From 76ecea482e83dbe9f51afd75ef96c67154df3a0a Mon Sep 17 00:00:00 2001 
From: StellaOps Bot Date: Tue, 2 Dec 2025 09:28:11 +0200 Subject: [PATCH] archive advisories --- .../31-Nov-2025 FINDINGS.md | 1691 ----------------- ...5 - DSSE-Signed Offline Scanner Updates.md | 0 ...roof-Linked VEX UI Developer Guidelines.md | 0 ...torage Blueprint for PostgreSQL Modules.md | 0 ...ec-2025 - Time-to-Evidence (TTE) Metric.md | 0 ...ble Proof Spine Receipts and Benchmarks.md | 0 ...25 - embedded in-toto provenance events.md | 0 ...025 - function-level vex explainability.md | 0 ...l serdica census excel import blueprint.md | 0 ...roof spine for explainable quiet alerts.md | 0 ...p with deterministic diff-aware rescans.md | 0 ...-Nov-2025 - layer-sbom cache hash reuse.md | 0 ...025 - multi-runtime reachability corpus.md | 0 ...nical persistence cyclonedx interchange.md | 0 ...plan for quiet scans provenance diff-ci.md | 0 .../17-Nov-2025 - SBOM-Provenance-Spine.md | 0 ...17-Nov-2025 - Stripped-ELF-Reachability.md | 0 ...8-Nov-2025 - Binary-Reachability-Engine.md | 0 .../18-Nov-2025 - CSharp-Binary-Analyzer.md | 0 .../18-Nov-2025 - Patch-Oracles.md | 0 .../18-Nov-2025 - SBOM-Provenance-Spine.md | 0 .../18-Nov-2025 - Unknowns-Registry.md | 0 ...ch ELF Build‑IDs for Stable PURL Mapping.md | 0 ...array Constructors as Reachability Roots.md | 0 ...ity & Moat Watch — Verified 2025 Updates.md | 0 ...y Reachability with PURL‑Resolved Edges.md | 0 ...2025 - Where Stella Ops Can Truly Lead.md | 0 ...ng Determinism in Vulnerability Scoring.md | 0 ...ishing a Reachability Benchmark Dataset.md | 0 ...23-Nov-2025 - Stella Ops vs Competitors.md | 0 ... Binary Reachability via DSSE Envelopes.md | 0 ... 
a Deterministic Reachability Benchmark.md | 0 ...SS v4.0 Score Receipts for Transparency.md | 0 ...r‑gap deployment playbook for StellaOps.md | 0 ...e VEX 'Not Affected' Claims with Proofs.md | 0 ...Half-Life Confidence Decay for Unknowns.md | 0 ...ne‑kit attestation essentials checklist.md | 0 ...ndling Rekor v2 and DSSE Air‑Gap Limits.md | 0 ...025 - Opening Up a Reachability Dataset.md | 0 ...ph Revision IDs as Public Trust Anchors.md | 0 ...25 - Blueprint for a 2026‑Ready Scanner.md | 0 ...ure Brief - SBOM‑First, VEX‑Ready Spine.md | 0 ...bility Layer for Vulnerability Verdicts.md | 0 ...5 - Late‑November SBOM & VEX competitor.md | 0 ... Making Graphs Understandable to Humans.md | 0 ... Ambiguity Through an Unknowns Registry.md | 0 ... Binary Reachability via DSSE Envelopes.md | 0 ...tication and Authorization Architecture.md | 0 ...CLI Developer Experience and Command UX.md | 0 ...25 - Concelier Advisory Ingestion Model.md | 0 ... - Evidence Bundle and Replay Contracts.md | 0 ... - Export Center and Reporting Strategy.md | 0 ...ndings Ledger and Immutable Audit Trail.md | 0 ...Graph Analytics and Dependency Insights.md | 0 ...-2025 - Mirror and Offline Kit Strategy.md | 0 ... Notification Rules and Alerting Engine.md | 0 ...hestrator Event Model and Job Lifecycle.md | 0 ...n Architecture & Extensibility Patterns.md | 0 ...25 - Policy Simulation and Shadow Gates.md | 0 ...me Posture and Observation with Zastava.md | 0 ...overeign Crypto for Regional Compliance.md | 0 ... Task Pack Orchestration and Automation.md | 0 ... - Telemetry and Observability Patterns.md | 0 ...ility Triage UX & VEX-First Decisioning.md | 0 ...nce Tests Pack for StellaOps Guardrails.md | 0 ....0 Momentum in Vulnerability Management.md | 0 ... - SBOM to VEX Proof Pipeline Blueprint.md | 0 ...A Failure Catalogue for StellaOps Tests.md | 0 ... 
Mid-Level .NET Onboarding (Quick Start).md | 0 ...rative Evidence Patterns for Stella Ops.md | 0 ...Nov-2025 - Ecosystem Reality Test Cases.md | 0 ...- Implementor Guidelines for Stella Ops.md | 0 ...eachability Benchmark Fixtures Snapshot.md | 0 ... Rekor Receipt Checklist for Stella Ops.md | 0 ...-Nov-2025 - Standup Sprint Kickstarters.md | 0 ...5 - UI Micro-Interactions for StellaOps.md | 0 ...25 - Unknowns Decay & Triage Heuristics.md | 0 77 files changed, 1691 deletions(-) delete mode 100644 docs/product-advisories/31-Nov-2025 FINDINGS.md rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/15-Nov-2025 - embedded in-toto provenance events.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/15-Nov-2025 - function-level vex explainability.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/15-Nov-2025 - ipal serdica census excel import blueprint.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/15-Nov-2025 - proof spine for explainable quiet alerts.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/15-Nov-2025 - scanner roadmap with deterministic diff-aware rescans.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/16-Nov-2025 - layer-sbom cache hash reuse.md 
(100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/16-Nov-2025 - multi-runtime reachability corpus.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/16-Nov-2025 - spdx canonical persistence cyclonedx interchange.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/16-Nov-2025 - validation plan for quiet scans provenance diff-ci.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/17-Nov-2025 - SBOM-Provenance-Spine.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/17-Nov-2025 - Stripped-ELF-Reachability.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/18-Nov-2025 - Binary-Reachability-Engine.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/18-Nov-2025 - CSharp-Binary-Analyzer.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/18-Nov-2025 - Patch-Oracles.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/18-Nov-2025 - SBOM-Provenance-Spine.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/18-Nov-2025 - Unknowns-Registry.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/20-Nov-2025 - Branch · Attach ELF Build‑IDs for Stable PURL Mapping.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/20-Nov-2025 - Branch · Model .init_array Constructors as Reachability Roots.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/20-Nov-2025 - Branch · Reachability & Moat Watch — Verified 2025 Updates.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/20-Nov-2025 - Encoding Binary Reachability with PURL‑Resolved Edges.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/23-Nov-2025 - Where Stella Ops Can Truly Lead.md (100%) rename docs/product-advisories/archived/{ => 
27-Nov-2025-superseded}/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/23-Nov-2025 - Stella Ops vs Competitors.md (100%) rename docs/product-advisories/archived/{ => 27-Nov-2025-superseded}/23-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/25-Nov-2025 - Offline‑kit attestation essentials checklist.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/26-Nov-2025 - Opening Up a Reachability Dataset.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md 
(100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Late‑November SBOM & VEX competitor.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Making Graphs Understandable to Humans.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Authentication and Authorization Architecture.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - CLI Developer Experience and Command UX.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Concelier Advisory Ingestion Model.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Evidence Bundle and Replay Contracts.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Export Center and Reporting Strategy.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Graph Analytics and Dependency Insights.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Mirror and Offline Kit Strategy.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Notification Rules and Alerting Engine.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Orchestrator Event Model and Job 
Lifecycle.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Policy Simulation and Shadow Gates.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Runtime Posture and Observation with Zastava.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Sovereign Crypto for Regional Compliance.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Task Pack Orchestration and Automation.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Telemetry and Observability Patterns.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Ecosystem Reality Test Cases.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - 
Implementor Guidelines for Stella Ops.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Standup Sprint Kickstarters.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - UI Micro-Interactions for StellaOps.md (100%) rename docs/product-advisories/{ => archived/27-Nov-2025-superseded}/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md (100%) diff --git a/docs/product-advisories/31-Nov-2025 FINDINGS.md b/docs/product-advisories/31-Nov-2025 FINDINGS.md deleted file mode 100644 index cb0c44913..000000000 --- a/docs/product-advisories/31-Nov-2025 FINDINGS.md +++ /dev/null 
@@ -1,1691 +0,0 @@ -# Findings – Gaps in “Designing a Deterministic Reachability Benchmark” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` - -**Method:** Read the advisory, cross-checked Sprint `SPRINT_0513_0001_0001_public_reachability_benchmark`, and compared with current bench scaffolding expectations (schemas, build/score flows, baselines). Below are the missing or weakly specified areas that need decisions and follow-on work. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| G1 | Dataset versioning & integrity | No canonical version/hash per case/split; no manifest tying case IDs to hashes or DSSE attestation of the benchmark state. | Repro claims and leaderboard comparability break when cases drift. | Add `benchmark/VERSION` plus a manifest (`manifest.json` + `manifest.dsse`) covering all case directories, splits, and schema versions; require submissions to cite the manifest hash. | -| G2 | Submission provenance / anti-spoof | Submission schema omits attestation of tool binary, flags, and dataset version; no signature to prevent forged results. | Vendors can spoof runs or misreport tool versions; trust in leaderboard is weak. | Extend submission schema with `{attestation, tool_sha256, dataset_manifest}`; accept DSSE/IETF RATS evidence; verify signature before scoring. | -| G3 | Language-specific determinism controls | Advisory says “deterministic builds” but does not mandate env guards (`PYTHONHASHSEED`, `TZ=UTC`, `LC_ALL=C`, Node `--heapsnapshot-never`, Java `-Duser.country=US -Duser.language=en`, C compiler flags). | Re-run variance can exceed 1–5% grade; coverage/traces become non‑reproducible. 
| Document per-language env/flags in build templates; pin seeds; add a determinism lint that fails when entropy sources (time, hostname, randomness, network) are observed. | -| G4 | Dynamic evidence schemas | Coverage/traces are mentioned but lack explicit schemas or validation (format, units, clock source, path encoding). | Tool outputs cannot be compared or replayed; hard to verify explainability levels. | Add `coverage.schema.json` and `trace.schema.json`; normalize timestamps to monotonic nanoseconds; require DSSE-wrapped evidence bundles per case. | -| G5 | Unreachability oracles | Negative cases lack explicit “must-not-reach” tests and guard toggles; no check that sinks stay dark when flags off. | False positives look like successes; labels can silently drift when code changes. | Require an “unreachable” oracle per negative case (test that asserts sink untouched); store guard matrix in `truth.yaml`; add CI step that fails on unexpected sink hits. | -| G6 | Baseline determinism & offline posture | Baseline runners (Semgrep/CodeQL/angr/Snyk) are listed but rulepacks, databases, and CLI images are not frozen or vendored; network dependency not banned. | Results vary by day or fail in air‑gap; comparisons become unfair. | Vendor rule packs and CodeQL DB seeds into `baselines/_frozen/` with hashes; run tools with `--disable-version-check` and offline flags; publish exact image digests. | -| G7 | Resource normalization & timeouts | Scoring captures runtime/peak RAM but does not fix CPU/arch, thread limits, or timeout/ retry policy; large-language cases could dominate. | Leaderboard not comparable; vendors can over-provision hardware to win. 
| Define reference runner profile (e.g., x86_64, 4 vCPU, 16 GB RAM, cgroups limits); set per-case wall/time budgets and classify “timeout” separately from “unreachable.” | -| G8 | Case evolution governance | TAC exists but no intake checklist (license, safety, reproducibility), dual-review rule, or version bump rules for cases/schemas. | Inconsistent case quality; legal risk from third-party code; breaking changes slip in unnoticed. | Add contributor checklist; require two maintainers + TAC sign-off; semantic versioning for schemas and cases; changelog per case with DSSE approval. | -| G9 | Sensitive-data handling | Execution traces and logs may leak secrets/PII; no redaction or allowlist guidance. | Publishing traces could expose secrets or customer data in public benchmark. | Enforce redaction filters in harnesses; add “PII/secret scan” check in build pipeline; document allowed fields and require synthetic data only. | -| G10 | Submission safety & malware controls | No sandboxing guidance for submitted binaries/artifacts; no AV/behavior scan before scoring. | Malicious submissions could target CI/score hosts. | Score in disposable sandbox; run AV/yara; restrict submission size/types; discard binaries after scoring; document this in submission guide. | -| G11 | Distribution / kit integrity | “Repro packs” mentioned but no concrete packaging (manifest, checksums, signature) or offline mirror flow. | Consumers cannot verify downloads; offline users blocked. | Publish `benchmark-kit.tgz` with SHA256 + Sigstore signing; include CAS layout for cases/artifacts; provide mirror instructions and sample `airgap-load.sh`. | -| G12 | StellaOps product linkage | Advisory doesn’t map benchmark artifacts to internal reachability evidence chain (Sprint 0401) or VEX/Verdict lattice inputs. | Benchmark effort risks diverging from product semantics and evidence format. 
| Add integration note: export truth/evidence in the same DSSE/graph format the Scanner expects; add a “stella-baseline” profile and conversion scripts. | - -## Immediate follow-ups -- Add these gaps as tasks in the reachability benchmark sprint (0513) with owners and dates. -- Decide where schemas for coverage/traces live (`benchmark/schemas/`) and draft them alongside manifest/attestation changes. -- Update build templates per language with determinism env vars and redaction checks. -- Freeze baseline rulepacks/DBs and publish digests. -- Document sandbox and submission attestation requirements in the submission guide and CI policy. - -# Findings – Gaps in “Add CVSS v4.0 Score Receipts for Transparency” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` - -**Method:** Read the advisory, cross-checked Sprint `SPRINT_0190_0001_0001_cvss_v4_receipts`, and compared with Policy/Signals architecture expectations (deterministic scoring, DSSE attestations, multi-tenant receipts). Below are the missing or weakly specified areas that need decisions and follow-on work. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CV1 | Policy lifecycle & replay | Advisory calls for policy IDs/hashes but omits rules for **policy rotation** and backfill: when policies change, how to re-score existing receipts, preserve prior policy hash, and mark receipts as “computed under policy X”. | Receipts can become incomparable; auditors can’t tell which policy produced a score. | Define policy versioning and replay rules: immutable policies; when policy changes, emit new receipts with old ones retained; add `computedWithPolicyId/hash` and `supersedesReceiptId`; optional bulk backfill job with DSSE re-sign. 
