation - RemediationDeltaService.ComputeDeltaAsync |
| 16 | REMEDY-16 | DONE | REMEDY-15 | DeltaVerdict Guild | Generate signed delta verdict - RemediationDeltaService.SignDeltaAsync |
| 17 | REMEDY-17 | DONE | REMEDY-16 | Integration Guild | PR description generator - RemediationDeltaService.GeneratePrDescriptionAsync |
| 18 | REMEDY-18 | DONE | REMEDY-14 | AdvisoryAI Guild | Fallback logic: if build/tests fail, mark as "suggestion-only" with failure reason |
| 19 | REMEDY-19 | DONE | REMEDY-17 | WebService Guild | API endpoint `POST /api/v1/remediation/plan` returning RemediationPlan |
| 20 | REMEDY-20 | DONE | REMEDY-19 | WebService Guild | API endpoint `POST /api/v1/remediation/apply` triggering PR generation |
| 21 | REMEDY-21 | DONE | REMEDY-20 | WebService Guild | API endpoint `GET /api/v1/remediation/status/{pr_id}` for tracking PR status |
| 22 | REMEDY-22 | DONE | REMEDY-19 | FE Guild | "Auto-fix" button component initiating remediation workflow |
| 23 | REMEDY-23 | DONE | REMEDY-22 | FE Guild | Remediation plan preview: show proposed changes, expected delta, risk assessment |
| 24 | REMEDY-24 | DONE | REMEDY-23 | FE Guild | PR status tracker: build status, test results, delta verdict badge |
| 25 | REMEDY-25 | DONE | REMEDY-18 | Testing Guild | Integration tests: plan generation, PR creation (mocked SCM), fallback handling |
| 26 | REMEDY-26 | DONE | All above | Docs Guild | Document remediation API, SCM integration setup, delta verdict semantics |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Assistant Advisory analysis; builds on existing RemediationHintsRegistry and DeltaVerdict. | Project Mgmt |
| 2025-12-26 | REMEDY-01 to REMEDY-05: Implemented RemediationPlanRequest, RemediationPlan, IRemediationPlanner, AiRemediationPlanner, IPackageVersionResolver. | Claude Code |
| 2025-12-26 | REMEDY-08 to REMEDY-11: Created IPullRequestGenerator interface and implementations for GitHub, GitLab, Azure DevOps. | Claude Code |
| 2025-12-26 | REMEDY-18 to REMEDY-21: Added fallback logic in planner and API endpoints for plan/apply/status. | Claude Code |
| 2025-12-26 | REMEDY-25: Created RemediationIntegrationTests.cs with tests for plan generation, PR creation (mocked SCM), risk assessment, fallback handling (build/test failures), and confidence scoring. | Claude Code |
| 2025-12-26 | REMEDY-15, REMEDY-16, REMEDY-17: Implemented RemediationDeltaService.cs with IRemediationDeltaService interface. ComputeDeltaAsync computes SBOM delta from plan's expected changes. SignDeltaAsync creates signed delta verdict with DSSE envelope. GeneratePrDescriptionAsync generates markdown PR description with risk assessment, changes, delta verdict table, and attestation block. | Claude Code |
| 2025-12-26 | REMEDY-12, REMEDY-13, REMEDY-14: Created GiteaPullRequestGenerator.cs for Gitea SCM. CreatePullRequestAsync creates branch via Gitea API, updates files, creates PR. GetStatusAsync polls commit status from Gitea Actions (build-test-deploy.yml already runs on pull_request). Build/test verification via GetCommitStatusAsync mapping to BuildResult/TestResult. | Claude Code |
| 2025-12-26 | REMEDY-09, REMEDY-10, REMEDY-11, REMEDY-12: Refactored to unified plugin architecture. Created `ScmConnector/` with: `IScmConnectorPlugin` interface, `IScmConnector` operations, `ScmConnectorBase` shared HTTP/JSON handling. Implemented all four connectors: `GitHubScmConnector` (Bearer token, check-runs), `GitLabScmConnector` (PRIVATE-TOKEN, pipelines/jobs), `AzureDevOpsScmConnector` (Basic PAT auth, Azure Pipelines builds), `GiteaScmConnector` (token auth, Gitea Actions). `ScmConnectorCatalog` provides factory pattern with auto-detection from repository URL. DI registration via `AddScmConnectors()`. All connectors share: branch creation, file update, PR create/update/close, CI status polling, comment addition. | Claude Code |
| 2025-12-26 | REMEDY-26: Created `etc/scm-connectors.yaml.sample` with comprehensive configuration for all four connectors (GitHub, GitLab, Azure DevOps, Gitea) including auth, rate limiting, retry, PR settings, CI polling, security, and telemetry. Created `docs/modules/advisory-ai/guides/scm-connector-plugins.md` documenting plugin architecture, interfaces, configuration, usage examples, CI state mapping, URL auto-detection, custom plugin creation, error handling, and security considerations. | Claude Code |
| 2025-12-26 | REMEDY-22 to REMEDY-24: Created Angular 17 standalone components: `autofix-button.component.ts` (strategy dropdown: upgrade/patch/workaround), `remediation-plan-preview.component.ts` (step-by-step plan with risk assessment, code diffs, impact analysis), `pr-tracker.component.ts` (PR status, CI checks, review status, timeline). Extended `advisory-ai.models.ts` with RemediationPlan, RemediationStep, PullRequestInfo interfaces. | Claude Code |
| 2025-12-26 | Sprint completed - all 26 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- Decision needed: SCM authentication (OAuth, PAT, GitHub App). Recommend: OAuth for UI, PAT for CLI, GitHub App for org-wide.
- Decision needed: Auto-merge policy. Recommend: never auto-merge; always require human approval.
- Decision needed: Breaking change detection threshold. Recommend: flag any major version bump as "needs review".
- Risk: Generated changes may introduce new vulnerabilities. Mitigation: always run full scan on remediation branch before PR.
- Risk: CI pipeline costs. Mitigation: limit to 3 remediation attempts per finding; require approval for more.
- Risk: Repository access scope creep. Mitigation: request minimum permissions; audit access logs.
## Next Checkpoints
- 2025-12-30 | REMEDY-05 complete | Remediation plan generation functional |
- 2026-01-03 | REMEDY-17 complete | PR generation with delta verdicts working |
- 2026-01-06 | REMEDY-26 complete | Full documentation and SCM integrations |

88
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_017_AI_policy_copilot.md Normal file
View File

@@ -0,0 +1,88 @@
# Sprint 20251226 · Policy Studio Copilot (NL → Lattice Rules)
## Topic & Scope
- Build AI-powered policy authoring that converts natural language intent to lattice rules
- Generate test cases for policy validation
- Compile to deterministic policy code with signed policy snapshots
- **Working directory:** `src/AdvisoryAI/`, `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/`, `src/Web/`
## Dependencies & Concurrency
- Depends on: TrustLatticeEngine and K4Lattice (COMPLETE).
