Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -26,6 +26,14 @@
|
||||
- Archival: completed tasks should flow to `docs/implplan/archived/tasks.md` as per sprint guidance.
|
||||
- Avoid external URLs unless already present; prefer relative doc links.
|
||||
|
||||
## Advisory Handling (must do for every new advisory)
|
||||
- **Trigger:** any new/updated file in `docs/product-advisories/` (current or archived) automatically requires updates below—no chat approval.
|
||||
- **Docs:** add/update a high-level page in `docs/` (vision/key-features/market) and a detailed page in the closest area (`docs/reachability/*`, `docs/market/*`, `docs/benchmarks/*`, `docs/modules/<module>/*`, etc.). Inline only short snippets; place runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic, offline-friendly) and link.
|
||||
- **Sprints:** add Delivery Tracker rows in the relevant `SPRINT_*.md`, include doc paths, owners, deps; add an Execution Log line and risks/interlocks (schema/feed freeze, transparency caps) when needed.
|
||||
- **De-dup:** check `docs/product-advisories/archived/`; mark “supersedes/extends <advisory>` if overlapping to avoid duplicate tasks.
|
||||
- **Defaults:** hybrid reachability posture (graph DSSE required; edge-bundle optional), deterministic/frozen feeds, offline-ready benches.
|
||||
- **Do not defer:** execute steps immediately, then report.
|
||||
|
||||
## Cross-Module Coordination
|
||||
- Respect each module’s AGENTS.md when touching module-specific sprint entries; do not change module instructions from here.
|
||||
- If a required module AGENTS.md is missing/outdated, mark the related task BLOCKED in that module’s sprint and note it in Decisions & Risks here.
|
||||
|
||||
@@ -85,6 +85,15 @@
|
||||
| 50 | SCANNER-BUILDID-401-035 | TODO | Depends on scanner symbol work and fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
|
||||
| 51 | SCANNER-INITROOT-401-036 | TODO | Requires graph writer updates from 1. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
|
||||
| 52 | QA-PORACLE-401-037 | TODO | Depends on reachability graph fixtures; add CI harness. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
|
||||
| 53 | GRAPH-HYBRID-401-053 | TODO | Await graph schema (task 1) final hash; align with Attestor. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering → BLAKE3 graph hash → DSSE envelope → Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
|
||||
| 54 | EDGE-BUNDLE-401-054 | TODO | Depends on 53 and init/root handling (51). | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (≤512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
|
||||
| 55 | SIG-POL-HYBRID-401-055 | TODO | Needs edge-bundle schema from 54 and Unknowns rules. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
|
||||
| 56 | DOCS-HYBRID-401-056 | TODO | Dependent on 53–55 delivery; interim draft exists. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
|
||||
| 57 | BENCH-DETERMINISM-401-057 | TODO | Await feed-freeze hash + SBOM/VEX bundle list; align with Signals/Policy. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implement cross-scanner determinism bench from 23-Nov advisory: shuffle SBOM/VEX, run 10x2 matrix per scanner, compute determinism rate & CVSS delta σ; add CI target `bench:determinism`, store hashed inputs/outputs, and publish summary CSV. |
|
||||
| 58 | DATASET-REACH-PUB-401-058 | TODO | Needs schema alignment from tasks 1/17/55. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
|
||||
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | TODO | Depends on 1 and native symbolizer readiness. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
|
||||
| 60 | CORPUS-MERGE-401-060 | TODO | After 58 schema settled; tie to QA-CORPUS-401-031. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
|
||||
| 61 | DOCS-BENCH-401-061 | TODO | Blocks on outputs from 57–60. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
|
||||
|
||||
## Wave Coordination
|
||||
| Wave | Guild owners | Shared prerequisites | Status | Notes |
|
||||
@@ -98,6 +107,9 @@
|
||||
- CAS hash/predicate choices must stay consistent across Scanner, Signals, Replay, and Policy (tasks 1, 11, 19, 24).
|
||||
- DSSE predicate catalog and Signer integration (tasks 12, 24, 34–36) gate VEX and provenance tasks.
|
||||
- UI/CLI explainers (tasks 15, 21, 47) depend on policy reachability outputs and graph schema stabilization.
|
||||
- Hybrid reachability attestation decision: graph-level DSSE is mandatory; edge-bundle DSSE is optional/targeted (runtime/init/contested edges) with Rekor publish capped; see `docs/reachability/hybrid-attestation.md` and tasks 53–56.