| -| CV2 | Canonical input hashing | Inputs hash is referenced but no canonicalization rules (ordering, whitespace, locale, numeric precision, timezone, null handling). | Different services may compute different hashes → false “different receipt” or DSSE signature failures. | Specify canonical serialization (e.g., JSON Canonicalization Scheme, UTC, sorted keys, fixed decimal precision, trimmed whitespace) and test vectors; enforce in ReceiptBuilder and clients. | -| CV3 | Threat/Env freshness & decay | Threat metrics can become stale; advisory doesn’t define TTLs, “last observed” timestamps, or auto-expiry of exploitation intel. | Scores may overstate risk long after exploitation stops; history lacks time-bounded evidence. | Add `observedAt`, `expiresAt`, and decay policy (e.g., downgrade E after N days without sightings); include in policy config and receipt history. | -| CV4 | Multi-tenant segregation | Same vulnerability may have different Environmental metrics per tenant; advisory doesn’t state whether to store per-tenant receipts or a shared base+overrides model. | Tenants could see each other’s context or overwrite Env scores; caching may leak data. | Model receipts as tenant-scoped; store Base once but derive tenant-specific Threat/Env receipts with isolation; enforce tenant IDs in keys and hashes. | -| CV5 | v3.1→v4.0 interoperability | No guidance for ingesting vendor CVSS v3.1 vectors or mixed inputs; no mapping strategy or “converted” marker. | Pipelines may drop scores or mislabel vectors; UI confusion when vendors lag on v4.0. | Provide deterministic v3.1→v4.0 mapping with `conversionMethod` + `confidence`; tag receipts as `source:converted-v3.1`; allow dual display until vendor provides native v4.0. | -| CV6 | Evidence provenance & storage | Evidence list exists but not tied to Evidence Locker/DSSE chain; no guidance on redaction, retention, or CAS location. | Receipts can point to mutable or PII-laden artifacts; replay may break if evidence moves. 
| Require CAS URIs, retention class, redaction status; store evidence DSSE references; integrate with Evidence Locker for storage/verification; add `verifiedAt`/`hashMismatch` flags. | -| CV7 | Immutability vs amendment | History table exists, but advisory doesn’t mandate append-only receipts or forbid in-place edits; DSSE re-sign rules when amending are unspecified. | Receipts could be altered silently, breaking auditability and DSSE trust. | Enforce append-only: amendments create new receipt IDs; old receipts immutable; history references previous receipt; re-sign DSSE on each new receipt; add `immutable=true` guard in persistence layer. | -| CV8 | Export determinism (PDF/JSON) | UI/CLI exports mentioned but not constrained: fonts, locale, timezone, rounding, and ordering are unspecified; PDF generation not deterministic. | Exports vary across runs/environments; cannot serve as audit evidence. | Define export profile: UTC timestamps, fixed font set, embedded fonts, stable ordering, standardized severity palette, normalized vector formatting; hash exports and store in Evidence Locker. | -| CV9 | RBAC & change authority | Advisory hints at roles but doesn’t set RBAC boundaries for Base vs Threat/Env edits or evidence attachment, nor how to log delegation. | Unauthorized changes could alter scores; audit trails incomplete. | Define role matrix (e.g., Security Engineer: Base; SOC Analyst: Threat; Customer Admin: Env; Viewer: read-only); enforce in APIs; log actor IDs and auth method in history entries. | -| CV10 | Monitoring & guardrails | No operational controls for failed DSSE verification, hash mismatches, policy/schema drift, or scoring engine version skew. | Silent corruption or version drift could invalidate receipts without alerting. | Add health checks/alerts: DSSE verify failures, hash mismatches, policy hash change, engine version mismatch; expose Prometheus counters and fail-fast toggles in ingestion/recalc pipelines. 
| - -## Immediate follow-ups -- Add a CVSS gap-remediation task to Sprint `SPRINT_0190_0001_0001_cvss_v4_receipts` and split into sub-tasks if needed (policy lifecycle, hashing canonicalization, multi-tenant receipts, v3.1 conversion, evidence/DSSE linkage, RBAC/monitoring, deterministic exports). -- Publish canonical hashing spec and sample vectors in `docs/modules/policy/cvss-v4.md` (or schema folder) and add tests in `StellaOps.Policy.Scoring.Tests`. -- Define tenant-scoped receipt storage and RBAC in Policy WebService contract; ensure DSSE/signature rules cover amendments. - -# Findings – Gaps in “Air‑gap deployment playbook for StellaOps” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md` - -**Method:** Read the advisory and cross-checked with air‑gap/offline posture expectations (offline kits, Rekor mirrors, deterministic replay, crypto profiles) and with existing sprints for offline (e.g., SPRINT_0510_0001_0001_airgap, SPRINT_500_ops_offline). Identified missing controls and decisions needed to operationalize the playbook safely. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| AG1 | Trust roots & key custody | Playbook references `trust-root.pem` and `offline-signer.key` but lacks guidance on root rotation, split-key custody, HSM/offline signing flows, and how PQ dual-signing coexists with FIPS/EIDAS/GOST profiles. | Risk of single-operator key compromise; unclear compliance stance per region; PQ readiness ambiguous. | Define per-profile root hierarchy, rotation cadence, and key custody (M of N). Provide HSM/offline signer option; document dual-sign (ECDSA+PQ) handling and verification precedence. 
| -| AG2 | Rekor mirror integrity | Mentions `rekor-mirror/` but not the mirror format (CAR/SQLite), signing of the mirror, freshness markers, or how to reconcile partial mirrors with online logs. | Air-gapped sites may ingest stale or tampered logs; replay might diverge from upstream. | Standardize mirror format and signature (Sigstore bundle/DSSE); include `mirror.manifest` with root hash, range, and signature; add “staleness allowed” window and reconciliation procedure. | -| AG3 | Feed freezing & provenance | No explicit freeze points for vulnerability/OVAL/OSV feeds or Concelier snapshots in the offline kit manifest. | Replay may pull newer data, breaking determinism and auditability. | Add `feeds` section to manifest with snapshot IDs/hashes and validity window; require DSSE for feed snapshots; block replay if feeds are newer/older than declared window unless override is signed. | -| AG4 | Deterministic tooling versions | Toolkit versions are implied but not pinned in manifest; no hash of CLI/container images. | Rebuilds in air-gap could drift, leading to non-reproducible proofs. | Add `tools` list (name, version, image digest, sha256 of binaries) to manifest; enforce verification before replay. | -| AG5 | Size and resource limits | No guidance on kit size limits, compression, or streaming validation for large OCI exports; no plan for chunking. | Large artifacts may be truncated or fail transfer; verification expensive in constrained sites. | Define max kit size, recommend zstd with checksummed chunks, and provide streaming verification script; add chunk manifest with per-chunk hashes. | -| AG6 | Malware/content scanning | Kits can include binaries; there is no requirement for AV/YARA scanning before distribution or post-ingest. | Air-gapped sites could import malicious content. | Add pre-publish AV/YARA step with signed report hash; require on-ingest scan in air-gap before registry load; record scan result in manifest. 
| -| AG7 | Policy/graph alignment | Manifest carries `policy_id`/`graph_rev` but not their hashes or DSSE attestations; no rule for mismatches during replay. | Gate decisions may be computed with different policies/graphs than intended. | Include hashes/DSSE refs for policy bundle and graph revision; replay must verify and fail closed on mismatch. | -| AG8 | Tenant/env scoping | Manifest has tenant/env strings but no enforcement or isolation guidance when multiple tenants share an air-gapped site. | Cross-tenant leakage or misapplied proofs. | Require tenant-scoped storage paths and verification of tenant in DSSE annotations; block import if tenant/env mismatch. | -| AG9 | Ingress/egress audit trail | Gateway headers are defined, but there’s no requirement to log and sign ingress/egress events for kits or attestation uploads. | Missing chain-of-custody; disputes hard to resolve. | Add signed ingress/egress receipts (DSSE) with hash of kit, operator ID, time, and gateway decision; store in Proof Graph. | -| AG10 | Replay validation depth | Replay command is described but not bounded: which steps are re-run, how to handle partial success, and what constitutes a verified replay are unspecified. | Replay may be superficial, giving false confidence. | Define replay levels (hash-only, full recompute, recompute with policy freeze); require success criteria and evidence bundle; fail if any hash drift. | -| AG11 | Observability in air-gap | Tracing guidance assumes OTLP export; no offline-friendly sink/retention plan. | Traces/logs may be lost or leak externally. | Provide OTLP file/SQLite exporter and retention limits; add redaction rules; include in kit or bootstrap scripts. | -| AG12 | Operational runbooks | Playbook lacks explicit runbooks for failure cases: signature verification failure, missing header at gateway, mirror staleness, or policy mismatch. | Operators may improvise and bypass controls. 
| Add runbook matrix with decision trees and required approvals; include in `offline-kit/README` and ops docs. | - -## Immediate follow-ups -- Create a remediation task in the relevant air-gap sprint (e.g., `SPRINT_0510_0001_0001_airgap` or ops/offline sprint) to close AG1–AG12, with owners/dates. -- Extend offline-kit manifest schema to include keys/tools/feeds/policy hashes, tenant scoping, AV scan results, and chunk metadata; add DSSE signatures for manifest and mirror. -- Document key management profiles (FIPS/eIDAS/GOST/SM + optional PQ), rotation, and custody; update Authority/Verifier guides accordingly. -- Add pre-publish and post-ingest AV/YARA checks and signed reports; wire gateway/ingress receipts into Proof Graph. - -# Findings – Gaps in “Define Safe VEX 'Not Affected' Claims with Proofs” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` - -**Method:** Read the advisory and compared it with reachability/VEX pipelines (Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`) and policy/attestation expectations. Identified missing guardrails needed to make `not_affected` defensible and deterministic. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| VEX1 | Allowed justifications governance | Advisory lists example justifications but no canonical allowlist, schema versioning, or approval path for new values. | Teams may invent ad-hoc reasons, weakening comparability and audits. | Publish a signed justification catalog (OpenVEX extension) with version/hash; enforce allowlist in Policy/Excititor; require RFC for additions. | -| VEX2 | Proof bundle schema | “Proof bundle” is referenced but not structured (no required evidence types, hashes, or DSSE refs). | Receipts can claim proof without verifiable contents; auditors can’t replay. 
| Define `proofBundle.schema.json`: required sections (entrypoint coverage, config/flags, reachability graph hash, tests/traces, mitigation evidence), DSSE refs, and SHA256s; validate on VEX emission. | -| VEX3 | Entry-point coverage completeness | Advisory says “enumerate entry points” but no coverage metric or negative-test requirement. | Partial audits may still certify `not_affected`, leading to false negatives. | Require coverage % (audited/known) and a mandatory “must-not-reach” test per justification; fail VEX if coverage < threshold or negative test missing. | -| VEX4 | Config/flag drift control | Limits (flags/config) are listed but not tied to hashes or runtime enforcement. | Deployments can drift (flags flipped) while VEX stays `not_affected`. | Include config/flag hashes in VEX analysis; emit runtime guardrails (policy gate) that deny if hash/flag mismatch; add expiry when constraints are temporary. | -| VEX5 | Time-bounded validity | Exceptions are mentioned informally; no required `expiresAt`/`recheckBy`. | Stale `not_affected` persists after conditions change. | Make `expiresAt` + `recheckBy` mandatory for constrained justifications; auto-revert to `under_review` on expiry and alert owners. | -| VEX6 | DSSE/Rekor enforcement | Advisory says “Sign the VEX” but doesn’t require DSSE predicate type, Rekor entry, or offline mirror rules. | Unsigned or unlogged VEX can be tampered; offline parity unclear. | Mandate `stella.ops/vexDecision@v1` DSSE, Rekor (or mirror) inclusion, and manifest hash; reject unsigned VEX in pipelines. | -| VEX7 | Tenant/role segregation | No RBAC rules for who may assert `not_affected` or approve proofs. | Unauthorized downgrades could hide risk. | Define role matrix (security approver + service owner required); enforce dual sign-off and DSSE annotation with actor IDs. | -| VEX8 | Re-evaluation triggers | No automation to re-evaluate when SBOM/graph/runtime hits change. 