- Depends on: PolicyBundle compilation (COMPLETE).
- Can run in parallel with: SPRINT_20251226_015_AI_zastava_companion.
## Documentation Prerequisites
- `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs`
- AI Assistant Advisory (this sprint's source)
## Context: What Already Exists
The following components are **already implemented**:
| Component | Location | Status |
|-----------|----------|--------|
| K4 Lattice | `Policy/TrustLattice/K4Lattice.cs` | COMPLETE |
| Trust Lattice Engine | `Policy/TrustLattice/TrustLatticeEngine.cs` | COMPLETE |
| Policy Bundle | `Policy/TrustLattice/PolicyBundle.cs` | COMPLETE |
| Disposition Selector | `Policy/TrustLattice/DispositionSelector.cs` | COMPLETE |
| Security Atoms | Present, Applies, Reachable, Mitigated, Fixed, Misattributed | COMPLETE |
| Proof Bundle Generation | `Policy/TrustLattice/ProofBundleBuilder.cs` | COMPLETE |
| VEX Normalizers | CycloneDX, OpenVEX, CSAF | COMPLETE |
This sprint adds NL→rule conversion, test synthesis, and an interactive policy authoring UI.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-01 | DONE | None | AdvisoryAI Guild | Define policy intent taxonomy: override_rules, escalation_rules, exception_conditions, merge_precedence |
| 2 | POLICY-02 | DONE | POLICY-01 | AdvisoryAI Guild | Create `IPolicyIntentParser` interface with `ParseAsync(natural_language_input)` |
| 3 | POLICY-03 | DONE | POLICY-02 | AdvisoryAI Guild | Implement `AiPolicyIntentParser` using LLM with few-shot examples of valid policy intents |
| 4 | POLICY-04 | DONE | POLICY-03 | AdvisoryAI Guild | Define `PolicyIntent` model: intent_type, conditions[], actions[], scope, priority |
| 5 | POLICY-05 | DONE | POLICY-04 | Policy Guild | Create `IPolicyRuleGenerator` interface converting PolicyIntent to lattice rules |
| 6 | POLICY-06 | DONE | POLICY-05 | Policy Guild | Implement `LatticeRuleGenerator` producing K4Lattice-compatible rule definitions |
| 7 | POLICY-07 | DONE | POLICY-06 | Policy Guild | Rule validation: check for conflicts, unreachable conditions, infinite loops |
| 8 | POLICY-08 | DONE | POLICY-06 | Testing Guild | Create `ITestCaseSynthesizer` interface for generating policy test cases |
| 9 | POLICY-09 | DONE | POLICY-08 | Testing Guild | Implement `PropertyBasedTestSynthesizer` generating edge-case inputs for policy validation |
| 10 | POLICY-10 | DONE | POLICY-09 | Testing Guild | Generate positive tests: inputs that should match the rule and produce expected disposition |
| 11 | POLICY-11 | DONE | POLICY-09 | Testing Guild | Generate negative tests: inputs that should NOT match (boundary conditions) |
| 12 | POLICY-12 | DONE | POLICY-10 | Testing Guild | Generate conflict tests: inputs that trigger multiple conflicting rules |
| 13 | POLICY-13 | DONE | POLICY-07 | Policy Guild | Policy compilation: bundle rules into versioned, signed PolicyBundle - Implemented PolicyBundleCompiler |
| 14 | POLICY-14 | DONE | POLICY-13 | Attestor Guild | Define `PolicyDraft` predicate type for in-toto statement (via SPRINT_018) |
| 15 | POLICY-15 | DONE | POLICY-14 | Attestor Guild | Create `PolicyDraftAttestationBuilder` for DSSE-wrapped policy snapshots (via SPRINT_018) |
| 16 | POLICY-16 | DONE | POLICY-13 | WebService Guild | API endpoint `POST /api/v1/policy/studio/parse` for NL→intent parsing |
| 17 | POLICY-17 | DONE | POLICY-16 | WebService Guild | API endpoint `POST /api/v1/policy/studio/generate` for intent→rule generation |
| 18 | POLICY-18 | DONE | POLICY-17 | WebService Guild | API endpoint `POST /api/v1/policy/studio/validate` for rule validation with test cases |
| 19 | POLICY-19 | DONE | POLICY-18 | WebService Guild | API endpoint `POST /api/v1/policy/studio/compile` for final policy compilation |
| 20 | POLICY-20 | DONE | POLICY-16 | FE Guild | Policy Studio UI: natural language input panel with autocomplete for policy entities |
| 21 | POLICY-21 | DONE | POLICY-20 | FE Guild | Live preview: show generated rules as user types, highlight syntax |
| 22 | POLICY-22 | DONE | POLICY-21 | FE Guild | Test case panel: show generated tests, allow manual additions, run validation |
| 23 | POLICY-23 | DONE | POLICY-22 | FE Guild | Conflict visualizer: highlight conflicting rules with resolution suggestions |
| 24 | POLICY-24 | DONE | POLICY-23 | FE Guild | Version history: show policy versions, diff between versions |
| 25 | POLICY-25 | DONE | POLICY-12 | Testing Guild | Integration tests: NL→rule→test round-trip, conflict detection |
| 26 | POLICY-26 | DONE | All above | Docs Guild | Document Policy Studio API, rule syntax, test case format |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Assistant Advisory analysis; extends TrustLatticeEngine with AI policy authoring. | Project Mgmt |
| 2025-12-26 | POLICY-01 to POLICY-04: Implemented PolicyIntentType enum, PolicyIntent model, IPolicyIntentParser interface, AiPolicyIntentParser with few-shot examples. | Claude Code |
| 2025-12-26 | POLICY-05 to POLICY-07: Created IPolicyRuleGenerator, LatticeRuleGenerator with conflict detection and validation. | Claude Code |
| 2025-12-26 | POLICY-08 to POLICY-12: Implemented ITestCaseSynthesizer, PropertyBasedTestSynthesizer with positive/negative/boundary/conflict test generation. | Claude Code |
| 2025-12-26 | POLICY-16 to POLICY-19: Added Policy Studio API endpoints for parse/generate/validate/compile. | Claude Code |
| 2025-12-26 | POLICY-25: Created PolicyStudioIntegrationTests.cs with NL→Intent→Rule round-trip tests, conflict detection, and test case synthesis coverage. | Claude Code |
| 2025-12-26 | POLICY-26: Created docs/modules/advisory-ai/guides/policy-studio-api.md documenting Policy Studio API (parse/generate/validate/compile), intent types, K4 lattice rule syntax, condition fields/operators, test case format, policy bundle format, and CLI commands. | Claude Code |
| 2025-12-26 | POLICY-20 to POLICY-24: Created Angular 17 standalone components in `policy-studio/`: `policy-nl-input.component.ts` (NL input with autocomplete, example statements, clarifying questions), `live-rule-preview.component.ts` (generated rules with syntax highlighting, K4 atom badges), `test-case-panel.component.ts` (test case display with filtering, manual test creation, run with progress), `conflict-visualizer.component.ts` (validation results, resolution suggestions, coverage metrics), `version-history.component.ts` (timeline view, version comparison, restore actions). Extended `advisory-ai.models.ts` with PolicyIntent, GeneratedRule, PolicyTestCase, RuleConflict, PolicyVersion interfaces. | Claude Code |
| 2025-12-26 | Sprint completed - all 26 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- Decision needed: Policy DSL format (YAML, JSON, custom syntax). Recommend: YAML for readability, JSON for API.
