Stabilize U
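--- /dev/null
+++ b/PATH_NOT_SHOWN_admin-audit-trails_tier0
@@ -0,0 +1,20 @@
+{
+"tier": 0,
+"feature": "admin-audit-trails",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"sourceFiles": [
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/DecisionService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/IDecisionService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/IAuditService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/IDecisionHook.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/LedgerEventWriteService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Domain/DecisionModels.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Observability/LedgerTelemetry.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Observability/LedgerTimeline.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/LedgerEventWriteServiceTests.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/EvidenceDecisionApiIntegrationTests.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/FindingWorkflowServiceTests.cs", "exists": true}
+],
+"missingRatio": 0.0,
+"sourceVerified": true
+}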
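Review bot: Each `sourceFiles` entry records only `"exists": true`, so `sourceVerified` attests to presence, not to which revision was inspected; the same holds for the tier-0 records for attested-reduction-scoring-in-findings-ledger, cvss-vex-sorting and ledger-projections in this commit. Without a commit identifier or content digest beside the path, a later reader cannot tell whether the tier-2 findings refer to the files as they stood at `2026-02-15T20:55:00.000Z` or to whatever is on the branch now. `missingRatio` is derivable from the `exists` flags and can drift from them if either is edited by hand. Consider a top-level `"commit": "<SHA of the revision inspected>"` field and computing `missingRatio` at read time rather than storing it.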
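--- /dev/null
+++ b/PATH_NOT_SHOWN_admin-audit-trails_tier2
@@ -0,0 +1,25 @@
+{
+"tier": 2,
+"feature": "admin-audit-trails",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"testProject": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj",
+"filter": "All tests (MTP runner ignores VSTest --filter; all 141 ran)",
+"testsRun": 141,
+"testsPassed": 141,
+"testsFailed": 0,
+"rawOutput": "Run tests: StellaOps.Findings.Ledger.Tests.dll [net10.0|x64]\nPassed! - Failed: 0, Passed: 141, Skipped: 0, Total: 141, Duration: 2s 891ms",
+"assertionQuality": "adequate",
+"codeReviewFindings": {
+"DecisionService_RecordAsync": "Creates LedgerEventDraft with SequenceNumber=0 and delegates to LedgerEventWriteService.AppendAsync. LedgerEventWriteService expects strict sequence ordering. However DecisionService always passes 0, relying on auto-sequence at write time. RecordAsync properly validates, builds canonical envelope, and fires hooks. FUNCTIONAL for single-event chains.",
+"DecisionService_GetHistoryAsync": "Returns Array.Empty<DecisionEvent>(). This is a STUB - audit timeline retrieval is NOT implemented.",
+"IAuditService": "Interface declares GetTimelineAsync but NO implementation class was found in the codebase. Pure interface stub.",
+"LedgerEventWriteServiceTests": "3 tests verify hash computation, sequence conflict detection, and idempotent append. All assert actual computed values (hashes, statuses, errors). DEEP assertion quality.",
+"EvidenceDecisionApiIntegrationTests": "8 tests exercise HTTP endpoints but use StatusCode.Should().BeOneOf(OK, Unauthorized, NotFound, BadRequest) patterns. SHALLOW - these tests pass regardless of actual behavior because they accept any status code.",
+"FindingWorkflowServiceTests": "3 tests verify workflow operations (assign, accept risk, comment) with deep assertions on payload structure, event types, and status values. DEEP assertion quality.",
+"RuntimeWiring": "Program.cs registers InMemoryFindingRepository (returns null for all queries) and NullEvidenceRepository (returns null). Evidence graph builder and admin audit views are scaffolded but backed by empty data sources."
+},
+"classification": "not_implemented",
+"classificationRationale": "Previous run-001 classification of not_implemented is CONFIRMED. Key gaps remain: (1) DecisionService.GetHistoryAsync is a stub returning empty array, (2) IAuditService has no implementation, (3) Runtime DI uses NullEvidenceRepository and InMemoryFindingRepository returning null/empty for all queries. The append-only write path works (LedgerEventWriteService is well-tested) but the read-side audit trail (history, timeline, evidence graph) is not wired. Integration tests use shallow StatusCode.Should().BeOneOf() patterns that accept any response.",
+"reclassificationWarranted": false,
+"notes": "The write path (DecisionService.RecordAsync -> LedgerEventWriteService.AppendAsync) IS functional and well-tested. The read path for audit trails is entirely stubbed. Classification should remain not_implemented until GetHistoryAsync, IAuditService implementation, and real repository wiring are completed."
+}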
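Review bot: `assertionQuality` is recorded as `"adequate"` while the `EvidenceDecisionApiIntegrationTests` finding on the same record says the eight HTTP tests accept `OK`, `Unauthorized`, `NotFound` and `BadRequest` interchangeably; a test that passes on either 200 or 401 cannot detect a missing authorization check on the audit endpoints, so a consumer of this record should not be able to read 141/141 as coverage of that behaviour. The `testsRun`/`testsPassed` counts are also suite-wide (the `filter` string says the MTP runner ignored `--filter`), and the same fields in the tier-2 records for attested-reduction-scoring-in-findings-ledger, cvss-vex-sorting and ledger-projections inherit this. Free text inside `filter` is currently the only signal that the numbers are not feature-specific. Consider `"filterApplied": false` plus a `relevantTestClasses` array beside the counts, and a per-area field such as `"authorizationAssertions": "shallow"` so the weakness in the integration tests is machine-readable rather than buried in prose.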
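--- /dev/null
+++ b/PATH_NOT_SHOWN_attested-reduction-scoring_tier0
@@ -0,0 +1,17 @@
+{
+"tier": 0,
+"feature": "attested-reduction-scoring-in-findings-ledger",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"sourceFiles": [
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingEvidenceProvider.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/ScoringContracts.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/AttestationContracts.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Services/AttestationQueryService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingScoringServiceTests.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs", "exists": true}
+],
+"missingRatio": 0.0,
+"sourceVerified": true
+}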
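--- /dev/null
+++ b/PATH_NOT_SHOWN_attested-reduction-scoring_tier2
@@ -0,0 +1,23 @@
+{
+"tier": 2,
+"feature": "attested-reduction-scoring-in-findings-ledger",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"testProject": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj",
+"filter": "All tests (MTP runner ignores VSTest --filter; all 141 ran). Relevant: FindingScoringServiceTests (7 tests), ScoringEndpointsIntegrationTests, ScoringAuthorizationTests, ScoringObservabilityTests.",
+"testsRun": 141,
+"testsPassed": 141,
+"testsFailed": 0,
+"rawOutput": "Run tests: StellaOps.Findings.Ledger.Tests.dll [net10.0|x64]\nPassed! - Failed: 0, Passed: 141, Skipped: 0, Total: 141, Duration: 2s 891ms",
+"assertionQuality": "adequate",
+"codeReviewFindings": {
+"FindingScoringService": "FULLY IMPLEMENTED scoring logic. CalculateScoreAsync gets evidence, gets policy, normalizes, calculates, maps to response with ReductionProfile, HardFail, ShortCircuitReason, and Anchor metadata. Cache key includes policy digest and reduction flag for determinism. Batch scoring with concurrency control is implemented.",
+"AnchoredFindingEvidenceProvider": "FULLY IMPLEMENTED. Queries IEvidenceRepository for full evidence, checks reachability/runtime/VEX attestation digests via IAttestationVerifier, maps to EvidenceAnchor with DSSE envelope digest, Rekor log index, and verification status. HOWEVER: requires GUID-parseable finding IDs (TryParseGuid), and common CVE@PURL format finding IDs may fail to extract a GUID.",
+"FindingScoringServiceTests": "7 unit tests with DEEP assertions: verify ReductionProfile population when attested reduction enabled, HardFail=true with short-circuit reason, anchored VEX not_affected short-circuit to score 0, Anchor DTO population with specific values (sha256:abc123, rekorLogIndex=12345), null reduction profile when disabled, null return for missing evidence, and different cache keys for different policies.",
+"RuntimeWiring": "Program.cs line 228-229 registers NullEvidenceRepository (returns null for all evidence queries) and NullAttestationVerifier (returns IsValid=false for all digests). Line 260 registers AnchoredFindingEvidenceProvider which depends on these null implementations. So at runtime, evidence will ALWAYS be null, scoring will return null for all findings.",
+"GuidParsingLimitation": "AnchoredFindingEvidenceProvider.TryParseGuid splits on @/:/ but CVE@PURL format (e.g. 'CVE-2024-1234@pkg:npm/lodash@4.17.20') does not contain a GUID, so GetEvidenceAsync returns null for standard finding IDs."
+},
+"classification": "not_implemented",
+"classificationRationale": "Previous run-001 classification of not_implemented is CONFIRMED. The scoring SERVICE logic is fully implemented and well-tested at the unit level (7 deep tests with specific value assertions). However, the runtime wiring uses NullEvidenceRepository and NullAttestationVerifier, so the AnchoredFindingEvidenceProvider always receives null evidence. Additionally, the GUID-parsing limitation means standard CVE@PURL finding IDs cannot resolve to evidence. The feature is architecturally complete but not runtime-functional.",
+"reclassificationWarranted": false,
+"notes": "Consider reclassifying to 'partially_implemented' since the scoring logic, reduction profiles, hard-fail, short-circuit, and anchor metadata DTOs are all fully coded and tested. The gap is strictly in runtime data sources (NullEvidenceRepository, NullAttestationVerifier) and the finding ID parsing limitation. However, per the feature file's own 'Missing/Mismatched Behavior' section, the end-to-end path is broken, so not_implemented is appropriate."
+}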
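Review bot: The `RuntimeWiring` finding cites `Program.cs line 228-229` and `Line 260`, and `OutOfOrderHandling` in the ledger-projections tier-2 record cites `line 86`; bare line numbers go stale on the next edit to those files, and the record carries no commit identifier to pin them. Naming the registration instead, e.g. the pair `NullEvidenceRepository` for `IEvidenceRepository` and `NullAttestationVerifier` for `IAttestationVerifier`, would keep the finding checkable across edits. The `NullAttestationVerifier` description (`IsValid=false for all digests`) is the security-relevant fact here — a fail-closed default — and deserves its own key such as `"attestationVerificationAtRuntime": "fail-closed (NullAttestationVerifier)"` rather than a clause inside a prose value. The decision criterion in `notes` ("the feature file's own 'Missing/Mismatched Behavior' section") is referenced but not captured, so the rationale cannot be re-evaluated from this record alone.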
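--- /dev/null
+++ b/PATH_NOT_SHOWN_cvss-vex-sorting_tier0
@@ -0,0 +1,14 @@
+{
+"tier": 0,
+"feature": "cvss-vex-sorting",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"sourceFiles": [
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingSummaryBuilder.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingSummaryService.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/FindingSummary.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingSummaryBuilderTests.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/ScoredFindingsQueryServiceTests.cs", "exists": true}
+],
+"missingRatio": 0.0,
+"sourceVerified": true
+}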
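--- /dev/null
+++ b/PATH_NOT_SHOWN_cvss-vex-sorting_tier2
@@ -0,0 +1,24 @@
+{
+"tier": 2,
+"feature": "cvss-vex-sorting",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"testProject": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj",
+"filter": "All tests (MTP runner ignores VSTest --filter; all 141 ran). Relevant: FindingSummaryBuilderTests (11 tests), ScoredFindingsQueryServiceTests (1 test).",
+"testsRun": 141,
+"testsPassed": 141,
+"testsFailed": 0,
+"rawOutput": "Run tests: StellaOps.Findings.Ledger.Tests.dll [net10.0|x64]\nPassed! - Failed: 0, Passed: 141, Skipped: 0, Total: 141, Duration: 2s 891ms",
+"assertionQuality": "adequate",
+"codeReviewFindings": {
+"FindingSummaryBuilder": "FULLY IMPLEMENTED. Builds FindingSummary with CvssScore, Severity, VerdictStatus, VerdictChip (color-coded), OneLiner, ProofBadges. Each finding has CvssScore and Status fields that COULD be used for sorting.",
+"FindingSummaryService": "GetSummariesAsync calls _repository.GetPagedAsync with page, pageSize, status, severity, minConfidence parameters. DOES NOT accept any sort field/direction parameters.",
+"FindingSummaryFilter": "Record has Page, PageSize, Status, Severity, MinConfidence. NO SortBy, SortDirection, or OrderBy fields. Multi-dimension sorting is NOT exposed in the API contract.",
+"FindingSummaryBuilderTests": "11 tests verify chip colors, badge statuses, one-liner generation, and field copying. All have DEEP assertions checking specific enum values and string content. However, NO tests verify sort ordering of multiple summaries.",
+"ScoredFindingsQueryServiceTests": "1 test verifies attestation metadata mapping with DEEP assertions on specific count values. Not related to sorting.",
+"RuntimeWiring": "Program.cs registers InMemoryFindingRepository which returns null/empty for all queries, so the summary endpoints return no data at runtime."
+},
+"classification": "not_implemented",
+"classificationRationale": "Previous run-001 classification of not_implemented is CONFIRMED. The core gap is that FindingSummaryFilter has NO sort parameters (no SortBy, SortDirection, or multi-dimension ordering fields). FindingSummaryService.GetSummariesAsync does not accept or apply sort ordering. The FindingSummaryBuilder correctly populates CvssScore and VerdictStatus fields that could support sorting, but the API surface does not expose sort controls. Additionally, the runtime repository returns empty data. Multi-dimension CVSS/VEX sorting is not implemented at the contract or service level.",
+"reclassificationWarranted": false,
+"notes": "The FindingSummaryBuilder is well-implemented for building individual summaries with all required fields (CvssScore, Severity, VerdictStatus). The gap is purely in the sort/ordering plumbing: FindingSummaryFilter lacks sort parameters, FindingSummaryService does not apply ordering, and the repository interface does not support ordered queries. This is a true not_implemented for the sorting aspect."
+}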
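--- /dev/null
+++ b/PATH_NOT_SHOWN_ledger-projections_tier0
@@ -0,0 +1,15 @@
+{
+"tier": 0,
+"feature": "ledger-projections",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"sourceFiles": [
+{"path": "src/Findings/StellaOps.Findings.Ledger/Infrastructure/Projection/LedgerProjectionWorker.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Services/LedgerProjectionReducer.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Hashing/ProjectionHashing.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Infrastructure/IFindingProjectionRepository.cs", "exists": true},
+{"path": "src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresFindingProjectionRepository.cs", "exists": true},
+{"path": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/LedgerProjectionReducerTests.cs", "exists": true}
+],
+"missingRatio": 0.0,
+"sourceVerified": true
+}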
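--- /dev/null
+++ b/PATH_NOT_SHOWN_ledger-projections_tier2
@@ -0,0 +1,25 @@
+{
+"tier": 2,
+"feature": "ledger-projections",
+"timestamp": "2026-02-15T20:55:00.000Z",
+"testProject": "src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj",
+"filter": "All tests (MTP runner ignores VSTest --filter; all 141 ran). Relevant: LedgerProjectionReducerTests (3 tests).",
+"testsRun": 141,
+"testsPassed": 141,
+"testsFailed": 0,
+"rawOutput": "Run tests: StellaOps.Findings.Ledger.Tests.dll [net10.0|x64]\nPassed! - Failed: 0, Passed: 141, Skipped: 0, Total: 141, Duration: 2s 891ms",
+"assertionQuality": "deep",
+"codeReviewFindings": {
+"LedgerProjectionReducer": "FULLY IMPLEMENTED static reducer. Reduce() takes a LedgerEventRecord, optional current FindingProjection, and PolicyEvaluationResult. Correctly determines status, severity, risk scores, merges labels (add/remove), determines explain references, creates history entries and triage action entries. Computes deterministic CycleHash via ProjectionHashing.",
+"LedgerProjectionWorker": "FULLY IMPLEMENTED BackgroundService. ExecuteAsync loads checkpoint, reads event batches, applies each event via ApplyAsync (get current projection -> evaluate policy -> reduce -> upsert projection + insert history + insert action + save checkpoint). Includes telemetry, incident diagnostics, error handling, and batch metrics.",
+"OutOfOrderHandling": "CONFIRMED MISSING. LedgerProjectionWorker iterates 'foreach (var record in batch)' at line 86 without sorting by sequence number. The batch is processed in received order. LedgerProjectionReducer.Reduce is a pure function that processes one event at a time and does not perform ordering. The feature claim for 'out-of-order event delivery by ordering events by sequence number before applying' is NOT satisfied.",
+"LedgerProjectionReducerTests": "3 tests with DEEP assertions: (1) Reduce_WhenFindingCreated verifies status, severity, labels, explainRef, rationale, cycleHash, and hash determinism. (2) Reduce_StatusChange verifies status transition, comment extraction, action entry creation. (3) Reduce_LabelUpdates verifies label merge (add/update/remove). All use FluentAssertions with specific value checks.",
+"ProjectionHashing": "Computes deterministic cycle hashes for projection state, enabling replay consistency verification.",
+"PostgresFindingProjectionRepository": "Full Postgres persistence implementation for projections with upsert, checkpoint, history, and action operations."
+},
+"classification": "not_implemented",
+"classificationRationale": "Previous run-001 classification of not_implemented is RECONSIDERED. The projection pipeline (worker + reducer + repository + hashing) is substantially implemented and well-tested. The ONLY gap is out-of-order event handling: LedgerProjectionWorker processes events in batch order without sequence reordering. All other projection claims (materialize events to read models, deterministic hashing, catch-up from checkpoint, policy evaluation) are implemented. However, since the feature file specifically claims out-of-order handling and this is not satisfied, the not_implemented classification is borderline. RECOMMEND reclassifying to 'partially_implemented' and moving feature file back to the appropriate location, since ~80% of the feature surface is functional.",
+"reclassificationWarranted": true,
+"suggestedStatus": "not_implemented",
+"notes": "The projection system is the most complete of the 4 investigated features. The reducer is well-tested with deep assertions. The worker correctly implements the projection loop with checkpoint management, telemetry, and error handling. The single gap (out-of-order sequence reordering before reduce) is a specific claimed behavior that is not enforced. If out-of-order handling were removed from the feature claims, this would pass. Current classification as not_implemented is slightly harsh but technically correct per the feature file's own E2E test plan item 4."
+}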
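Review bot: `reclassificationWarranted` is `true` but `suggestedStatus` is `"not_implemented"`, the value `classification` already holds, while `classificationRationale` says `RECOMMEND reclassifying to 'partially_implemented'`; a consumer acting on the structured fields would change nothing, a reader of the prose would reclassify. One of the three should change, most likely `"suggestedStatus": "partially_implemented"` given the rationale and `notes`. `suggestedStatus` is absent from the other three tier-2 records in this commit, so if it is meant to appear only when reclassification is warranted that convention belongs in a schema; otherwise emit it on every record. The missing sequence-number ordering before reduce is also an integrity property of the projection (a replay in a different receive order would produce a different `CycleHash` for the same ledger), which is worth stating in `OutOfOrderHandling` so the gap is not read as purely a feature-claim mismatch.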