| VEX can become invalid after new evidence but stays `not_affected`. | Add triggers: new SBOM version, new reachability graph hash, runtime hit, or policy change → set status to `under_review` and require re-sign. | -| VEX9 | Integration with uncertainty/unknowns | Advisory doesn’t address how to handle low-confidence or missing data states. | `not_affected` could be issued while evidence is incomplete. | Require uncertainty score (from Signals) and forbid `not_affected` if uncertainty > threshold; otherwise emit `under_review`. | -| VEX10 | Export determinism | No rules for canonical ordering/formatting of OpenVEX with analysis block. | Different serializers may yield hash drift; DSSE signatures may not verify across tools. | Define canonical serialization (sorted keys, UTF-8, normalized timestamps) and test vectors; enforce in emitter/validator. | - -## Immediate follow-ups -- Add a VEX gap-remediation task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` (policy/DSSE track) to close VEX1–VEX10. -- Draft `proofBundle.schema.json` and justification catalog; wire validation into Policy VEX emitter and Excititor gates. -- Add runtime/config hash checks and expiry handling to VEX emission and gate policy; ensure re-evaluation triggers on SBOM/graph/runtime changes. - -# Findings – Gaps in “Half-Life Confidence Decay for Unknowns” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` - -**Method:** Read the advisory and compared it with Signals/Unknowns handling (Sprint `SPRINT_0140_0001_0001_runtime_signals`) and policy/triage pipelines. Identified control gaps needed to make decay auditable, deterministic, and safe for risk scoring. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| U1 | Governance of τ (tau) | Advisory suggests presets but no governance (who sets per-entity τ, allowable ranges, change log). | Inconsistent decay across teams; hidden priority swings. | Create a `confidence_decay_config` with signed defaults per entity (incident/vuln/issue/doc) and change-control; surface τ in API responses. | -| U2 | Floor / freeze rules | No lower bound or freeze semantics; pinned/SLA items may decay to near-zero. | Critical items can fall out of view; audits can’t explain priority drops. | Add `confidence_floor` and `is_confidence_frozen`; require floor for SLA-bound vulns; expose in scoring. | -| U3 | Multi-signal weighting | All signals reset equally; high-value signals (new exploit, customer incident) should outweigh trivial edits. | Trivial activity can mask staleness; risk is mis-ranked. | Introduce weighted signals with severity classes; compute `last_signal_weighted_at` using max(weighted freshness); document signal taxonomy. | -| U4 | Time basis / clock drift | Advisory omits time source; no guidance on UTC vs local or monotonic clock, nor handling of backdated events. | Drifted clocks or reordered events can inflate confidence. | Use monotonic+UTC timestamps; reject future/backdated signals beyond threshold; log corrections. | -| U5 | Deterministic recalculation | No schedule/trigger for recomputing confidence; materialization vs on-read undefined. | Different services may show divergent scores; caching bugs remain hidden. | Define recalculation cadence (nightly job) plus on-read fallback; publish checksum of decay snapshot per day; add regression test vectors. | -| U6 | SLA/priority coupling | Interaction with vuln SLAs and severity not specified (e.g., Critical vulns decaying). | SLA breaches hidden by decay; compliance risk. 
| Clamp decay for SLA-scoped items (e.g., do not decay below 0.6 until SLA satisfied); include SLA override flag in score. | -| U7 | Unknowns/uncertainty linkage | Advisory doesn’t align decay with uncertainty states from Signals/Unknowns Registry. | Items with high uncertainty may retain high priority incorrectly. | Tie decay to uncertainty: if uncertainty high, cap confidence or force review; store `uncertainty_score` alongside confidence. | -| U8 | Backfill & migrations | No plan to backfill `last_signal_at` or τ when enabling feature; historic items may get mis-scored. | Sudden reordering of queues; audit gaps. | Define migration script: seed `last_signal_at` from latest activity; default τ from config; dry-run impact report. | -| U9 | API/UX surfacing | UI badges suggested but no API fields or sort semantics defined; missing red/amber thresholds in contracts. | Implementations diverge; front-ends guess thresholds. | Add API fields (`confidence`, `confidence_band`, `tau_days`) and standard bands; document sorting (`priority * confidence`). | -| U10 | Observability & alerts | No monitoring for missing signals, runaway decay, or stalled recompute jobs. | Silent failures lead to incorrect queues. | Add metrics (confidence_recalc_latency, items_below_floor, signals_per_type); alerts when recompute job skips or when high-severity items decay below band. | - -## Immediate follow-ups -- Add a decay-gap task to the relevant sprint (e.g., `SPRINT_0140_0001_0001_runtime_signals`) to close U1–U10 with owners/dates. -- Define and publish `confidence_decay_config` and signal taxonomy; add API fields/bands and regression test vectors for decay math. -- Implement floor/freeze/SLA clamping and weighted signals; add monitoring/alerts for recompute health. 
- -# Findings – Gaps in “Offline‑kit attestation essentials checklist” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `25-Nov-2025 - Offline‑kit attestation essentials checklist.md` - -**Method:** Reviewed the checklist against mirror/air-gap kit expectations (Sprint `SPRINT_0125_0001_0001_mirror`, air-gap sprints) and DSSE/Rekor/attestation practices. Identified missing controls to make offline kits verifiable, deterministic, and safe to ship. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| OK1 | Trust roots & key manifest | Checklist mentions `vendor-pubkeys.pem`/manifest but lacks rotation rules, revocation flow, and PQ dual-sign guidance. | Stale/compromised keys may remain trusted; PQ-readiness unclear. | Define key manifest schema with validity windows, revocation list, PQ co-sign option; require DSSE-signed manifest and rotation playbook bundled. | -| OK2 | Tooling provenance | Bundled tools (`cosign`, `tlog-verify`) are not hashed/signed; no verification steps for the verifiers themselves. | Offline verification can be subverted by tampered tools. | Include tool hashes + signatures (or supply verifiers as DSSE-signed blobs); add VERIFY step to check tool integrity before use. | -| OK3 | Cross-linking artifacts | Installer, SBOM, receipts, and DSSE envelopes aren’t cross-referenced by a single manifest hash. | Customers can mix components from different releases; audit trail weak. | Add top-level manifest (DSSE-signed) linking all file digests (installer, SBOM, DSSE, receipt, configs, tools) and the key manifest hash. | -| OK4 | Rekor/receipt freshness & checkpoints | Checklist includes a receipt and checkpoint but no staleness window or multi-log/mirror guidance. | Stale or mismatched receipts may pass; offline parity with mirrors unclear. 
| Add `checkpoint.meta` with log origin, tree size, timestamp, max drift; include mirror hash; fail VERIFY if beyond window. | -| OK5 | Compression/determinism parameters | Installer/archive determinism is “tip-only”; no required flags (mtime, owner, compression level) or verification of reproducibility. | Rebuilds may drift; hashes differ across builders. | Standardize archiving flags (e.g., `tar --mtime @0 --owner 0 --group 0 --numeric-owner | zstd -19 --long=27 --no-progress`) and add reproducibility self-check step to VERIFY. | -| OK6 | Evidence coverage | Only SBOM + installer covered; scan/VEX attestations and policy/graph hashes absent. | Offline users lack vulnerability context; cannot replay decisions. | Bundle scan + VEX DSSE predicates and policy/graph hashes; include reachability status and mitigation notes. | -| OK7 | Time anchoring | No trusted time source or Roughtime/RFC3161 token included. | Cannot prove freshness of kit or receipts in offline court/audit. | Include signed time anchor (Roughtime/RFC3161) and verify it against trust roots; record in manifest. | -| OK8 | Transport integrity | No guidance on packaging for physical transport (tamper-evident, chunking, checksum lists). | Media swap/tamper risk during handoff; large kits may corrupt. | Provide `SHA256SUMS` + chunk manifest, recommend tamper-evident packaging, and include chain-of-custody receipt template. | -| OK9 | Tenant/env scoping | Kits are not scoped to tenant/env or product variant. | Cross-tenant kit reuse could bypass controls. | Add tenant/env/product identifiers to manifest and VERIFY guard; block import if mismatch. | -| OK10 | VERIFY completeness & failure modes | VERIFY.md lacks negative tests, failure guidance, or automation hooks (exit codes/log capture). | Operators may skip steps or accept partial verification. | Provide scripted `verify.sh` with strict exit codes, logging, and remediation guidance; include failure decision tree in README. 
| - -## Immediate follow-ups -- Add an offline-kit gaps task to the mirror/offline sprint (e.g., `SPRINT_0125_0001_0001_mirror`) to close OK1–OK10. -- Extend kit manifest schema to cover tool hashes, cross-links, checkpoints with freshness, tenant/env scoping, time anchors, and chain-of-custody receipt; sign the manifest with DSSE. -- Add deterministic packaging flags, tool integrity checks, scan/VEX artifacts, and a scripted `verify.sh` with negative-path guidance. - -# Findings – Gaps in “Handling Rekor v2 and DSSE Air‑Gap Limits” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` - -**Method:** Read the advisory and compared it with current transparency/attestation posture (mirror/offline kits, reachability DSSE, Rekor usage). Focused on log size/type changes, sharding, offline parity, and retry/idempotency requirements. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| RK1 | Entry type & schema governance | Advisory notes v2 keeps only `dsse` and `hashedrekord`, but no internal policy/schemas were updated to forbid deprecated types. | Pipelines may still emit `intoto`/`rekord` entries; submissions will fail or be non-compliant. | Update attestation schemas and signing code to allow only `dsse`/`hashedrekord`; add CI lint to fail deprecated types. | -| RK2 | Payload size limits | No hard limits or preflight checks for DSSE payload size; no chunking/manifest pattern defined. | Large SBOM/scan/VEX payloads will be rejected by public Rekor; retries waste time. | Enforce max payload (e.g., 80KB for public Rekor) with preflight; move large data to CAS/blob, sign manifest-only DSSE; provide chunking manifest + reassembly rules. | -| RK3 | Private vs public routing | Advisory suggests private logs but no routing matrix or policy (when to use public, private, or none). 
| Inconsistent submissions; sensitive data could hit public log; or nothing logged. | Define routing policy (public for small public artifacts; private for internal/large; none for restricted); encode in config and DSSE metadata; audit route decisions. | -| RK4 | Shard awareness & verification | Rekor v2 shards logs, but verification/checkpoint logic in kits/pipelines isn’t shard-aware. | Inclusion proofs may fail or be unverifiable offline; replay to wrong shard. | Extend verification to record shard ID/tree ID; bundle shard checkpoint metadata; update verify tools to validate shard-specific proofs. | -| RK5 | Idempotent submission keys | Advisory calls for idempotent re-submit but no idempotency keys or dedupe store specified. | Duplicate or conflicting log entries; pipeline flakiness. | Use deterministic submission key (hash of envelope + log target + subject digest); store in DB; skip if already succeeded. | -| RK6 | Offline parity / bundle completeness | No requirement to ship Sigstore bundle or offline mirror of log entries alongside attestations. | Air-gap replay lacks log proofs; parity with online Rekor breaks. | Always emit Sigstore bundles (DSSE + tlog data) and include in offline kits; add bundle hash to manifest. | -| RK7 | Transparency checkpoint freshness | Checkpoints are not versioned or freshness-bounded; no staleness alarm. | Stale checkpoints may pass verification; audit trail weak. | Add checkpoint metadata (tree size, timestamp, log ID, shard ID, max allowed staleness); fail verify if outside window. | -| RK8 | PQ and multi-alg support | Advisory doesn’t address dual-sign (ECDSA+PQ) for long-lived proofs. | Future-proofing and some compliance profiles unmet. | Support dual-sign predicates and Rekor submissions where allowed; record algorithms in metadata and bundle. | -| RK9 | Error taxonomy & backoff | No standardized error classification for Rekor rejections (size, type, HTTP codes) or retry/backoff policy. 
| Pipelines may spin or silently drop entries. | Add error taxonomy + retry policy: size→fail fast; 5xx→exponential backoff; 4xx type→lint failure; log structured metrics. | -| RK10 | Policy linkage | Rekor entries not cross-linked to policy/graph hashes or reachability evidence; advisory hints but not mandated. | Proves signature but not decision context; weak audit. | Include policy_id, graph_hash in DSSE annotations; store in bundle/manifests; verify presence before submit. | - -## Immediate follow-ups -- Add a Rekor/DSSE gap task to the relevant sprint (e.g., mirror/offline or reachability evidence) to close RK1–RK10 with owners/dates. -- Enforce payload preflight + chunked-manifest pattern; route public/private per policy; bundle Sigstore artifacts with shard-aware checkpoints and idempotency keys. -- Update verify tooling and kits to validate shard, checkpoint freshness, and policy/graph annotations; add retry/error taxonomy in submission workers. - -# Findings – Gaps in “Opening Up a Reachability Dataset” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `26-Nov-2025 - Opening Up a Reachability Dataset.md` - -**Method:** Read the advisory and cross-checked with benchmark efforts (Sprint `SPRINT_0513_0001_0001_public_reachability_benchmark`) and reachability evidence chain requirements. Focused on dataset governance, determinism, legal/sanitization, and scoring reproducibility. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| RD1 | Dataset legal/sanitization | Advisory calls for “sanitized subset” but lacks a documented sanitization checklist (license vetting, PII/secrets scan, binary redistributability). | Legal/redistribution risk; dataset could ship non-redistributable code. | Create SANITIZATION checklist + automated scans (license, PII/secret, binary redistribution) and require DSSE-signed approval per case. 
| -| RD2 | Feed freeze & provenance | No requirement to lock feed snapshots (package indexes, OSV/OVAL) or record tool hashes for dataset generation. | Re-runs may differ; external feeds could change labels. | Require `manifest.lock.json` with feed snapshot IDs/hashes, tool image digests, rule hashes; sign with DSSE. | -| RD3 | Schema + validator maturity | Graph/truth schemas mentioned but no published JSON Schemas, examples, or validator in CI. | Contributions may drift, breaking harness compatibility. | Publish JSON Schemas (graph, truth, dataset, scores), example fixtures, and a CI validator; fail PRs on schema violations. | -| RD4 | Ground-truth evidence depth | “Ground truth” is listed but not tied to evidence (oracles, traces, proof of reachability/unreachability). | Labels may be disputed; reproducibility weak. | Require per-case evidence bundle refs (tests/traces/patch-oracle) with hashes; include explainability path or sink evidence. | -| RD5 | Binary cases scope | Binary mini-cases are proposed but no guidance on stripped vs unstripped, symbol source, or patch-oracle expectations. | Binary ground truth may be unverifiable or unrepeatable. | Define binary case recipe: stripped/unstripped pairs, symbol source, build-id capture, patch-oracle outputs, required callgraph format. | -| RD6 | Determinism enforcement | Determinism is asserted but no CI check to rerun harness N times and compare hashes; no reproducibility budget. | Dataset could regress into non-determinism unnoticed. | Add determinism CI: rerun harness 3x, compare hashes of scores/outputs; fail on drift >0; publish hash manifest. | -| RD7 | Benchmark scoring transparency | Metrics listed but no frozen baselines, sample outputs, or severity of failure handling. | Hard to compare tools; contributors can’t validate locally. | Provide baseline runs (naïve/imports-only/call-depth-2/Stella reference) with signed result JSON; document expected scores and tolerance (zero drift). 
| -| RD8 | Submission & contribution policy | No CLA/contribution policy, review gate, or DSSE requirement for contributed cases. | Low-quality or malicious contributions; legal exposure. | Add CONTRIBUTING + CLA notice; require DSSE-signed case submissions with validator run; mandate maintainer review + two sign-offs. | -| RD9 | Versioning & change log | Releases (v0.1/v0.2) suggested but no change-log format or deprecation rules for cases. | Consumers can’t track breaking changes; reproducibility breaks silently. | Adopt semantic dataset versions; keep CHANGELOG with per-case changes; do not delete cases—deprecate via metadata and keep old versions. | -| RD10 | Offline/air-gap parity | Advisory says offline-friendly but does not require bundling dataset + harness with hashes for air-gap users. | Air-gapped users may get incomplete data or mismatched hashes. | Ship `benchmark-kit.tgz` with dataset, schemas, harness image digest, hash manifest, and DSSE signature; include offline VERIFY instructions. | - -## Immediate follow-ups -- Add a reachability-dataset gaps task to Sprint `SPRINT_0513_0001_0001_public_reachability_benchmark` to close RD1–RD10. -- Publish JSON Schemas and validators; add determinism CI (multi-run hash compare) and baseline result artifacts; extend manifest.lock with feed/tool hashes and DSSE signing. -- Define sanitization checklist, binary case recipe, contribution/CLA/DSSE requirements, and offline kit packaging for dataset+harness. - -# Findings – Gaps in “Use Graph Revision IDs as Public Trust Anchors” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md` - -**Method:** Read the advisory and compared with reachability evidence chain plans (Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`), graph storage, and UI/CLI needs. 