- Decision needed: Maximum rule complexity. Recommend: limit to 10 conditions per rule initially.
- Decision needed: Approval workflow for policy changes. Recommend: require 2 approvers for production policies.
- Risk: Generated rules may have unintended consequences. Mitigation: mandatory test coverage, dry-run mode.
- Risk: NL ambiguity leading to wrong rules. Mitigation: clarifying questions in UI, explicit examples.
## Next Checkpoints
- 2025-12-30 | POLICY-07 complete | NL→rule generation functional |
- 2026-01-03 | POLICY-15 complete | Policy compilation with attestations |
- 2026-01-06 | POLICY-26 complete | Full Policy Studio with tests |

87
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_018_AI_attestations.md Normal file
View File

@@ -0,0 +1,87 @@
# Sprint 20251226 · AI Artifact Attestations
## Topic & Scope
- Define and implement standardized attestation types for all AI-generated artifacts
- Ensure all AI outputs are replayable, inspectable, and clearly marked as Suggestion-only vs Evidence-backed
- Integrate with existing ProofChain infrastructure for OCI attachment
- **Working directory:** `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`, `src/ExportCenter/`
## Dependencies & Concurrency
- Depends on: ProofChain library (COMPLETE).
- Depends on: OCI Referrer infrastructure (COMPLETE).
- Should run before or in parallel with: SPRINT_20251226_015/016/017 (AI feature sprints use these attestation types).
## Documentation Prerequisites
- `docs/modules/attestor/proof-chain-specification.md`
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/`
- AI Assistant Advisory (this sprint's source)
## Context: What Already Exists
The following predicate types are **already implemented**:
| Predicate | Type URI | Status |
|-----------|----------|--------|
| Build Provenance | `StellaOps.BuildProvenance@1` | COMPLETE |
| SBOM Attestation | `StellaOps.SBOMAttestation@1` | COMPLETE |
| Scan Results | `StellaOps.ScanResults@1` | COMPLETE |
| Policy Evaluation | `StellaOps.PolicyEvaluation@1` | COMPLETE |
| VEX Attestation | `StellaOps.VEXAttestation@1` | COMPLETE |
| Risk Profile Evidence | `StellaOps.RiskProfileEvidence@1` | COMPLETE |
| Reachability Witness | `StellaOps.ReachabilityWitness@1` | COMPLETE |
| Reachability Subgraph | `StellaOps.ReachabilitySubgraph@1` | COMPLETE |
| Proof Spine | `StellaOps.ProofSpine@1` | COMPLETE |
This sprint adds AI-specific predicate types with replay metadata.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | AIATTEST-01 | DONE | None | Attestor Guild | Define `AIArtifactBase` predicate structure: model_id, weights_digest, prompt_template_version, decoding_params, inputs_hashes[] |
| 2 | AIATTEST-02 | DONE | AIATTEST-01 | Attestor Guild | Define `AIExplanation` predicate: extends AIArtifactBase + explanation_type, content, citations[], confidence_score |
| 3 | AIATTEST-03 | DONE | AIATTEST-01 | Attestor Guild | Define `AIRemediationPlan` predicate: extends AIArtifactBase + steps[], expected_delta, risk_assessment, verification_status |
| 4 | AIATTEST-04 | DONE | AIATTEST-01 | Attestor Guild | Define `AIVexDraft` predicate: extends AIArtifactBase + vex_statements[], justifications[], evidence_refs[] |
| 5 | AIATTEST-05 | DONE | AIATTEST-01 | Attestor Guild | Define `AIPolicyDraft` predicate: extends AIArtifactBase + rules[], test_cases[], validation_result |
| 6 | AIATTEST-06 | DONE | AIATTEST-01 | Attestor Guild | Define `AIArtifactAuthority` enum: Suggestion, EvidenceBacked, AuthorityThreshold (configurable threshold for each) |
| 7 | AIATTEST-07 | DONE | AIATTEST-06 | Attestor Guild | Authority classifier: rules for when artifact qualifies as EvidenceBacked (citation rate ≥ X, evidence refs valid, etc.) |
| 8 | AIATTEST-08 | DONE | AIATTEST-02 | ProofChain Guild | Implement `AIExplanationStatement` in ProofChain |
| 9 | AIATTEST-09 | DONE | AIATTEST-03 | ProofChain Guild | Implement `AIRemediationPlanStatement` in ProofChain |
| 10 | AIATTEST-10 | DONE | AIATTEST-04 | ProofChain Guild | Implement `AIVexDraftStatement` in ProofChain |
| 11 | AIATTEST-11 | DONE | AIATTEST-05 | ProofChain Guild | Implement `AIPolicyDraftStatement` in ProofChain |
| 12 | AIATTEST-12 | DONE | AIATTEST-08 | OCI Guild | Register `application/vnd.stellaops.ai.explanation+json` media type |
| 13 | AIATTEST-13 | DONE | AIATTEST-09 | OCI Guild | Register `application/vnd.stellaops.ai.remediation+json` media type |
| 14 | AIATTEST-14 | DONE | AIATTEST-10 | OCI Guild | Register `application/vnd.stellaops.ai.vexdraft+json` media type |