|
||||
- New datasets/benches (tasks 57–61) rely on schema freeze from tasks 1/55 and determinism guardrails; ensure feed-freeze hashes are published before CI wiring.
|
||||
- Competitive/vision docs updated with reachability moat and vendor comparison; ensure sales/PMM references live in `docs/market/competitive-landscape.md` and `docs/reachability/lead.md`.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
- Schedule go/no-go once Sprint 0400 readiness is confirmed (TBD, Planning).
|
||||
@@ -117,10 +129,18 @@
|
||||
| R1 | Sprint 0400 and upstream runtime/replay prerequisites slip. | Delivery blocked; evidence chain cannot start. | Track readiness in checkpoints; hold start until record mode + Evidence Locker APIs land (Planning). |
|
||||
| R2 | CAS hash/predicate mismatch across modules. | Inconsistent artifacts, replay failures. | Align specs via tasks 1, 11, 19, 24; review before implementation (Platform Guild). |
|
||||
| R3 | Determinism gaps in fixtures/benchmarks. | Flaky reachability scoring and VEX proofs. | Prioritize QA tasks 16, 25, 46, 52; enforce deterministic ordering in tests (QA Guild). |
|
||||
| R4 | Edge-bundle Rekor volume or bundle count spikes. | Rekor congestion/cost; slower pipelines; CAS bloat. | Cap Rekor publishes per graph (task 54), default to CAS-only for bulk bundles, monitor Signals ingest size; add CI perf guard after task 55. |
|
||||
| R5 | Bench/dataset tasks start before feed-freeze and schema alignment. | Non-replayable results; wasted bench runs. | Block tasks 57–61 on published feed hashes + `richgraph-v1`/Unknowns schema; add gating checklist in task definitions. |
|
||||
| R6 | Bench/dataset code not materialized (docs only). | Docs drift; no executable evidence for claims. | Tasks 57–60 must produce runnable harnesses/fixtures under `docs/benchmarks/**` or `tests/**`; Execution Log to confirm artifact paths. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-11-23 | Added R6 to enforce runnable bench/dataset artifacts; noted supersedes/extends text in moat/competitive docs. | Planning |
|
||||
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 57–61 links. | Planning |
|
||||
| 2025-11-23 | Added competitive + reachability moat docs (`docs/market/competitive-landscape.md`, `docs/reachability/lead.md`) and linked sprint narrative to them. | Planning |
|
||||
| 2025-11-23 | Added tasks 57–61 (determinism bench, public reachability dataset, native callgraph ingest, corpus merge, docs), logged R5, and noted schema/feed gating. | Planning |
|
||||
| 2025-11-23 | Added hybrid attestation decision and tasks 53–56; aligned docs references. | Planning |
|
||||
| 2025-11-22 | Updated cross-references to new sprint filename in tasks-all and reachability docs; synced naming in bench playbook. | Planning |
|
||||
| 2025-11-22 | Normalized sprint to template, added dependencies/prereqs, Delivery Tracker numbering, interlocks, risks; renamed file for naming compliance. | Planning |
|
||||
| 2025-11-20 | Added tasks for purl-resolved edges, ELF build-id propagation, init-array roots, and patch-oracle QA harness; aligned docs references. | Planning |
|
||||
|
||||
@@ -30,8 +30,9 @@
|
||||
| 3 | BENCH-GRAPH-24-002 | BLOCKED | Waiting for 50k/100k graph fixture (SAMPLES-GRAPH-24-003) | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
|
||||
| 4 | BENCH-IMPACT-16-001 | BLOCKED | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
|
||||
| 5 | BENCH-POLICY-20-002 | BLOCKED | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
|
||||
| 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
|
||||
| 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
|
||||
| 7 | BENCH-SIG-26-002 | BLOCKED | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
|
||||
| 8 | BENCH-DETERMINISM-401-057 | TODO | Feed-freeze hash + SBOM/VEX bundle list from Sprint 0401. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/bench-determinism.md`) | Run cross-scanner determinism bench from 23-Nov advisory; publish determinism% and CVSS delta σ; CI target `bench:determinism`; store hashed inputs/outputs. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave; benches sequenced by dataset availability. No parallel wave gating beyond Delivery Tracker dependencies.
|
||||
|
||||
Reference in New Issue
Block a user