Identified missing contracts to make revision IDs enforceable, verifiable, and cross-service consistent. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| GR1 | Manifest definition | Advisory references manifest inputs but provides no formal schema or canonical serialization rules. | Different generators may compute different hashes for the same graph; revision IDs become inconsistent. | Publish `graph-revision-manifest.schema.json`, define canonical JSON (sorted keys, UTF-8), and add test vectors. | -| GR2 | Hash algorithm / encoding | BLAKE3 suggested, but not mandated; no encoding (hex/base58) or truncation rules; no multi-alg support. | Consumers may hash with different algos/encodings, breaking rev IDs and auditability. | Mandate algo (e.g., BLAKE3-256 hex), length, and encoding; allow optional multi-alg field for PQ/interop; include in manifest. | -| GR3 | Immutability enforcement | Advisory says “never reuse” but doesn’t specify storage or API constraints preventing mutation/overwrite of a revision. | Revisions could be overwritten or garbage-collected, breaking evidence chains. | Enforce append-only storage with FK from nodes/edges to `graph_revision_id`; forbid UPDATE/DELETE; tombstone with 410 on purge with audit log. | -| GR4 | Lineage and diff metadata | Parent linkage is suggested but not required; no guidance on diff computation/storage. | Hard to compare revisions or trace lineage; UI “compare” may be inconsistent. | Require `parent_revision_id` and optional diff summary/hash; expose `GET /graphs/{id}/revisions/{rev}/diff/{rev2}` API; store edge delta counts. | -| GR5 | Cross-artifact linkage | Advisory doesn’t mandate recording feed/policy/graph evidence hashes in the manifest or DSSE. | Revision IDs may not tie back to SBOM/VEX/policy, weakening trust anchor use. 
| Include SBOM, VEX, policy/lattice, tool image digests, and config flags in manifest; sign manifest with DSSE and reference in ledger. | -| GR6 | UI/CLI surfacing & copy accuracy | UI copy button suggested but no requirement for truncation rules or full-id availability; no CLI flags. | Users may copy truncated IDs, causing ambiguity; CLI/URL parity may diverge. | Define display rules (short form = first 12 chars, full available via tooltip/CLI); add CLI `--rev` everywhere graph data is fetched. | -| GR7 | Sharding/tenant scope | No guidance on tenant scoping or shard IDs when revisions live in multi-tenant stores. | Cross-tenant leakage or wrong-shard lookups. | Include `tenant_id` and optional `shard_id` in manifest and storage keys; enforce isolation in queries/APIs. | -| GR8 | Pinning/governance | Pinning is suggested but not tied to roles, approvals, or audit trails. | Unauthorized pins could bless bad graphs; lack of traceability. | Require dual approval for pin, store pin metadata (who/when/why), expose audit log, and DSSE-sign pinned manifest. | -| GR9 | Retention & GC | No retention rules for old revisions; risk of GC breaking cited URLs. | Audits break if revisions are garbage-collected. | Define retention policy (e.g., never GC pinned/cited revisions; age-based GC only with archive snapshot), with tombstone records. | -| GR10 | Offline/air-gap verification | No instruction to bundle manifests/revisions in offline kits. | Air-gapped users can’t verify revisions or evidence. | Include revision manifests + DSSE in offline/mirror bundles; add VERIFY steps for graph revisions. | - -## Immediate follow-ups -- Add a graph-revision gap task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` to close GR1–GR10. -- Publish manifest schema and canonical hashing rules; enforce append-only storage, lineage metadata, and DSSE-signed manifests with cross-artifact digests. 
-- Update UI/CLI contracts to surface full/short revision IDs, add shard/tenant context, and pin/audit workflows; include revision manifests in offline kits. - -# Findings – Gaps in “Blueprint for a 2026‑Ready Scanner” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` - -**Method:** Read the roadmap advisory and compared it to ongoing scanner/SPDX/VEX/SLSA work (sprints 0186, 0401, 0513). Identified gaps to make the blueprint actionable, deterministic, and standard-aligned. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| SC1 | Standards convergence plan | Advisory lists CVSS v4.0, CycloneDX 1.7, SLSA 1.2 RC2 but no migration/compatibility plan across pipeline stages. | Fragmented adoption; mixed outputs; audit pain. | Publish a standards convergence roadmap with cutover dates, dual-write periods, and fallback rules; map each stage (SBOM, VEX, provenance, scoring) to target versions. | -| SC2 | CycloneDX 1.7 / CBOM support | No requirement to emit CBOM or structured citations from scanner/SBOMer. | Crypto/algorithm visibility and provenance claims missing; compliance gaps. | Extend SBOM outputs to CycloneDX 1.7 with CBOM + citations; hash-lock; add tests/fixtures. | -| SC3 | SLSA 1.2 Source Track | Blueprint notes SLSA 1.2 but no plan to capture Source Track provenance (repo tree hash, reviewer attestations). | Provenance chain incomplete; cannot meet SLSA 1.2 expectations. | Add Source Track capture to build/scan manifests (source digest, branch, PR/reviewer attestations), and emit DSSE predicates. | -| SC4 | Multi-version compatibility | No downgrade/compatibility handling for consumers that only speak v3.1 (CVSS), CDX 1.6, or SLSA 1.0. | Downstream tools may break or silently ignore fields. 
| Define compatibility matrix and adapters: v4→v3.1 CVSS mapping, CDX1.7→1.6 reducer, SLSA1.2→1.0 reducer; gate by feature flags. | -| SC5 | Determinism & reproducibility guardrails | Blueprint asserts determinism but lacks CI checks for multi-run hash stability across new standards (CDX1.7, SLSA1.2). | Silent drift when enabling new formats; audits fail. | Add determinism CI covering SBOM/VEX/provenance outputs under new formats; require zero hash drift across N runs; publish hash manifests. | -| SC6 | Evidence breadth (binary & source) | Binary reachability + source provenance alignment is not detailed (stripped binaries, symbol sources, build-id capture). | Incomplete evidence chain; harder to defend reachability claims. | Require binary fixtures with build-id, symbol source, patch-oracle; include in reachability manifests; tie to Source Track data. | -| SC7 | Policy/UX surfacing | No UX/API plan to surface new metadata (CBOM, citations, SLSA source fields, dual-sign info). | Users can’t see or export the richer evidence; tooling divergence. | Update API/UI schemas to display CBOM fields, citations, source provenance, dual-sign algs; add export/CLI flags. | -| SC8 | Testing/baselines | No baseline vectors/fixtures for CVSS v4.0 + CDX1.7 + SLSA1.2 combined. | Hard to validate integrations; regressions likely. | Create baseline fixture set and golden outputs combining all three standards; include in CI and offline kit. | -| SC9 | Governance & approvals | No decision forum or owner assignments for adopting new standards. | Risk of piecemeal or stalled adoption. | Create an approval checklist and owner map per standard; require sign-off before enabling defaults. | -| SC10 | Offline/air-gap parity | No plan to package new artifacts (CBOM, SLSA source attestations) in offline kits/mirrors. | Air-gapped customers miss key metadata; parity broken. 
| Extend offline kits/mirror bundles with CBOM, source-provenance attestations, and combined hash manifest; update VERIFY docs. | - -## Immediate follow-ups -- Add a scanner blueprint gaps task to the relevant scanner/replay sprint (e.g., `SPRINT_0186_0001_0001_record_deterministic_execution`) to close SC1–SC10. -- Publish a standards convergence roadmap, add CDX 1.7/CBOM outputs and SLSA 1.2 Source Track fields to manifests, create compatibility adapters, and add determinism CI + golden fixtures. -- Update UI/API/export and offline-kit packaging to surface and ship the new metadata; define governance/approvals for enabling defaults. - -# Findings – Gaps in “Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` - -**Method:** Read the architecture brief and compared with scanner/SBOM/VEX pipeline sprints (0186, 0401, 0513) and replay/attestation standards. Focused on missing contracts needed to operationalize the SBOM-first spine deterministically and offline-ready. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| SP1 | Canonical contracts | Brief lists APIs (/scan, /sbom, /attest, /vex-gate, /diff, /unknowns) but no shared schemas or versioning for requests/responses. | Services may drift; CLI/UI integrations break. | Publish versioned API/DTO schemas (OpenAPI + JSON Schema) for each endpoint; add conformance tests. | -| SP2 | Predicate/edge schema | Edge predicates (`contains`, `reachable_via`, `overridden_by`, etc.) not formally specified (fields, required evidence). | Graph interoperability and evidence linking become ambiguous. | Define graph predicate schema with required evidence refs and hash fields; enforce in ingestion and policy layers. 
| -| SP3 | Unknowns workflow contract | State machine suggested but no API/DB contract or SLA/timeouts. | Unknowns handling inconsistent; SLAs unenforceable. | Define Unknowns schema, allowed transitions, SLA clocks, and audit events; add API/CLI endpoints and tests. | -| SP4 | Bundle format lock | Bundle layout shown but not versioned or signed; no required hashes/DSSE for inputs.lock. | Replay/air-gap parity weak; bundles could be tampered. | Version and sign bundle manifest (inputs.lock) with DSSE; require hash list for all contents; define upgrade path. | -| SP5 | Diff semantics | SBOM↔SBOM and SBOM↔runtime diffs lack canonical rules (normalization, matching keys, ignore lists). | Different engines produce different diffs; policies unreliable. | Specify diff normalization (PURL+version+hash, case, ordering), ignore rules, and deterministic output schema; add golden fixtures. | -| SP6 | Offline feed parity | Feeds section mentions bundles but no freeze/refresh policy or snapshot hashes. | Offline runs may diverge; replay breaks. | Require feed snapshot IDs/hashes in bundles; define staleness windows and refresh workflow; fail closed on mismatch. | -| SP7 | DSSE/Trust chain enforcement | DSSE is assumed but not mandated per hop; no required predicates or Rekor/mirror policy. | Unsigned evidence may enter spine; audit gaps. | Mandate DSSE predicates per stage (scan, sbom, policy-verified, vex); enforce verification before ingest; record Rekor/mirror evidence or local ledger entry. | -| SP8 | Policy lattice versioning | Lattice/policy hash referenced but not versioned or stored alongside decisions. | Decisions may not be reproducible; audits fail. | Store policy version/hash in decisions/proofs; sign policy bundles; add policy registry with changelog. | -| SP9 | Performance/scale constraints | No guidance on scale limits (graph size, evidence size, timeout budgets) or pagination for APIs. | Risk of outages/DoS; inconsistent client behavior. 
| Define performance envelopes, pagination defaults, evidence size caps; add load tests and limits in APIs. | -| SP10 | Cross-standard alignment | Brief references SBOM (CDX/SPDX) and VEX but no explicit mapping of fields and hashes between SBOM, attestations, graph nodes, and policy outputs. | Evidence chain may be non-joinable; explainability suffers. | Define crosswalk mapping (SBOM IDs → graph nodes → VEX products → policy decisions) with required identifiers/hashes; add conformance tests. | - -## Immediate follow-ups -- Add a spine-gap task to a relevant sprint (e.g., `SPRINT_0186_0001_0001_record_deterministic_execution`) to close SP1–SP10 with owners/dates. -- Publish versioned schemas for APIs, predicates, bundles, diffs, and Unknowns; mandate DSSE predicates per stage and policy lattice versioning; add deterministic fixtures and offline parity rules. - -# Findings – Gaps in “Explainability Layer for Vulnerability Verdicts” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` - -**Method:** Read the explainability advisory and compared with reachability evidence chain (Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`) and VEX/policy outputs. Focused on making explanation graphs canonical, verifiable, and integrated with DSSE/Rekor and offline kits. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| EX1 | Canonical schema & hashing | Explanation graph JSON is outlined but lacks formal schema, canonicalization rules, and hash/test vectors. | Different services could hash/serialize differently → signatures break, audits fail. | Publish `explanation-graph.schema.json`, define canonical JSON (sorted keys, UTF-8), hash algorithm, and test vectors; enforce in emitter/validator. 
| -| EX2 | DSSE predicate type & signing | DSSE is suggested but no predicate type or signing policy defined (key set, Rekor/mirror usage). | Unsigned/weakly signed graphs may enter system; replay impossible. | Define predicate `stella.ops/explanationGraph@v1`; require DSSE signing + Rekor/mirror record or bundle; verify on ingest. | -| EX3 | Evidence blob integrity | Evidence nodes include hashes but no required storage location rules, size limits, or redaction guidance. | Evidence may be mutable, missing, or leak sensitive data. | Enforce CAS-style storage with content hashes, max size limits, redaction checklist; require DSSE for large evidence manifests. | -| EX4 | Linkage to decisions & policy | Advisory does not mandate linking explanation graphs to specific policy/lattice versions or decision IDs. | Explanations can’t prove they correspond to the shipped decision; weak audit trail. | Require `decision_id`, `policy_hash`, `rules_hash` fields; store in graph and DSSE annotations; verify on load. | -| EX5 | Runtime/graph alignment | No requirement to align explanation graph nodes with graph_revision_id or runtime evidence refs. | Explainability may diverge from actual graph/version used for verdict. | Include `graph_revision_id` and references to runtime traces; validate they match the decision’s revision. | -| EX6 | UI/CLI export & replay | Export/verify flow is suggested but no standard bundle format or scripts are defined. | Users can’t easily replay explanations; offline parity weak. | Define `explanation-bundle.zip` layout (graph JSON, evidence blobs, verify script), add CLI `stella explain verify/export`, and VERIFY steps for offline kits. | -| EX7 | Privacy/PII controls | No guidance on redacting PII/secret data inside evidence/summary fields. | Explanations could leak sensitive info in support/exports. | Add PII/secret scan + allowlist for evidence summaries/refs; fail export if violations; log redactions. 