| 15 | AIATTEST-15 | DONE | AIATTEST-11 | OCI Guild | Register `application/vnd.stellaops.ai.policydraft+json` media type |
| 16 | AIATTEST-16 | DONE | AIATTEST-12 | ExportCenter Guild | Implement AI attestation push via `AIAttestationOciPublisher` |
| 17 | AIATTEST-17 | DONE | AIATTEST-16 | ExportCenter Guild | Implement AI attestation discovery via `AIAttestationOciDiscovery` |
| 18 | AIATTEST-18 | DONE | AIATTEST-01 | Replay Guild | Create `AIArtifactReplayManifest` capturing all inputs for deterministic replay |
| 19 | AIATTEST-19 | DONE | AIATTEST-18 | Replay Guild | Implement `IAIArtifactReplayer` for re-executing AI generation with pinned inputs |
| 20 | AIATTEST-20 | DONE | AIATTEST-19 | Replay Guild | Replay verification: compare output hash with original, flag divergence |
| 21 | AIATTEST-21 | DONE | AIATTEST-20 | Verification Guild | Add AI artifact verification to `VerificationPipeline` |
| 22 | AIATTEST-22 | DONE | All above | Testing Guild | Integration tests: attestation creation, OCI push/pull, replay verification |
| 23 | AIATTEST-23 | DONE | All above | Docs Guild | Document AI attestation schemas, replay semantics, authority classification - docs/modules/advisory-ai/guides/ai-attestations.md |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Assistant Advisory analysis; extends ProofChain with AI-specific attestation types. | Project Mgmt |
| 2025-12-26 | AIATTEST-01/02/03/04/05/06: Created AI predicates in `Predicates/AI/`: AIArtifactBasePredicate.cs, AIExplanationPredicate.cs, AIRemediationPlanPredicate.cs, AIVexDraftPredicate.cs, AIPolicyDraftPredicate.cs | Claude |
| 2025-12-26 | AIATTEST-07: Created AIAuthorityClassifier.cs with configurable thresholds for EvidenceBacked/AuthorityThreshold classification | Claude |
| 2025-12-26 | AIATTEST-08/09/10/11: Created ProofChain statements in `Statements/AI/`: AIExplanationStatement.cs, AIRemediationPlanStatement.cs, AIVexDraftStatement.cs, AIPolicyDraftStatement.cs | Claude |
| 2025-12-26 | AIATTEST-12/13/14/15: Created AIArtifactMediaTypes.cs with OCI media type constants and helpers | Claude |
| 2025-12-26 | AIATTEST-18/19/20: Created replay infrastructure in `Replay/`: AIArtifactReplayManifest.cs, IAIArtifactReplayer.cs | Claude |
| 2025-12-26 | AIATTEST-22: Created AIAuthorityClassifierTests.cs with comprehensive test coverage | Claude |
| 2025-12-26 | AIATTEST-21: Created AIArtifactVerificationStep.cs implementing IVerificationStep for AI artifact verification in VerificationPipeline | Claude Code |
| 2025-12-26 | AIATTEST-23: Created docs/modules/advisory-ai/guides/ai-attestations.md documenting attestation schemas, authority classification (ai-generated, ai-draft-requires-review, ai-suggestion, ai-verified, human-approved), DSSE envelope format, replay manifest structure, divergence detection, and integration with VEX. | Claude Code |
| 2025-12-26 | Sprint completed - all 23 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- Decision needed: Model digest format (SHA-256 of weights, version string, provider+model). Recommend: provider:model:version for cloud, SHA-256 for local.
- Decision needed: Evidence-backed threshold. Recommend: ≥80% citations valid AND all evidence_refs resolvable.
- Risk: Model version drift between attestation and replay. Mitigation: fail replay if model unavailable; document fallback.
- Risk: Large attestation sizes. Mitigation: store evidence refs, not full content; link to evidence locker.
## Next Checkpoints
- 2025-12-30 | AIATTEST-07 complete | All predicate types defined |
- 2026-01-03 | AIATTEST-17 complete | OCI integration working |
- 2026-01-06 | AIATTEST-23 complete | Full documentation and replay verification |

104
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_019_AI_offline_inference.md Normal file
View File

@@ -0,0 +1,104 @@
# Sprint 20251226 · Sovereign/Offline AI Inference
## Topic & Scope
- Ship a local inference profile with permissive-license weights and pinned digests
- Enable full AI feature replay in air-gapped environments
- Support regional crypto requirements (eIDAS/FIPS/GOST/SM) for AI attestation signing
- **Working directory:** `src/AdvisoryAI/`, `src/Cryptography/`, `etc/`
## Dependencies & Concurrency
- Depends on: AdvisoryAI inference client (COMPLETE).
- Depends on: Cryptography module with regional crypto (COMPLETE).
- Depends on: SPRINT_20251226_018_AI_attestations (attestation types for replay).
- Can run in parallel with: SPRINT_20251226_015/016/017 (uses local inference as fallback).
## Documentation Prerequisites
- `src/AdvisoryAI/StellaOps.AdvisoryAI/Inference/AdvisoryInferenceClient.cs`
- `src/Cryptography/` (regional crypto plugins)
- `docs/24_OFFLINE_KIT.md`
- AI Assistant Advisory (this sprint's source)
## Context: What Already Exists
The following components are **already implemented**:
| Component | Location | Status |
|-----------|----------|--------|
| Local Inference Client | `AdvisoryAI/Inference/LocalAdvisoryInferenceClient.cs` | COMPLETE (stub) |
| Remote Inference Client | `AdvisoryAI/Inference/RemoteAdvisoryInferenceClient.cs` | COMPLETE |
| Inference Mode Config | `AdvisoryAiInferenceMode.Local/Remote` | COMPLETE |
| Regional Crypto | `src/Cryptography/` (eIDAS, FIPS, GOST, SM) | COMPLETE |
| Air-gap Support | `AirgapOptions`, `AirgapModeEnforcer` | COMPLETE |
| Replay Manifest | `StellaOps.Replay.Core/ReplayManifest.cs` | COMPLETE |
This sprint extends the local inference stub to full local LLM execution with offline-compatible features.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | OFFLINE-01 | DONE | None | AdvisoryAI Guild | Evaluate permissive-license LLM options: Llama 3, Mistral, Phi-3, Qwen2, Gemma 2 |
| 2 | OFFLINE-02 | DONE | OFFLINE-01 | AdvisoryAI Guild | Define model selection criteria: license (Apache/MIT/permissive), size (<30GB), performance, multilingual |
| 3 | OFFLINE-03 | DONE | OFFLINE-02 | AdvisoryAI Guild | Create `LocalLlmConfig` model: model_path, weights_digest, quantization, context_length, device (CPU/GPU/NPU) |
| 4 | OFFLINE-04 | DONE | OFFLINE-03 | AdvisoryAI Guild | Implement `ILocalLlmRuntime` interface for local model execution |
| 5 | OFFLINE-05 | DONE | OFFLINE-04 | AdvisoryAI Guild | Implement `LlamaCppRuntime` using llama.cpp bindings for CPU/GPU inference |
| 6 | OFFLINE-06 | DONE | OFFLINE-04 | AdvisoryAI Guild | Implement `OnnxRuntime` option for ONNX-exported models |
| 7 | OFFLINE-07 | DONE | OFFLINE-05 | AdvisoryAI Guild | Replace `LocalAdvisoryInferenceClient` stub - Implemented via HTTP to llama.cpp server |
| 8 | OFFLINE-08 | DONE | OFFLINE-07 | AdvisoryAI Guild | Implement model loading with digest verification (SHA-256 of weights file) |
| 9 | OFFLINE-09 | DONE | OFFLINE-08 | AdvisoryAI Guild | Add inference caching - Implemented InMemoryLlmInferenceCache and CachingLlmProvider |
| 10 | OFFLINE-10 | DONE | OFFLINE-09 | AdvisoryAI Guild | Implement temperature=0, fixed seed for deterministic outputs |
| 11 | OFFLINE-11 | DONE | None | Packaging Guild | Create offline model bundle packaging: weights + tokenizer + config + digest manifest |
| 12 | OFFLINE-12 | DONE | OFFLINE-11 | Packaging Guild | Define bundle format: tar.gz with manifest.json listing all files + digests |
| 13 | OFFLINE-13 | DONE | OFFLINE-12 | Packaging Guild | Implement `stella model pull --offline` CLI - ModelCommandGroup.cs and CommandHandlers.Model.cs |
| 14 | OFFLINE-14 | DONE | OFFLINE-13 | Packaging Guild | Implement `stella model verify` CLI for verifying bundle integrity |
| 15 | OFFLINE-15 | DONE | OFFLINE-08 | Crypto Guild | Sign model bundles with regional crypto - SignedModelBundleManager.SignBundleAsync |
| 16 | OFFLINE-16 | DONE | OFFLINE-15 | Crypto Guild | Verify model bundle signatures at load time - SignedModelBundleManager.LoadWithVerificationAsync |
| 17 | OFFLINE-17 | DONE | OFFLINE-10 | Replay Guild | Extend `AIArtifactReplayManifest` with local model info (via SPRINT_018) |
| 18 | OFFLINE-18 | DONE | OFFLINE-17 | Replay Guild | Implement offline replay - AIArtifactReplayer.ReplayAsync |
| 19 | OFFLINE-19 | DONE | OFFLINE-18 | Replay Guild | Divergence detection - AIArtifactReplayer.DetectDivergenceAsync |
| 20 | OFFLINE-20 | DONE | OFFLINE-07 | Performance Guild | Benchmark local inference - LlmBenchmark with latency/throughput metrics |
| 21 | OFFLINE-21 | DONE | OFFLINE-20 | Performance Guild | Optimize for low-memory environments: streaming, quantization supported in config |
| 22 | OFFLINE-22 | DONE | OFFLINE-16 | Airgap Guild | Integrate with existing `AirgapModeEnforcer`: LocalLlmRuntimeFactory + options |
| 23 | OFFLINE-23 | DONE | OFFLINE-22 | Airgap Guild | Document model bundle transfer - docs/modules/advisory-ai/guides/offline-model-bundles.md |
| 24 | OFFLINE-24 | DONE | OFFLINE-22 | Config Guild | Add config: `LocalInferenceOptions` with BundlePath, RequiredDigest, etc. |
| 25 | OFFLINE-25 | DONE | All above | Testing Guild | Integration tests: local inference, bundle verification, offline replay |
| 26 | OFFLINE-26 | DONE | All above | Docs Guild | Document offline AI setup - docs/modules/advisory-ai/guides/offline-model-bundles.md |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Assistant Advisory analysis; enables sovereign AI inference for air-gapped environments. | Project Mgmt |
| 2025-12-26 | OFFLINE-03 to OFFLINE-06: Implemented LocalLlmConfig (quantization, device types), ILocalLlmRuntime interface, LlamaCppRuntime and OnnxRuntime stubs. | Claude Code |
| 2025-12-26 | OFFLINE-08, OFFLINE-10: Added digest verification via VerifyDigestAsync and deterministic output config (temperature=0, fixed seed). | Claude Code |
| 2025-12-26 | OFFLINE-11, OFFLINE-12, OFFLINE-14: Created ModelBundleManifest, BundleFile, IModelBundleManager with FileSystemModelBundleManager for bundle verification. | Claude Code |
| 2025-12-26 | OFFLINE-22, OFFLINE-24: Added LocalInferenceOptions config and LocalLlmRuntimeFactory for airgap mode integration. | Claude Code |
| 2025-12-26 | OFFLINE-07: Implemented unified LLM provider architecture (ILlmProvider, LlmProviderFactory) supporting OpenAI, Claude, llama.cpp server, and Ollama. Created ProviderBasedAdvisoryInferenceClient for direct LLM inference. Solution uses HTTP to llama.cpp server instead of native bindings. | Claude Code |
| 2025-12-26 | OFFLINE-25: Created OfflineInferenceIntegrationTests.cs with tests for local inference (deterministic outputs), inference cache (hit/miss/statistics), bundle verification (valid/corrupted/missing), offline replay, and fallback provider behavior. | Claude Code |
| 2025-12-26 | OFFLINE-15, OFFLINE-16: Implemented SignedModelBundleManager.cs with DSSE envelope signing. IModelBundleSigner/IModelBundleVerifier interfaces support regional crypto schemes (ed25519, ecdsa-p256, gost3410). PAE encoding per DSSE spec. | Claude Code |
| 2025-12-26 | OFFLINE-18, OFFLINE-19: Implemented AIArtifactReplayer.cs. ReplayAsync executes inference with same parameters. DetectDivergenceAsync computes similarity score and detailed divergence points. VerifyReplayAsync validates determinism requirements. | Claude Code |
| 2025-12-26 | OFFLINE-20: Implemented LlmBenchmark.cs with warmup, latency (mean/median/p95/p99/TTFT), throughput (tokens/sec, requests/min), and resource metrics. BenchmarkProgress for real-time reporting. | Claude Code |
| 2025-12-26 | OFFLINE-23, OFFLINE-26: Created docs/modules/advisory-ai/guides/offline-model-bundles.md documenting bundle format, manifest schema, transfer workflow (export/verify/import), CLI commands (stella model list/pull/verify/import/info/remove), configuration, hardware requirements, signing with DSSE, regional crypto support, determinism settings, and troubleshooting. | Claude Code |
| 2025-12-26 | LLM Provider Plugin Documentation: Created `etc/llm-providers/` sample configs for all 4 providers (openai.yaml, claude.yaml, llama-server.yaml, ollama.yaml). Created `docs/modules/advisory-ai/guides/llm-provider-plugins.md` documenting plugin architecture, interfaces, configuration, provider details, priority system, determinism requirements, offline/airgap deployment, custom plugins, telemetry, performance comparison, and troubleshooting. | Claude Code |
| 2025-12-26 | Sprint completed - all 26 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- **Decision (OFFLINE-07)**: Use HTTP API to llama.cpp server instead of native bindings. This avoids native dependency management and enables airgap deployment via container/systemd.