| -| EX8 | Performance/size budget | No size or performance budgets for explanation graphs; large graphs could bloat UI/exports. | Slow UI, oversized bundles, increased storage. | Set size limits (nodes, evidence count, blob size), add truncation rules with “omitted_count” fields; monitor metrics. | -| EX9 | Versioning & evolution | No schema versioning/compatibility policy for explanation graphs. | Breaking changes could invalidate stored explanations. | Add `schema_version`, changelog, and compatibility policy; include migration guidance in docs. | -| EX10 | Testing/baselines | No baseline fixtures or golden tests for explanation graphs. | Changes may break explainability without detection. | Create golden fixtures and regression tests (hash-stable) for sample vulnerabilities; include in CI and offline kits. | - -## Immediate follow-ups -- Add an explainability-gaps task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` to close EX1–EX10 with owners/dates. -- Publish schema, canonicalization rules, DSSE predicate, and verification scripts; align graphs with policy decisions and graph revisions; add PII controls, size budgets, and golden fixtures/export tooling. - -# Findings – Gaps in “Late‑November SBOM & VEX competitor” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md` - -**Method:** Reviewed competitor snapshot (Syft/Grype, Trivy, Xray, Clair) against StellaOps ingestion, normalization, offline bundles, and deterministic evidence chain. Identified gaps to harden interoperability, determinism, and risk tracking. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CM1 | External SBOM/scan normalization | No mandatory normalization/validation layer for third-party SBOMs/scans (Syft/Trivy/Clair). | Upstream schema/PURL bugs propagate into graphs and VEX decisions. 
| Add normalization/validator with schema version detection, PURL repair heuristics, and quarantine for anomalies before ingest. | -| CM2 | Signature & provenance verification | Advisory suggests ingesting external outputs but no requirement to verify SBOM/DB signatures (Syft attestation, grype-db signatures). | Untrusted data could enter evidence chain; offline bundles unverifiable. | Require signature/DSSE verification for all external SBOMs/DBs; fail closed if missing/invalid; record signer in manifests. | -| CM3 | DB snapshot governance | No policy for mirroring/updating external vuln DBs (grype-db, Trivy, Xray) with hashes/staleness windows. | Drift or schema mismatch causes nondeterministic results; offline users get stale data. | Define snapshot schedule + staleness SLA; store hashes, schema version, signer; include in manifest.lock; block use when stale/mismatched. | -| CM4 | Compatibility adapters | No defined adapters/mappers for Syft/Trivy/Clair SBOM/scan outputs to Stella canonical graph. | Ingest paths may diverge or break on upstream changes. | Build and test adapters per tool with golden fixtures; versioned compatibility matrix; feature-flag per tool version. | -| CM5 | PURL/identity anomaly tests | No regression tests for known upstream bugs (e.g., Syft Go PURL issues). | Previously fixed issues may reappear unnoticed. | Add anomaly test suite with upstream bug vectors; run in CI against normalizer; block regressions. | -| CM6 | Offline bundle parity | No standard for packaging external tool data (SBOM + vuln DB) into offline bundles with DSSE. | Air-gap customers can’t verify third-party inputs or keep parity with online. | Define “external-ingest-kit” format: SBOMs, DB snapshot, signatures, manifest DSSE; add VERIFY script. | -| CM7 | Risk dashboard linkage | Competitive signals not linked to sprint tasks/risk register. | PM/Eng may miss urgency when upstream tools change. 
| Add competitor risk tracker linking tool versions to ingestion adapters and staleness alerts; surface in Decisions & Risks. | -| CM8 | Performance & fallback | No policy for fallback when external tool output is malformed or too large. | Pipelines may fail hard or produce partial graphs. | Define fallback paths (skip record + alert, or degrade to minimal component list); set size/time limits for ingest. | -| CM9 | Transparency of third-party data | No requirement to surface which external tool/version produced each ingested record. | Difficult to audit blame when data is wrong. | Store `source_tool`, `tool_version`, `signature_key`, `snapshot_id` per ingested artifact and expose via API/CLI. | -| CM10 | Benchmark parity | No plan to reflect external-tool baselines in public benchmark datasets. | Benchmark may not capture real-world ingestion diversity; weak external credibility. | Include Syft/Trivy/Clair baselines and anomaly cases in benchmark fixtures; publish signed baseline outputs. | - -## Immediate follow-ups -- Add a competitor-ingest gaps task to a scanner/replay sprint (e.g., `SPRINT_0186_0001_0001_record_deterministic_execution`) to close CM1–CM10. -- Implement external-ingest normalization/verification (signatures, schema detection), adapters with golden fixtures, snapshot governance with staleness SLAs, and offline bundle packaging for third-party tools. -- Track upstream tool releases in a risk dashboard tied to ingestion adapters; expose source tool/version in APIs; add baselines/anomaly cases to benchmarks. - -# Findings – Gaps in “Making Graphs Understandable to Humans” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Making Graphs Understandable to Humans.md` - -**Method:** Reviewed the explainability-for-edges advisory against graph evidence chain work (Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`). 
Focused on schema governance, determinism, UI/API surfacing, and auditability of edge reasons/evidence. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| EG1 | Reason enum governance | Reason glossary provided but no canonical enum/spec, versioning, or extension process. | Different services may use divergent strings; comparisons and explainers break. | Publish `edge-reason.enum.json` with versioning and change-control; enforce via schema/validator. | -| EG2 | Canonical edge schema | Edge metadata structure (reason/evidence/provenance/confidence) not formally schematized or hash-normalized. | Serialization drift breaks determinism and hashing; API/UI may diverge. | Define `edge.schema.json` (canonical JSON rules) and add hash/test vectors; require in graph storage and exports. | -| EG3 | Evidence limits & redaction | No limits or redaction rules for evidence strings (could leak secrets/PII or bloat UI). | Sensitive data exposure; large payloads; audit risk. | Add max counts/lengths, PII/secret scan, allowlist of evidence types; truncate with indicator. | -| EG4 | Confidence rubric | Confidence values (high/medium/low) lack a shared rubric. | Inconsistent scoring; auditors can’t compare. | Publish a rubric per reason type; require detector to set confidence per rubric; validate in CI. | -| EG5 | Detector/rule provenance | Detector/rule_id suggested but not required or standardized. | Hard to trace which rule emitted an edge; audit gaps. | Require `detector` and `rule_id` fields; enforce format (component@version, stable rule key); include in DSSE annotations. | -| EG6 | UI/CLI parity | Advisory describes UI snippets but no API/CLI contract to fetch reason/evidence. | UI/CLI may diverge; exporters may drop fields. | Update graph APIs/CLI exports to include edge metadata; add “Why” column in tables and explain drawer; ensure same fields in CSV/JSON. 
| -| EG7 | Determinism tests | No deterministic test/fixture set for edge reasons/evidence across reruns and languages. | Re-runs may change reasons; explainability becomes unstable. | Add golden fixtures per language (static/dynamic/import/reflection/binary cases) and rerun-hash CI. | -| EG8 | Integration with VEX/explanation graphs | No requirement to propagate edge reasons into explanation graphs or VEX evidence. | Explainability chain broken between graph and verdict. | Include edge reason/evidence refs in explanation graph nodes and VEX evidence blocks; verify linkage. | -| EG9 | Localization/UX copy | No guidance on truncation/localization of reason strings in UI exports. | Inconsistent UX; truncated data may lose meaning. | Standardize short code (enum) + localized label; truncate evidence separately; keep code intact. | -| EG10 | Backfill/migration | No plan to backfill existing graphs with reason metadata. | Old edges lack reasons; mixed data quality. | Add backfill task with heuristics; flag edges without reasons; track progress metrics. | - -## Immediate follow-ups -- Add an edge-explainability gap task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` to close EG1–EG10. -- Publish edge schema/enum/rubric, enforce in APIs/exports, add PII limits and deterministic fixtures, and ensure propagation into explanation graphs and VEX evidence. - -# Findings – Gaps in “Managing Ambiguity Through an Unknowns Registry” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md` - -**Method:** Read the advisory and compared with Signals/Unknowns work (Sprint `SPRINT_0140_0001_0001_runtime_signals`) and reachability evidence chain. Focused on contracts, determinism, decay/governance, and integration with SBOM/VEX/attestations. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| UN1 | Canonical schema & enums | Unknowns model described but no formal schema/enums (origin, reason, classification) or versioning. | Divergent implementations; data not portable across services. | Publish `unknowns.schema.json` with enums and version; add canonical JSON rules and test vectors. | -| UN2 | Deterministic scoring spec | UR_t formula given but no fixed coefficients/rubrics or canonical hashable inputs. | Different services compute different scores; audits fail. | Define scoring config (B/A/T components, decay policy) with hashable manifest; pin defaults; add regression tests. | -| UN3 | Decay policy registry | Decay policies (linear/exponential) not versioned or governed. | Changing decay silently alters risk posture. | Create `decay_policies` catalog with IDs, params, validity window; sign changes; include in manifest. | -| UN4 | Evidence/provenance capture | No required evidence fields (e.g., entropy hints, section anomalies, missing signature) or attestation linkage. | Unknowns lack reproducible evidence; hard to resolve/audit. | Require evidence block with hashes/pointers; link to DSSE/scan attestation IDs; store in CAS. | -| UN5 | Integration with SBOM/VEX | Unknowns not mandated to link to SBOM components/VEX decisions once resolved. | Unknowns remain orphaned; risk roll-up incomplete. | On resolution/mapping, persist component/VEX links; update portfolio metrics; emit event. | -| UN6 | SLA/gates & suppression policy | Gates suggested but no enforceable SLA fields or suppression rules/expiry. | Releases may ignore critical unknowns; suppressions never expire. | Add SLA fields (age thresholds, UR_t caps); suppression requires reason+expiry; enforce in policy gate. | -| UN7 | API/CLI surfaces | APIs sketched but not specified (filters, pagination, status transitions). | UI/CLI divergence; automation brittle. 
| Define REST/GraphQL contract with filters, transitions, audit logging; add CLI verbs with consistent flags. | -| UN8 | Observability & reporting | No metrics/log schema for burn-down, age histograms, P90 UR_t, or top contributors. | Hard to track improvement or alert on regressions. | Emit metrics and weekly report template; add alerts on SLA breaches and stalled decay jobs. | -| UN9 | Offline/air-gap parity | No requirement to include unknowns and decay config in offline bundles/replay manifests. | Air-gapped audits can’t reproduce unknowns state. | Include unknowns records + decay policies in replay/air-gap bundles; verify hashes during replay. | -| UN10 | Backfill/migration plan | No plan to backfill existing unresolved “unknown-like” findings into registry. | Legacy gaps persist; metrics skewed. | Add migration/backfill task with heuristics; tag inferred records; track completion. | - -## Immediate follow-ups -- Add an unknowns-gap task to Sprint `SPRINT_0140_0001_0001_runtime_signals` to close UN1–UN10 with owners/dates. -- Publish unknowns schema, scoring/decay manifests, API/CLI contracts, and CAS-backed evidence rules; enforce SLA/suppression policies, metrics, and offline bundle inclusion. - -# Findings – Gaps in “Verifying Binary Reachability via DSSE Envelopes” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md` - -**Method:** Read the binary reachability DSSE advisory and compared with reachability evidence chain tasks (Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`) and scanner binary ingest. Focused on schema, determinism, attestation, and offline parity for binary edges. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| BR1 | Predicate & schema mandate | Schemas shown (envelope, call-edge) but not declared canonical/required across Scanner/Attestor/Policy. | Services may emit incompatible predicates; verification fails. | Publish and version `dsse-envelope-v1`, `call-edge-statement-v1` schemas as canonical; enforce in CI and ingestion. | -| BR2 | Canonical edge ID & hashing | EdgeId suggested but no canonical hash recipe (ordering, normalization, encoding). | Duplicate/mismatched edges across tools; dedupe fails; DSSE hashes unstable. | Define canonical edge tuple (caller, callee, reason, policy_hash) with sorted/normalized fields; hash algo/encoding fixed; add test vectors. | -| BR3 | Evidence linkage for binaries | Edge schema allows optional evidenceHash but no required evidence types (CFG, trace, relocation) or CAS storage rules. | Weak proofs; auditors can’t verify reachability claims. | Require evidence refs per edge (CFG/trace/reloc) with content hash and CAS pointer; include in DSSE predicate. | -| BR4 | Build-ID/variant handling | BuildId optional; no rule for stripped binaries, symbol servers, or multiple variants. | Edges may not map to correct binary; replay fails on variant mismatch. | Require build-id or content hash; add symbol/variant mapping rules; record symbol source (PDB/dSYM/ELF). | -| BR5 | Policy/hash alignment | PolicyHash field present but no governance on policy versions or lattice linkage. | Edges may be signed against unknown policy; difficult to replay. | Mandate policy registry ID/hash and lattice version; fail verification if unknown. | -| BR6 | Transparency/log routing | Rekor/bundle flow not mandated; shard/log selection undefined. | Attestations may be unlogged or logged inconsistently; offline parity weak. | Require DSSE + Sigstore bundle with shard/log ID; include in offline kits; verify on ingest. 