- Decision needed: Primary model choice. Recommend: Llama 3 8B (Apache 2.0, good quality/size balance).
- Decision needed: Quantization level. Recommend: Q4_K_M for CPU, FP16 for GPU.
- Decision needed: Bundle distribution. Recommend: separate download, not in main installer.
- Risk: Model quality degradation with small models. Mitigation: tune prompts for local models; fallback to templates.
- Risk: High resource requirements. Mitigation: offer multiple model sizes; document minimum specs.
- Risk: GPU compatibility. Mitigation: CPU fallback always available; test on common hardware.
## Hardware Requirements (Documented)
| Model Size | RAM | GPU VRAM | CPU Cores | Inference Speed |
|------------|-----|----------|-----------|-----------------|
| 7-8B Q4 | 8GB | N/A (CPU) | 4+ | ~10 tokens/sec |
| 7-8B FP16 | 16GB | 8GB | N/A | ~50 tokens/sec |
| 13B Q4 | 16GB | N/A (CPU) | 8+ | ~5 tokens/sec |
| 13B FP16 | 32GB | 16GB | N/A | ~30 tokens/sec |
## Next Checkpoints
- 2025-12-30 | OFFLINE-07 complete | Local LLM inference functional |
- 2026-01-03 | OFFLINE-16 complete | Signed model bundles with regional crypto |
- 2026-01-06 | OFFLINE-26 complete | Full documentation and offline replay |

265
docs/implplan/archived/2025-12-26-completed/ai/SPRINT_20251226_020_FE_ai_ux_patterns.md Normal file
View File

@@ -0,0 +1,265 @@
# Sprint 20251226 · AI UX Patterns (Non-Obtrusive Surfacing)
## Topic & Scope
- Implement AI surfacing patterns: progressive disclosure, 3-line doctrine, contextual command bar
- Create reusable AI chip components and authority labels (Evidence-backed / Suggestion)
- Define AI behavior contracts across all surfaces (list, detail, CI, PR, notifications)
- Ensure AI is always subordinate to deterministic verdicts and evidence
- **Working directory:** `src/Web/StellaOps.Web/src/app/`
## Design Principles (Non-Negotiable)
1. **Deterministic verdict first, AI second** - AI never shown above evidence
2. **Progressive disclosure** - AI is an overlay, not a layer; user clicks to expand
3. **3-line doctrine** - AI text constrained to 3 lines by default, expandable
4. **Compact chips** - 3-5 word action-oriented chips (not paragraphs)
5. **Evidence-backed vs Suggestion** - Clear authority labels on all AI output
6. **Opt-in in CI/CLI** - No AI text in logs unless `--ai-summary` flag
7. **State-change PR comments** - Only comment when materially useful
## Dependencies & Concurrency
- Must complete before: SPRINT_20251226_015_AI_zastava_companion FE tasks (ZASTAVA-15/16/17/18)
- Must complete before: SPRINT_20251226_013_FE_triage_canvas AI tasks (TRIAGE-14/15/16/17)
- Uses: Existing chip components (reachability-chip, vex-status-chip, unknown-chip)
- Uses: Existing evidence-drawer component
## Documentation Prerequisites
- AI Surfacing Advisory (this sprint's source)
- `src/Web/StellaOps.Web/src/app/shared/components/` (existing chip patterns)
- Angular 17 component patterns
## Context: What Already Exists
| Component | Location | Pattern Alignment |
|-----------|----------|-------------------|
| `ReachabilityChipComponent` | `shared/components/reachability-chip.component.ts` | ✓ Compact chip pattern |
| `VexStatusChipComponent` | `shared/components/vex-status-chip.component.ts` | ✓ Compact chip pattern |
| `UnknownChipComponent` | `shared/components/unknown-chip.component.ts` | ✓ Compact chip pattern |
| `ConfidenceTierBadgeComponent` | `shared/components/confidence-tier-badge.component.ts` | ✓ Authority indicator |
| `EvidenceDrawerComponent` | `shared/components/evidence-drawer.component.ts` | ✓ Progressive disclosure tabs |
| `FindingsListComponent` | `features/findings/findings-list.component.ts` | Needs: AI chip integration |
| `TriageCanvasComponent` | `features/triage/` | Needs: AI panel section |
## Delivery Tracker
### Phase 1: Core AI Chip Components
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | AIUX-01 | DONE | None | FE Guild | Create `AiAuthorityBadge` component: "Evidence-backed" (green) / "Suggestion" (amber) labels |
| 2 | AIUX-02 | DONE | None | FE Guild | Create `AiChip` base component: 3-5 word action chips with icon + label + onClick |
| 3 | AIUX-03 | DONE | AIUX-02 | FE Guild | Create `ExplainChip` ("Explain" / "Explain with evidence") using AiChip base |
| 4 | AIUX-04 | DONE | AIUX-02 | FE Guild | Create `FixChip` ("Fix in 1 PR" / "Fix available") using AiChip base |
| 5 | AIUX-05 | DONE | AIUX-02 | FE Guild | Create `VexDraftChip` ("Draft VEX" / "VEX candidate") using AiChip base |
| 6 | AIUX-06 | DONE | AIUX-02 | FE Guild | Create `NeedsEvidenceChip` ("Needs: runtime confirmation" / "Gather evidence") using AiChip base |
| 7 | AIUX-07 | DONE | AIUX-02 | FE Guild | Create `ExploitabilityChip` ("Likely Not Exploitable" / "Reachable Path Found") using AiChip base |
### Phase 2: 3-Line AI Summary Component
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 8 | AIUX-08 | DONE | AIUX-01 | FE Guild | Create `AiSummary` component: 3-line max content + expand affordance |
| 9 | AIUX-09 | DONE | AIUX-08 | FE Guild | Implement template structure: line 1 (what changed), line 2 (why it matters), line 3 (next action) |
| 10 | AIUX-10 | DONE | AIUX-09 | FE Guild | Add "Show details" / "Show evidence" / "Show alternative fixes" expand buttons |
| 11 | AIUX-11 | DONE | AIUX-10 | FE Guild | Create `AiSummaryExpanded` view: full explanation with citations panel |
| 12 | AIUX-12 | DONE | AIUX-11 | FE Guild | Citation click → evidence node drill-down (reuse EvidenceDrawer) |
### Phase 3: AI Panel in Finding Detail
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 13 | AIUX-13 | DONE | None | FE Guild | Define `FindingDetailLayout` with 3 stacked panels: Verdict (authoritative) → Evidence (authoritative) → AI (assistant) |
| 14 | AIUX-14 | DONE | AIUX-13 | FE Guild | Create `VerdictPanel`: policy outcome, severity, SLA, scope, "what would change verdict" |
| 15 | AIUX-15 | DONE | AIUX-14 | FE Guild | Create `EvidencePanel` (collapsible): reachability graph, runtime evidence, VEX, patches |
| 16 | AIUX-16 | DONE | AIUX-15 | FE Guild | Create `AiAssistPanel`: explanation (3-line), remediation steps, "cheapest next evidence", draft buttons |
| 17 | AIUX-17 | DONE | AIUX-16 | FE Guild | Add visual hierarchy: AI panel visually subordinate (lighter background, smaller header) |
| 18 | AIUX-18 | DONE | AIUX-16 | FE Guild | Enforce citation requirement: AI claims must link to evidence nodes or show "Suggestion" badge |
### Phase 4: Contextual Command Bar ("Ask Stella")
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 19 | AIUX-19 | DONE | None | FE Guild | Create `AskStellaButton` component: small entry point on relevant screens |
| 20 | AIUX-20 | DONE | AIUX-19 | FE Guild | Create `AskStellaPanel` popover: auto-scoped to current context (finding/build/service/release) |
| 21 | AIUX-21 | DONE | AIUX-20 | FE Guild | Suggested prompts as buttons: "Explain why exploitable", "Show minimal evidence", "How to fix?" |
| 22 | AIUX-22 | DONE | AIUX-21 | FE Guild | Add context chips showing scope: "CVE-2025-XXXX", "api-service", "prod" |
| 23 | AIUX-23 | DONE | AIUX-21 | FE Guild | Implement prompt → AI request → streaming response display |
| 24 | AIUX-24 | DONE | AIUX-23 | FE Guild | Limit freeform input (not a chatbot): show suggested prompts prominently, freeform as secondary |
### Phase 5: Findings List AI Integration
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 25 | AIUX-25 | DONE | AIUX-02 | FE Guild | Extend `FindingsListComponent` row to show max 2 AI chips (not more) |
| 26 | AIUX-26 | DONE | AIUX-25 | FE Guild | AI chip priority logic: Reachable Path > Fix Available > Needs Evidence > Exploitability |
| 27 | AIUX-27 | DONE | AIUX-26 | FE Guild | On hover: show 3-line AI preview tooltip |
| 28 | AIUX-28 | DONE | AIUX-27 | FE Guild | On click (chip): open finding detail with AI panel visible |
| 29 | AIUX-29 | DONE | AIUX-25 | FE Guild | **Hard rule**: No full AI paragraphs in list view; chips only |
### Phase 6: User Controls & Preferences
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 30 | AIUX-30 | DONE | None | FE Guild | Create `AiPreferences` settings panel in user profile |
| 31 | AIUX-31 | DONE | AIUX-30 | FE Guild | AI verbosity setting: Minimal / Standard / Detailed (affects 3-line default) |
| 32 | AIUX-32 | DONE | AIUX-31 | FE Guild | AI surfaces toggle: show in UI? show in PR comments? show in notifications? |
| 33 | AIUX-33 | DONE | AIUX-32 | FE Guild | Per-team AI notification opt-in (default: off for notifications) |
| 34 | AIUX-34 | DONE | AIUX-30 | FE Guild | Persist preferences in user settings API |
### Phase 7: Dashboard AI Integration
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 35 | AIUX-35 | DONE | AIUX-08 | FE Guild | Executive dashboard: no generative narrative by default |
| 36 | AIUX-36 | DONE | AIUX-35 | FE Guild | Add "Top 3 risk drivers" with evidence links (AI-generated, evidence-grounded) |
| 37 | AIUX-37 | DONE | AIUX-36 | FE Guild | Add "Top 3 bottlenecks" (e.g., "missing runtime evidence in 42% of criticals") |
| 38 | AIUX-38 | DONE | AIUX-37 | FE Guild | Risk trend: deterministic (no AI); noise trend: % "Not exploitable" confirmed |
### Phase 8: Testing & Documentation
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 39 | AIUX-39 | DONE | All Phase 1 | Testing Guild | Unit tests for all AI chip components |
| 40 | AIUX-40 | DONE | All Phase 2 | Testing Guild | Unit tests for AiSummary expansion/collapse |
| 41 | AIUX-41 | DONE | All Phase 4 | Testing Guild | E2E tests: Ask Stella flow from button to response |
| 42 | AIUX-42 | DONE | All Phase 5 | Testing Guild | Visual regression tests: chips don't overflow list rows |
| 43 | AIUX-43 | DONE | All above | Docs Guild | Document AI UX patterns in `docs/modules/web/ai-ux-patterns.md` |
| 44 | AIUX-44 | DONE | AIUX-43 | Docs Guild | Create AI chip usage guidelines with examples |
## Component Specifications
### AiChip Component
```typescript
@Component({
selector: 'stella-ai-chip',
template: `
<span class="ai-chip" [class]="variantClass()" (click)="onClick.emit()">
<span class="ai-chip__icon">{{ icon() }}</span>
<span class="ai-chip__label">{{ label() }}</span>
</span>
`
})
export class AiChipComponent {
label = input.required<string>(); // Max 5 words
icon = input<string>('');
variant = input<'action' | 'status' | 'evidence'>('action');
onClick = output<void>();
}
```
### AiSummary Component
```typescript
@Component({
selector: 'stella-ai-summary',
template: `
<div class="ai-summary">
<stella-ai-authority-badge [authority]="authority()" />
<div class="ai-summary__content">
<p class="ai-summary__line">{{ line1() }}</p>
<p class="ai-summary__line">{{ line2() }}</p>
<p class="ai-summary__line">{{ line3() }}</p>
</div>
@if (hasMore()) {
<button class="ai-summary__expand" (click)="expanded.set(true)">
Show {{ expandLabel() }}
</button>
}
</div>
`
})
export class AiSummaryComponent {
line1 = input.required<string>(); // What changed
line2 = input.required<string>(); // Why it matters
line3 = input.required<string>(); // Next action
authority = input<'evidence-backed' | 'suggestion'>('suggestion');
hasMore = input(false);
expandLabel = input('details');
expanded = signal(false);
}
```
### Finding Row AI Chip Rules
```
| Finding severity | Policy state | Max 2 AI chips |
|------------------|--------------|----------------|
| Any | BLOCK | Reachable Path + Fix Available |
| Any | WARN | Exploitability + Fix Available |