| -| BR7 | Idempotent submission & retries | No guidance on idempotency keys or retry policy for log submissions. | Duplicate or missing log entries. | Use deterministic submission key (edge hash + subject digest + log target); retry policy with backoff; dedupe store. | -| BR8 | Performance/size limits | No size or chunking guidance for large CFG/trace evidence. | Log rejects big payloads; pipelines fail. | Set size limits; chunk evidence with manifest + hashes; store blobs in CAS; log only hashes. | -| BR9 | API/CLI/UI surfacing | No contract to expose binary edge attestations in API/CLI/UI or to export verification bundles. | Users can’t inspect/verify binary proofs; adoption suffers. | Add API/CLI flags to fetch/export binary edge bundles; UI badge for DSSE-verified edges; include in explainers. | -| BR10 | Test fixtures | No golden fixtures for binary edges (ELF/PE/Mach-O) with DSSE envelopes. | Regressions may go unnoticed; cross-tool compatibility untested. | Create fixture set (ELF/PE/Mach-O) with known edges, evidence, and signed envelopes; add CI verification. | - -## Immediate follow-ups -- Add a binary-reachability gap task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` to close BR1–BR10 with owners/dates. -- Publish canonical schemas, hashing rules, evidence requirements, and bundle/log policies; add fixtures and API/CLI surfaces for binary DSSE proofs with offline parity. - -# Findings – Gaps in “Authentication and Authorization Architecture” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Authentication and Authorization Architecture.md` - -**Method:** Reviewed the authN/authZ advisory against Authority posture, cross-service scope usage, sovereign crypto sprint (0514), and offline/air-gap needs. Focused on token binding, scope governance, revocation/rotation, and offline verification gaps. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| AU1 | Scope catalog governance | 65+ scopes listed but no canonical catalog versioning or change-control; role bundles not hash-tracked. | Scope drift across services; hard to audit who had what permission when. | Publish signed `scope-catalog.json` with version/hash; require services to load catalog by version; track role bundle hashes. | -| AU2 | Audience & tenant enforcement defaults | Advisory describes tenant/audience claims but no enforcement defaults or fail-closed behavior specified per service. | Services may accept tokens without tenant/audience checks; risk of cross-tenant access. | Mandate per-service config: require `tid`, `aud`, `cnf`; fail-closed; add conformance tests. | -| AU3 | DPoP/mTLS coverage & nonce policy | DPoP/mTLS required for some audiences but no explicit coverage matrix or nonce freshness policy. | High-value endpoints may be reachable with bearer tokens or replayable proofs. | Publish coverage matrix (audience→binding), require nonce for signer/attestor/orch, and add rejection metrics/alerts. | -| AU4 | Revocation bundle SLA & format | Revocation bundles defined but no freshness SLA or schema versioning; offline verification rules absent. | Offline/air-gap may trust stale revocation; auditors lack assurance. | Version revocation-bundle schema; set freshness SLA (e.g., <5m); include signed timestamp/log sequence; verify in gateways. | -| AU5 | Key rotation governance | Rotation noted but no mandatory overlap windows, audit log, or DSSE/JWS proofs of key state. | Clients may fail during rotation; provenance unclear. | Require dual-active keys with defined overlap, signed key-state manifest, and audit events; add rotation playbook tests. | -| AU6 | Sovereign crypto profile selection | Profiles (FIPS/eIDAS/GOST/SM/PQ) mentioned but no negotiation or per-tenant profile selection rules. 
| Wrong algorithms in regulated regions; interoperability issues. | Define crypto-profile registry with allowed algs per tenant/installation; include in tokens and JWKS metadata; enforce per-audience minima. | -| AU7 | Offline/air-gap verification path | No end-to-end example for verifying tokens/DPoP/mTLS and revocation offline. | Air-gapped deployments can’t validate tokens confidently. | Provide offline verifier bundle (JWKS, revocation, policy) + `verify-auth.sh`; add docs and tests. | -| AU8 | Delegation quotas & guardrails | Delegated service accounts described but no enforcement of quotas per tenant/client or audit of delegation chains. | Delegated tokens could proliferate, increasing blast radius. | Enforce quotas per tenant/service account; log delegation chain in `act`; add alerts on quota breaches. | -| AU9 | Attribute-based access (ABAC) semantics | ABAC attributes listed without schema/versioning or evaluation order; no conflict resolution with scopes. | Inconsistent policy outcomes; privilege escalation risk. | Define ABAC schema, precedence rules (deny-overrides), and evaluation order; version attributes; add tests. | -| AU10 | Observability & conformance tests | Metrics listed but no conformance suite to assert binding/audience/scope enforcement across services. | Regressions may ship unnoticed; inconsistent enforcement. | Create auth conformance tests (per service) and dashboards with SLOs for binding failures, audience/tenant rejection rates; run in CI. | - -## Immediate follow-ups -- Add an auth gaps task to Authority/crypto sprint (e.g., `SPRINT_0314_0001_0001_docs_modules_authority` or crypto sprint) to close AU1–AU10 with owners/dates. -- Publish signed scope/role catalogs, binding/audience matrices, revocation/JWKS schemas with freshness SLAs, offline verifier bundle, crypto-profile registry, and conformance tests per service. 
- -# Findings – Gaps in “CLI Developer Experience and Command UX” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - CLI Developer Experience and Command UX.md` - -**Method:** Reviewed the CLI advisory against current CLI sprints (0201/0202/0205 series) and offline/DSSE/auth requirements. Focused on determinism, auth security, distribution, compatibility, and testability. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CL1 | Command/flag compatibility contract | No versioned command/flag catalog or deprecation policy; exit codes listed but not tied to a spec. | Breaking changes may hit CI; exit-code drift breaks pipelines. | Publish versioned CLI spec (commands/flags/exit codes), with deprecation policy and compatibility tests per release. | -| CL2 | Deterministic output guarantees | Advisory claims deterministic output, but no hash/fixture tests for JSON/table modes or locale/time effects. | CI comparisons may flake; hashes change across runs/locales. | Add golden fixtures for JSON/table outputs with fixed locale/UTC; run multi-run hash tests in CI. | -| CL3 | Auth hardening in CLI | DPoP described but no rotation/cleanup policy for stored keys; device-code cache binding undefined; no check for audience default misuse. | Stale keys or weak binding can leak access; wrong audience tokens used. | Enforce key rotation/cleanup, bind device-code cache to user+machine, default audience validation, and add `stella auth doctor`. | -| CL4 | Offline/air-gap kit parity | Offline kit commands listed, but kit format, hash checks, and failure modes not specified. | Air-gap imports may be partial or unverifiable. | Define offline-kit CLI contract (manifest hash verify, required contents, failure handling); add tests. 
| -| CL5 | Binary distribution verification | Distribution plan mentions signatures but no mandatory cosign verification on install/self-update. | Users may run tampered binaries. | Require cosign verify on install/update; publish public key fingerprints; add `--verify` default on self-update. | -| CL6 | Buildx plugin provenance | Buildx installer verifies signature but lacks policy for pinned digest/version and rollback. | Supply-chain risk if plugin tag changes; rollbacks hard. | Pin plugin image digest; store policy file; add rollback and provenance report command. | -| CL7 | Telemetry/analytics governance | No opt-in/out policy or schema for telemetry (if any) in CLI. | Compliance/privacy risk; inconsistent behavior. | Document telemetry policy; default off; add explicit flags/env; schema for emitted events; tests ensuring default off. | -| CL8 | Accessibility/UX consistency | No a11y standards (colorblind-safe palettes, tty detection) or consistent UX patterns across commands. | Poor usability; inconsistent outputs. | Add UX guidelines: color palette, width detection, pager rules, TTY/non-TTY detection; enforce via lint/tests. | -| CL9 | Error/help localization & structure | Help/error messages not versioned or structured; no machine-readable hints for tooling. | Harder to script; poor UX for non-English locales. | Standardize error/help schema (codes + detail + remediation); optional localization; ensure JSON errors match exit codes. | -| CL10 | CI install/upgrade reliability | Install script is curl|sh with no checksum enforcement; no offline install path defined. | CI supply-chain risk; offline CI blocked. | Provide checksummed artifacts + detached sig; support offline install from kit; fail if checksum missing. | - -## Immediate follow-ups -- Add a CLI gaps task to the relevant CLI sprint (e.g., `SPRINT_0201_0001_0001_cli_i` or `SPRINT_0202_0001_0001_cli_ii`) to close CL1–CL10. 
-- Publish a versioned CLI spec with compatibility/deprecation rules, add golden output/exit-code tests, enforce cosign verification and offline-kit contracts, harden auth key handling, pin buildx plugin digests, and document telemetry/UX/a11y standards. - -# Findings – Gaps in “CLI Developer Experience and Command UX” (added) - -# Findings – Gaps in “Findings Ledger and Immutable Audit Trail” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` - -**Method:** Reviewed the ledger advisory against ledger/Merkle/export work and offline/air-gap expectations. Focused on schema governance, external anchoring, tenant isolation, redaction, determinism, and replay/export parity. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| FL1 | Event/ledger schema versioning | Event and projection shapes are described but no versioned JSON Schemas or canonical serialization rules. | Producers/consumers may diverge; hash/cycle validation may fail. | Publish versioned schemas for events/projections/exports with canonical JSON rules and test vectors; sign schema catalog. | -| FL2 | Merkle config & external anchoring | Merkle anchoring noted, but no mandated external anchoring policy, shard/log metadata, or checkpoint freshness. | Tamper evidence weaker; air-gap replay cannot validate freshness. | Define Merkle policy (batch size/window/algo) plus external anchor rules (log/shard ID, checkpoint freshness SLA); include in exports. | -| FL3 | Chain fork handling & tombstones | Forks are “prohibited” but no explicit behavior/logging/audit when conflicts occur; no tombstone policy. | Fork attempts may go unnoticed; auditors lack evidence. | Require fork detection with audit events + DSSE record; tombstone/410 rules; expose metrics. 
| -| FL4 | Tenant isolation & redaction | Tenant mention present but no redaction rules for exports or portable bundles; no isolation tests. | Cross-tenant leakage risk in exports. | Enforce tenant-scoped chains; redact tenant IDs in portable exports with redaction manifest; add isolation tests. | -| FL5 | Payload redaction/PII | Comment text “hashed” noted but no redaction/allowlist for other fields; no size limits. | PII may leak; exports may bloat. | Define redaction/allowlist, size limits, and evidence rules; enforce before hash; document in schema. | -| FL6 | Policy/version linkage | policyVersion and evidenceBundleRef exist but lattice/version governance not mandated; no DSSE for events. | Decisions not reproducible; weak audit link between policy and ledger. | Require DSSE-signed events or batch manifests including policy hash, lattice version, graph_revision_id; verify on ingest/export. | -| FL7 | Export determinism & golden fixtures | Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports. | Regressions may go unnoticed; reproducibility claims weak. | Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering. | -| FL8 | Replay/rebuild tooling | Projection rebuild guidance minimal; no checksum for rebuild outputs. | Rebuilds may diverge from ledger state; audits fail. | Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests. | -| FL9 | Air-gap verifier | Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations). | Air-gapped audits may be incomplete. | Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests. | -| FL10 | Performance envelopes & quotas | SLOs listed but no quotas/backpressure for append/export per tenant or chain. | Hot tenants could starve others; risk of data loss under load. 
| Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load. | - -## Immediate follow-ups -- Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10. -- Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure. - -# Findings – Gaps in “DSSE‑Signed Offline Scanner Updates — Developer Guidelines” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** User-provided advisory “DSSE‑Signed Offline Scanner Updates — Developer Guidelines” (not yet in repo); cross-checked against `docs/24_OFFLINE_KIT.md`, `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`, and sprints 160/162 attestation work. - -**Method:** Evaluated the proposed offline bundle pattern (DSSE envelope + Rekor v2 receipt + manifest + payload) and activation flow against existing offline-kit, scanner import, attestation, and determinism/air-gap requirements. Identified missing controls, governance, and telemetry required to make the pattern enforceable and replayable. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| DS1 | Trust bundle rotation & revocation | Advisory pins publisher/rekor keys but omits rotation channel, expiry/NotAfter checks, or revocation response (key compromise, revoked cert, mirror drift). | Stale or compromised keys could continue to sign/verify bundles; rollback to bad keys possible in air-gaps. | Define signed “trust bundle” schema with key set, expiry, revocation list, and provenance; enforce NotBefore/NotAfter on activation; require quorum/M-of-N to rotate keys and store rotation receipts alongside bundles. 
| -| DS2 | Rekor freshness & offline proof | Verification only checks receipt vs DSSE hash; no requirement to validate the Rekor checkpoint/root, inclusion promise window, or bundled log segment authenticity. | Attackers can replay old receipts or splice receipts from another tree; air-gapped sites may trust stale proofs. | Require checkpoint verification (root hash, size, log ID) and freshness bound; when offline, bundle signed log segment + checkpoint DSSE; fail closed if segment/hash mismatches. | -| DS3 | Manifest/schema canonicalization | `manifest.json` shape/version/canonical rules are undefined; hash algo/encoding not fixed; no schema signature. | Producers/consumers may compute different digests → false negatives/acceptance of tampered bundles. | Publish versioned JSON Schema with canonical ordering, SHA-256 as default, strict types; sign manifest with DSSE/JWS and include schema version in filename and trust_id. | -| DS4 | Supply-chain provenance for bundle build | Build pipeline steps (hashing, signing, Rekor submission) lack attestation/SLSA provenance; no binding to source commit, tool versions, or build runner hash. | Malicious/compromised build host could emit validly signed but malicious payloads; hard to audit. | Produce SLSA/DSSE build attestation for each bundle (builder ID, git commit, tool versions, reproducible build inputs); verify attestation before accepting bundle into cache. | -| DS5 | Anti-replay & rollback detection | Monotonicity check uses manifest.version but no binding to prior trust state or recorded trust_id; no replay window/nonce; force-activate bypass not audited. | Old bundles can be reintroduced (malicious or operator error); rollback may go unnoticed in air-gaps. | Persist last_good {version, trust_id, rekor_root} in append-only state; require version strictly increasing unless signed rollback exception; log and DSSE-sign every activation/force-activation event. 
| -| DS6 | Delta/partial bundle rules | Contract only shown for full bundles; deltas/partials not defined (expected final state, base hash, tombstones). | Deltas may apply on wrong base, producing diverging DB contents without detection. | Define delta schema: base_version/base_hash, operations (add/remove/replace), resulting snapshot hash; verify base before apply; generate synthetic full-hash after apply and compare to declared target. | -| DS7 | Per-file integrity & compression safety | Defense-in-depth note mentions file hashes but not mandatory verification of each entry inside `payload.tar.zst`, compression flags, or TOCTOU protection when extracting. | Tampering inside tar/zst could slip through if only outer hash is checked; extraction could overwrite symlinks or traverse directories. | Require per-entry hashes in manifest, validated before extraction; use safe extractor that rejects symlinks/`..` paths and enforces uid/gid/perm allowlist; verify zstd dictionary/levels; hash post-extract contents before swap. | -| DS8 | Config/feature flags & policy surface | `requireDsse`-style enforcement hinted but not specified across Scanner, CLI, Worker; no migration plan or policy gate. | Mixed deployments may silently skip DSSE/Rekor checks or drift from policy; inconsistent enforcement. | Add explicit config matrix (API/UI/CLI) with default `requireDsse=true`, rollout guard (`observe→enforce`), and policy gate that blocks imports lacking DSSE/Rekor unless override is signed and time-bound. | -| DS9 | Observability & SLOs | Telemetry suggests reason codes but no SLOs, alerts, or metrics for freshness, failure streaks, rollback attempts, or trust-bundle age. | Operators lack visibility; silent drift or repeated failures may persist. | Define metrics (`bundle_activate_total{reason}`, `rekor_freshness_seconds`, `trust_bundle_age_hours`, `rollback_attempt_total`), alerts on stale checkpoint/keys or repeated failures, and trace spans around verify steps; document SLOs. 
| -| DS10 | Recovery & quarantine governance | Quarantine step lacks retention period, evidence capture, or reprocessing flow; no checklist for operator actions or RCA evidence. | Quarantined bundles may be reintroduced without fix; root causes lost. | Require quarantine manifest (bundle hash, failure reason, logs, time, operator); set retention/SLA; add `reanalyze` job that re-verifies after trust-bundle/rekor updates; document runbook. | -| DS11 | Multi-tenant/namespace scoping | Advisory assumes single trust root/cache; no scoping for multi-tenant or env-specific feeds (prod/stage/regional crypto profiles). | Wrong bundles could be activated in other tenants/regions; policy/cert profile mismatches. | Partition cache and trust state by tenant/env/crypto profile; include tenant/profile in DSSE predicate and activation state; block activation on mismatch. | -| DS12 | Offline-kit parity & kit manifest linkage | Bundle layout is local-only; not bound to existing Offline Kit manifest/attestations; no guidance for importing via OUK or Export Center bundles. | Duplicate verification logic; kit imports may skip DSSE/Rekor or mismatch manifest coverage. | Align bundle schema with OUK: include pointers into offline-kit manifest, ensure kit contains DSSE/Rekor files, and require Scanner import to treat them as mandatory; add shared schema/docs. | - -## Immediate follow-ups -- Add a gaps-remediation task to the relevant attestation/offline sprints (e.g., `SPRINT_0162_0001_0001_exportcenter_i`, `SPRINT_0163_0001_0001_exportcenter_ii`, `SPRINT_0510_0001_0001_airgap`, or Scanner import sprint) covering DS1–DS12. -- Draft and publish versioned schemas for bundle manifest, delta bundles, trust bundle, and Rekor segment packaging; include canonicalization rules and test vectors. 
-- Extend offline-kit and Scanner import docs to mandate DSSE/Rekor checkpoint verification, per-entry hashing, safe extraction, append-only state, and tenant/profile scoping; wire metrics/alerts into observability docs. -- Add CI/fixtures: reproducible bundle build attestation, delta/base mismatch tests, rollback/replay tests, stale checkpoint/key tests, and quarantine reprocessing tests. - -# Findings – Gaps in “StellaOps Storage Blueprint (PostgreSQL patterns per module)” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** Pasted advisory “Here’s a crisp, opinionated storage blueprint…” / “StellaOps – PostgreSQL Patterns per Module” (2025-12-01 draft). - -**Method:** Reviewed the blueprint against module dossiers (Authority, Routing, VEX, Unknowns, Artifact), high-level architecture, and prior advisories on ledger/evidence/offline posture to identify missing guarantees, hardening steps, and operability gaps. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| SB1 | Tenant isolation | DDL examples mostly omit `tenant_id` and tenant-based RLS; policies rely only on `app.user_id`. | Cross-tenant data exposure or cache bleed; feature flags/routing/unknowns not tenant-safe. | Make `tenant_id uuid not null` mandatory on tenant-scoped tables, enforce base RLS `tenant_id = current_setting('app.tenant_id')::uuid`, and add partial indexes by tenant. | -| SB2 | RLS hardening | Blueprint assumes `set_config` but lacks guards for unset/invalid session vars, role separation, or `SECURITY DEFINER` safety. | Mis-set sessions bypass RLS; superuser paths may leak data. | Add `check_app_context()` function used in policies, deny access when settings missing, separate DB roles per service, and forbid bypass for `pg_read_all_data`. 
| -| SB3 | Partitioning & retention | High-volume tables (audit_log, oauth_token, outbox, unknowns history) not partitioned; no retention/archival plan. | Storage bloat, slow scans, expensive VACUUM; audit trails hard to manage. | Time/tenant partition heavy tables; enforce retention/archival to CAS; add `DROP PARTITION`/`vacuumd` runbooks and metrics. | -| SB4 | Indexing & query plans | Several hot-path queries lack indexes (e.g., `feature_flag(key, version)`, `audit_log(actor_id, at)`, GIN on JSONB facts/unknowns, partial indexes on open unknowns). | Latency spikes and table scans; MV refreshes slow. | Specify required indexes per table and refresh cadence; add `EXPLAIN` baselines in migrations/tests. | -| SB5 | HA/DR & PITR | No posture for replication, failover, backups, or PITR testing. | Data loss/outage risk; compliance gaps. | Standardize HA (streaming replica) with async/sync policy per module, scheduled base/backups + PITR drills, and recovery SLOs documented. | -| SB6 | Migration/dual-write plan | Cutover phases describe read adapters but omit dual-write/backfill, consistency checks, and abort criteria. | Divergence between Mongo and Postgres; hard rollback. | Add dual-write phase with idempotent keys, reconciliation jobs, hash-based diff reports, and automated rollback switch; document stop conditions. | -| SB7 | Schema governance | `schema_version` fields exist but no schema registry, compatibility rules, or SemVer/change-log requirements. | Breaking changes may ship unnoticed; clients can’t validate payloads. | Create schema catalog with SemVer and DSSE signatures; enforce compatibility checks in CI and at runtime; require migration playbooks per version bump. | -| SB8 | CDC security & scoping | Logical replication recommended without tenant filtering, column-level exclusions, or connector isolation. | Sensitive data may leak to analytics/third parties; multi-tenant isolation broken. 
| Use publication per module/tenant, exclude secret columns, TLS/auth for connectors, and add redaction/field allowlists plus monitoring for lag/divergence. | -| SB9 | Outbox robustness | Outbox table lacks idempotency keys, ordering/fencing rules, poison-message handling, and backpressure metrics. | Duplicate or lost events; dispatcher loops under load. | Add `(aggregate_type, aggregate_id, topic, created_at)` unique key, status enum, retry/backoff policy, dead-letter bucket, and observability counters; keep dispatcher transactional. | -| SB10 | Cache governance (Redis) | Cache keys/TTLs noted but no tenant/env namespacing, warm/cold coherence rules, or fail-closed behavior. | Cross-tenant bleed or stale flags/routes; silent fallback to outdated cache. | Namespaces (`env:tenant:` prefixes), include version in keys, require cache-miss fallback to Postgres with freshness checks, and metrics/alerts on hit ratio + staleness. | -| SB11 | Artifact index & CAS hygiene | CAS index lacks GC policy, tag/alias governance, encryption/ACL guidance, or tenant-scoped storage paths; signatures optional. | Digest store grows unbounded; cross-tenant leakage via shared blobs; unverifiable artifacts. | Add GC rules (refcount/last-access), tenant-scoped buckets/prefixes, mandatory signature refs, encryption at rest + access policy, and offline mirror/verify scripts. | -| SB12 | Observability & SLOs | Metrics mentioned but no SLOs/alerts for MV lag, replication lag, RLS policy hits, outbox lag, refresh failures, or Redis divergence. | Operational drift undetected; regressions hit users before detection. | Define per-module SLOs and alerting; ship dashboards; add self-test queries in readiness probes; fail-fast on MV refresh/CDC gaps. | -| SB13 | Security & compliance | No explicit at-rest/transport encryption, audit of DDL/config changes, or data-classification/PII rules for JSONB payloads. | Compliance risk; uncontrolled sensitive data storage. 
| Enforce TLS, TDE/disk encryption, pgaudit/DDL logging, classified columns with masking/redaction, and PII allowlists plus periodic scans. | - -## Immediate follow-ups -- Open a sprint task (e.g., under data/platform hardening) to close SB1–SB13 with owners/dates and link to this finding. -- Produce migration/dual-write and partitioning runbooks per module; add schema catalog (versioned, signed) and required indexes to migrations. -- Define HA/DR posture, CDC scoping rules, cache namespacing, artifact GC/ACL policy, and observability SLOs; wire alerts and self-tests into services. - -# Findings – Gaps in “Verifiable Proof Spine → Moat (receipts + benchmarks)” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** “Here’s a crisp, practical way to turn Stella Ops’ ‘verifiable proof spine’ into a moat—and how to measure it.” (includes “Developer Guidelines – Benchmarks for a Testable Security Moat”). - -**Method:** Read the advisory and attached developer guidelines; compared with related advisories already filed (Graph Revision IDs as Public Trust Anchors, Evidence Bundle and Replay Contracts, Reachability Benchmark Fixtures Snapshot, Comparative Evidence Patterns) and the current `bench/` layout to surface missing contracts, controls, and enforcement hooks. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| VM1 | Graph Revision contract | Graph Revision ID recipe lacks canonical serialization rules (sorting, normalization, hash alg/encoding), multi-alg/PQ plan, and provenance fields (feeds/policies/tools). | Different services may compute divergent hashes; receipts tied to non-canonical IDs become unverifiable or collide. 
| Publish `graph-revision-manifest.schema.json` with canonical JSON rules, mandated hash alg (e.g., BLAKE3-256 hex) and optional multi-alg, plus required digests for feeds, policies, tool images, config flags; add test vectors. | -| VM2 | DSSE predicate & receipt schema | Predicate `stellaops.dev/verdict@v1` is named but not specified (required fields, canonicalization, clock source, list ordering) nor versioning/compatibility rules. | Receipts may serialize differently across services; signature verification and replay can fail; upgrades may break stored receipts. | Define versioned predicate schema + canonical JSON (sorted keys, UTC + monotonic timestamp pair, fixed decimal precision); publish validation tests and compatibility guidance; enforce in emitters/validators. | -| VM3 | Signing policy & key lifecycle | “Sign with Authority” omits key hierarchy, rotation cadence, dual-sign (ECDSA+PQ) strategy, Rekor/mirror anchoring, and tenant scoping. | Long-lived receipts risk key compromise or compliance gaps; no traceable lineage for rotated keys; multi-tenant trust not isolated. | Document signing policy: key roles (online/offline/HSM), M-of-N custody, rotation/burn rules, dual-sign option, Rekor/mirror anchoring metadata, and tenant-scoped key IDs; enforce policy hash in receipts. | -| VM4 | Receipt storage, retention, and isolation | Postgres table is suggested but lacks retention/GC rules, compression/dedup, encryption-at-rest, RBAC/tenant isolation, and sharding guidance. | Store can bloat; sensitive proofs may be exposed across tenants; replay/export may be inconsistent. | Define storage contract: per-tenant partitioning/shards, append-only receipts, row-level encryption, TTL/archival policy, dedup by `(graphRevisionId, verdictId, algo)`, and export manifests with hashes. 
| -| VM5 | Reachability slice / symbol proof schema | Call-stack slices and binary symbol proofs lack formal schema, size budgets, architecture coverage (ARM/ppc), redaction rules for paths/symbols, and validation tooling. | Proofs may leak PII/paths, explode in size, or be unusable for replay; binaries without symbols remain unprovable. | Publish schemas for slices and symbol proofs with max nodes/bytes, required fields (arch, offset, hash of slice), redaction/normalization rules, and validator/golden fixtures; add fallback proof type when symbols absent. | -| VM6 | Replay Manifest governance | Replay manifest is named but not required to be DSSE-signed, canonically serialized, or to pin feeds/rulepacks/tool digests/time anchors; no CI gate uses it. | Auditors cannot trust manifests; replays may drift due to unstated feed/tool changes; CI may miss drift. | Define `replay.manifest.json` schema, canonical JSON, DSSE signing, and required fields (feeds/tool digests/policies/config, fake clock seed); add CI job to rerun gold fixtures and compare graph hashes against the manifest. | -| VM7 | “No receipt, no ship” enforcement path | Rule is declarative; no enforcement points defined (scanner pipeline, policy engine, API, UI), no failure taxonomy, and no override/waiver process. | Receipts may be missing yet verdicts ship; users see inconsistent states; overrides may bypass audit. | Add fail-closed checks in scanner/policy APIs and UI gating; define error codes for missing/invalid receipts; require signed waiver/override records and metrics for violations. | -| VM8 | Benchmark corpus governance & ground truth | Benchmarks call for public corpus and baselines but lack governance: licensing/sanitization checklist, ground-truth labels with evidence, competitor selection matrix, and contribution/review rules. | Metrics may be non-reproducible or legally risky; baseline comparisons could be biased or outdated. 
| Create benchmark governance doc: sanitized corpus manifest with hashes/DSSE, ground-truth evidence bundles, contributor CLA/review rules, competitor/baseline selection matrix, and staleness SLAs; store under `bench/manifest.*` and sign. | -| VM9 | Benchmark determinism & resource profile | Metrics (FP reduction, triage time, proof coverage, determinism) are defined but no reference hardware/profile, seeding rules, retry/timeout policy, or multi-run hash check. | Results vary run-to-run or across machines; comparisons and claims lose credibility. | Pin reference runner (CPU/RAM, cgroups), seeds, thread limits, timeouts; add multi-run hash stability check in `bench/scripts/run_benchmarks` and publish tolerances; mark strict scenarios that must be zero-drift. | -| VM10 | Observability, alerts, and export kits | Advisory lacks required metrics/alerts for signature failures, graph-hash drift, missing proofs, or benchmark regressions, and doesn’t define the “audit kit” packaging/signing. | Failures may go unnoticed; auditors/buyers cannot independently verify kits; offline users lack parity. | Instrument counters/alerts for receipt verify failures, graph drift, proof coverage gaps, benchmark regressions; define audit-kit layout (receipts + manifest + replay + verify script) with DSSE signature and include in offline kits/export center. | - -## Immediate follow-ups -- Add a proof-spine/receipt gap-remediation task to Sprint `SPRINT_0401_0001_0001_reachability_evidence_chain` covering VM1–VM7. -- Add a benchmark governance/determinism task to Sprint `SPRINT_0513_0001_0001_public_reachability_benchmark` covering VM8–VM10, tying to `bench/` manifests and CI jobs. -- Draft and publish schemas (graph revision, verdict predicate, replay manifest, reachability proofs) plus golden fixtures/tests; wire fail-closed receipt checks and observability alerts into scanner/policy pipelines and UI/API gating. 