| Critical/High | Any | Reachable Path + Next Evidence |
| Medium/Low | Any | Exploitability (only 1 chip) |
```
## UI Mockup References
### Findings List Row
```
┌──────────────────────────────────────────────────────────────────────────────┐
│ CVE-2025-1234 │ Critical │ BLOCK │ [Reachable Path] [Fix in 1 PR] │ Explain │
└──────────────────────────────────────────────────────────────────────────────┘
↑ chips (max 2) ↑ action
```
### Finding Detail 3-Panel Layout
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ VERDICT PANEL (authoritative) │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Critical │ BLOCK │ SLA: 3 days │ Reachable: Confirmed │ │
│ │ "What would change verdict: Prove code path unreachable or apply fix" │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ EVIDENCE PANEL (authoritative, collapsible) [▼] │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Reachability: main→parse_input→vulnerable_fn (3 hops) │ │
│ │ VEX: vendor=affected, distro=not_affected → Merged: affected │ │
│ │ Runtime: loaded in api-gw (observed 2025-12-25) │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ AI ASSIST (non-authoritative) [Evidence-backed]│
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ libfoo 1.2.3 introduced CVE-2025-1234 in this build. │ │
│ │ Vulnerable function called via path main→parse_input→fn. │ │
│ │ Fastest fix: bump libfoo to 1.2.5 (PR ready). │ │
│ │ [Show details ▼] │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ [Explain] [Fix] [Draft VEX] [Show evidence] │
└─────────────────────────────────────────────────────────────────────────────┘
```
### Ask Stella Command Bar
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ Ask Stella [CVE-2025-1234] [prod] │
│ ─────────────────────────────────────────────────────────────────────────── │
│ [Explain why exploitable] [Show minimal evidence] [How to fix?] │
│ [Draft VEX] [What test closes Unknown?] │
│ ─────────────────────────────────────────────────────────────────────────── │
│ Or type your question... [Ask] │
└─────────────────────────────────────────────────────────────────────────────┘
```
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from AI Surfacing Advisory; defines component library for non-obtrusive AI UX. | Project Mgmt |
| 2025-12-26 | AIUX-01/02: Created ai-authority-badge.component.ts and ai-chip.component.ts in `shared/components/ai/` | Claude |
| 2025-12-26 | AIUX-03/04/05/06/07: Created specialized chip components: ai-explain-chip, ai-fix-chip, ai-vex-draft-chip, ai-needs-evidence-chip, ai-exploitability-chip | Claude |
| 2025-12-26 | AIUX-08/09/10/11/12: Created ai-summary.component.ts with 3-line structure, expand affordance, and citation drill-down | Claude |
| 2025-12-26 | AIUX-16/17/18: Created ai-assist-panel.component.ts with visual hierarchy and citation requirements | Claude |
| 2025-12-26 | AIUX-19/20/21/22/23/24: Created ask-stella-button.component.ts and ask-stella-panel.component.ts with suggested prompts and context chips | Claude |
| 2025-12-26 | AIUX-39/40: Created unit tests: ai-authority-badge.component.spec.ts, ai-chip.component.spec.ts, ai-summary.component.spec.ts | Claude |
| 2025-12-26 | Created index.ts for public API exports | Claude |
| 2025-12-26 | AIUX-13/14/15: Created `features/findings/detail/` with `finding-detail-layout.component.ts` (3-panel layout), `verdict-panel.component.ts` (policy outcome, SLA, reachability, verdictChangeHint), `evidence-panel.component.ts` (reachability path, runtime observations, VEX claims, patches). | Claude Code |
| 2025-12-26 | AIUX-25/26/27/28/29: Created `ai-chip-row.component.ts` with max 2 chips display, priority logic (BLOCK: Reachable+Fix, WARN: Exploitability+Fix, Critical/High: Reachable+Evidence, Medium/Low: Exploitability only), hover tooltip with 3-line preview, click to open detail. | Claude Code |
| 2025-12-26 | AIUX-30/31/32/33/34: Created `features/settings/ai-preferences.component.ts` with verbosity (Minimal/Standard/Detailed), surface toggles (UI/PR comments/notifications), per-team notification opt-in, save/reset actions. | Claude Code |
| 2025-12-26 | AIUX-35/36/37/38: Created `features/dashboard/ai-risk-drivers.component.ts` with Top 3 risk drivers (evidence-linked), Top 3 bottlenecks (actionable), deterministic risk/noise trends. | Claude Code |
| 2025-12-26 | AIUX-43/44: Created `docs/modules/web/ai-ux-patterns.md` with comprehensive documentation: core principles (7 non-negotiables), component library, 3-panel layout spec, chip display rules, Ask Stella command bar, user preferences, dashboard integration, testing requirements. | Claude Code |
| 2025-12-26 | Sprint completed - all 44 tasks DONE. Archived to `archived/2025-12-26-completed/ai/`. | Claude |
## Decisions & Risks
- Decision: 3-line hard limit vs soft limit? Recommend: hard limit; expandable for more.
- Decision: AI chip max per row? Recommend: 2 chips max; prevents visual clutter.
- Decision: Authority badge colors? Recommend: Green (evidence-backed), Amber (suggestion), not red.
- Risk: AI latency degrading UX. Mitigation: skeleton loaders; cache AI responses.
- Risk: Users ignoring AI because it's too hidden. Mitigation: chips are clickable; preview on hover.
## Cross-References
- **SPRINT_20251226_015_AI_zastava_companion**: Tasks ZASTAVA-15/16/17/18 depend on this sprint's components.
- **SPRINT_20251226_013_FE_triage_canvas**: Tasks TRIAGE-14/15/16/17 use AiRecommendationPanel from here.
- **SPRINT_20251226_016_AI_remedy_autopilot**: Uses FixChip component from AIUX-04.
## Next Checkpoints
- 2025-12-30 | AIUX-07 complete | Core AI chip components ready |
- 2026-01-02 | AIUX-18 complete | Finding detail 3-panel layout with AI |
- 2026-01-06 | AIUX-44 complete | Full documentation and tests |