- -# Findings – Gaps in “SBOM→VEX Proof Spine Blueprint” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** Chat-supplied advisory “tight, practical blueprint to turn your SBOM→VEX links into an auditable proof spine…” (not yet filed under `docs/product-advisories/`). - -**Method:** Parsed the advisory, aligned it with Authority/Policy/Scanner evidence-chain expectations and existing sprint `SPRINT_0401_0001_0001_reachability_evidence_chain`, and checked for determinism, governance, tenancy, and offline parity gaps. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| PS1 | Trust anchor lifecycle & conflicts | Per-dependency TrustAnchor is defined but lacks lifecycle rules (creation approval, change control, supersedes flow) and conflict resolution when multiple anchors match a purl or SBOMEntry. | Anchor drift can silently change accepted signers; conflicting anchors can cause verification bypass or denial. | Require signed TrustAnchor records with `version`, `createdBy`, `supersedes`, and deterministic purl matching precedence; add dual-control approvals and DSSE for anchor mutations; fail closed on ambiguous anchor selection. | -| PS2 | Revocation/rotation enforcement | Revocation list is mentioned but no policy for how existing spines/receipts behave after key revocation or anchor update; no rollback window or re-issuance rules. | Auditors may accept spines signed by revoked keys; replay may fail inconsistently. | Define revocation semantics (hard-fail vs warn), require re-verification tasks on revocation, emit new spines/receipts when anchors change, and publish “revoked-but-accepted-until” grace policy with metrics/alerts. | -| PS3 | Predicate schemas & test vectors | Predicate types are named (`evidence.stella/v1`, etc.) but no JSON Schemas, canonicalization vectors, or compatibility commitments. 
| Producers may serialize differently, leading to hash mismatches and unverifiable bundles. | Publish signed JSON Schemas + canonical JSON rules and golden test vectors for evidence/reasoning/VEX/spine; include field-level required/optional rules and normalization of enums/whitespace/precision. | -| PS4 | Merkle/ProofBundle recipe | ProofBundleID is “merkle root” but algorithm (tree shape, path ordering, hash algo, duplicate handling, domain separation) is unspecified. | Different implementations will derive different bundle IDs for the same inputs, breaking interoperability. | Standardize Merkle recipe (hash algo, leaf format, deterministic ordering, duplicate policy, domain tags); provide reference implementation and fixtures. | -| PS5 | Evidence failure/negative cases | Flow assumes successful evidence; no schema for failed scans, partial results, or “absence of evidence” attestations. | Missing DSSE records allow silent gaps; verification may over-trust incomplete data. | Define `evidence.stella/v1` variants for failures/partial coverage with required error codes and scope; require DSSE for failures and include them in ProofBundleID computation. | -| PS6 | SBOM evolution & backfill | SBOMEntryID ties to sbomDigest+purl, but no rules for updated SBOMs, component renames, or superseded SBOM versions; backfill of historical spines not described. | Proof history can fragment; replay may mismatch SBOM version to spine. | Add SBOM versioning/backfill policy: immutable sbomDigest, `supersedesSbomDigest`, migration tasks to regenerate spines for changed entries, and UI/API to view lineage. | -| PS7 | Third-party VEX & dual anchors | Import of vendor VEX is implied but no contract for dual-anchor verification (vendor + internal), status translation, or provenance preservation. | Imported VEX may be re-signed without proof of origin; status semantics can drift from vendor meaning. 
| Require vendor VEX verification against vendor anchor, preserve original envelope bytes, tag provenance, and optionally co-sign under Authority; define status mapping table and conflict resolution. | -| PS8 | Storage security & tenancy | Postgres/blob layout shown but lacks tenant scoping, row-level security, encryption at rest, and retention/GC policy for blobs and envelopes. | Cross-tenant data leakage risk; unbounded storage growth; unverifiable deletions. | Enforce tenant/namespace columns with RLS, encrypt blobs, add retention classes + GC rules, and record DSSE-backed delete/tombstone manifests instead of hard deletes. | -| PS9 | API contract & versioning | API endpoints are sketched without authZ roles, pagination, ETags, error codes, or versioning strategy; no idempotency keys for POST. | Clients may integrate inconsistently; accidental duplication or cache poisoning possible. | Define OpenAPI with versioned paths, RBAC roles (Authority/Viewer/Auditor), pagination/caching semantics, idempotency keys, and deterministic error models; add conformance tests. | -| PS10 | Observability & SLIs | Metrics/logging expectations are absent (only UX hints); no alerts for verification drift, revocation, hash mismatch, or signer skew. | Integrity regressions may go unnoticed; auditors lack evidence of continuous enforcement. | Add required counters/histograms (verify pass/fail by reason, anchor conflicts, revocation hits, recompute drift), structured logs with IDs, and alert thresholds; document runbooks. | -| PS11 | Offline/export kit parity | Advisory references offline friendliness but does not define export format (bundle layout, signatures, chunking), replay script, or air-gap verification inputs. | Air-gapped users cannot verify or may accept tampered kits; deterministic replay claims weaken. 
| Specify offline proof kit (SBOM + envelopes + anchors + schemas + Merkle recipe) with signed manifest and verify script; include chunking rules and hardware profile for replay. | -| PS12 | Key custody & PQC coexistence | Keys live in Authority, but custody model, M-of-N approval, audit trails, and PQC dual-sign verification order are not defined. | Single-operator compromise or ambiguous verification precedence; PQ readiness unverifiable. | Define key hierarchies per environment, dual-control ops, signed key-rotation records, verification precedence (ECDSA vs PQ), and audit logging; ship HSM/KMS policy guidance. | -| PS13 | Receipts schema & cache invalidation | Receipt structure is mentioned but not versioned; no rules for cache TTL, re-issuance when evidence/policy changes, or signing requirements. | Stale receipts may circulate; auditors cannot trust replay date/tool versions. | Version receipt schema, include verifier version/time, anchor IDs, tool hashes, policy hash; require DSSE signing; enforce cache TTL and auto-invalidate on anchor/policy change. | -| PS14 | Performance/backpressure & dedup | No throughput/latency SLOs, queue/backpressure rules, or deduplication of envelopes for identical inputs. | Service overload or ballooning storage; duplicate envelopes inflate Merkle roots. | Define SLOs and per-tenant quotas; require deduplication by hash/predicate; add idempotent processing with backoff and metrics on drops/retries. | - -## Immediate follow-ups -- Add a gaps-remediation task to `SPRINT_0401_0001_0001_reachability_evidence_chain` (or create a new sprint for the proof spine) covering PS1–PS14 with owners/dates. -- Publish signed JSON Schemas, Merkle recipe, and test vectors for evidence/reasoning/VEX/spine/receipt; wire canonicalization tests into CI. -- Draft TrustAnchor lifecycle/rotation policy (dual-control, revocation handling, ambiguity fail-closed) and update Authority/Policy docs accordingly. 
-- Define offline proof-kit packaging + verifier script and include metrics/alerts/runbooks for verification drift and anchor conflicts. - -# Findings – Gaps in “Time-to-Evidence (TTE) Metric” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` - -**Method:** Evaluated TTE proposal against StellaOps UX/telemetry architecture (UI sprints 0209/0215, Telemetry core 0180). Focused on instrumentation fidelity, data quality, SLO coverage, caching/streaming readiness, offline/tenant safety, and governance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| TTE1 | Proof eligibility definition | “First proof” not formally defined (what counts as proof per surface; screenshots vs raw artifacts). | Inconsistent measurement; teams may emit on summaries. | Define proof eligibility per surface (SBOM line with bomRef + hash, reachability edge with graph rev, VEX clause with evidence ID); forbid summaries; add contract tests. | -| TTE2 | Event schema/versioning | Event fields are informal; no schema/version, tenant scope, or PII redaction guidance. | Broken joins and leakage across tenants; dashboards unreliable. | Publish versioned `tte-event.schema.json` with required fields (finding_id, tenant_id, proof_kind, source, ui_version, synthetic flag), redaction rules, and validation in collectors. | -| TTE3 | Correlation & dedupe | No guidance on deduping multiple `proof_rendered` events per open, retries, or tab refresh. | Over-counting inflates TTE; noisy alerts. | Define correlation rules (per finding_id + view instance), keep first-proof TTE canonical, bucket retries separately; add idempotency key. | -| TTE4 | Sampling & bot exclusion | Sampling hinted but no hard targets, bot filters, or synthetic tagging. | Skewed metrics; false regressions. 
| Require 100% in staging, ≥50% prod with bot/synthetic exclusion flag; document filter and include in rollups. | -| TTE5 | SLO scope & budgets | P95=15s stated globally; no per-surface SLOs, error budgets, or burn alerts. | Hot pages regress without alarms; mixed workloads masked. | Set per-surface SLOs (list/detail/deep-link, per proof_kind), define 28-day error budget and burn alerts; add regression guard in CI. | -| TTE6 | Backend readiness (indexes/streaming) | Pre-index/streaming called out but no required indexes, chunk sizes, or fallback for cold caches. | P95 fails in prod despite UI work. | Mandate indexes (pkg@version, graph node, bomRef), first-chunk SLA (<200ms), cache warmers for top-N findings, and fallback to cached proof slice. | -| TTE7 | Offline/air-gap mode | No rules for TTE when offline kits are used (local proofs) or when proofs are unavailable. | Air-gapped users show infinite TTE or misleading empties. | Define offline TTE path: local proof sources, explicit “offline proof unavailable” state, separate `source=offline_kit`; exclude from online SLO or bucket separately. | -| TTE8 | Alerting & dashboards | Dashboards listed but no alert policies, runbooks, or ownership. | Slow drift unnoticed; no on-call action. | Create alert rules (P95>15s 15m, P99>30s 15m) with owners, runbook, and suppression windows; add weekly trend review. | -| TTE9 | Governance & release gates | No requirement to block releases on TTE regression or to store baselines. | Regressions ship silently. | Add release check: compare P95 vs previous release by proof_kind/page; block if >20% regression unless waived; store baseline snapshots. | -| TTE10 | Accessibility & layout | Evidence-above-fold rule stated but no viewport spec, keyboard/a11y checks, or fallback for long proofs. | Users may still miss proof or fail accessibility audits. 
| Define viewport targets (e.g., 1366x768), a11y checks (ARIA/Tab order for proof panel), truncation rules with “copy full proof”, and Playwright a11y test for TTE scenarios. | - -## Immediate follow-ups -- Add TTE1–TTE10 remediation task `TTE-GAPS-0215-011` to Sprint `SPRINT_0215_0001_0001_vuln_triage_ux` (primary UI owner) with telemetry alignment to Sprint `SPRINT_0180_0001_0001_telemetry_core`. -- Publish `tte-event.schema.json`, proof eligibility rules per surface, sampling/bot filters, per-surface SLO/error budgets, required indexes/streaming SLOs, offline-kit handling, alert/runbook, release gate, and a11y/viewport test cases. - -# Findings – Gaps in Archived November Advisories (15–23 Nov 2025) - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** All advisories in `docs/product-advisories/archived/` dated 15–23 Nov 2025 (e.g., embedded in-toto provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, reachability corpus, etc.). - -**Method:** Skimmed each archived advisory and consolidated common gaps; focused on missing schemas, determinism/replay rules, tenant/redaction, offline parity, and ownership. Kept to 1–2 high-impact gaps per advisory to seed backlog without expanding scope excessively. - -## Gap Table -| Advisory (archived) | Gap ID | Gap | Impact | Recommendation | -| --- | --- | --- | --- | --- | -| Embedded in-toto provenance events | AR-EP1 | No canonical event/predicate schema or DSSE requirement; relies on narrative. | Provenance unverifiable; toolchain drift. | Publish `provenance-event.schema.json`, require DSSE, include tool version + policy hash; add fixtures. | -| Function-level VEX explainability | AR-FX1 | Lacks stable IDs for function nodes/edges and reachability proofs. | Explanations not replayable; links break. | Define function-node ID scheme, require graph_rev, shortest-path proof bundle; add determinism tests. 
| -| Serdica census Excel import blueprint | AR-SE1 | No PII redaction or checksum rules for Excel ingest. | Data leakage; non-deterministic imports. | Add redaction/allowlist, checksum manifest, DSSE receipt per import, and replay script. | -| Proof spine for quiet alerts | AR-PS1 | “Proof spine” undefined (hash recipe, bundle layout, failure cases). | Quiet alerts un-auditable. | Standardize spine (hash algo, ordering, failure records), DSSE-sign, and ship fixtures. | -| Scanner roadmap diff-aware rescans | AR-SR1 | No determinism guards (seed/time clamp) for rescans. | Drift across runs; flaky diffs. | Enforce fixed seeds/UTC, sorted outputs, golden diffs CI. | -| Layer-SBOM cache hash reuse | AR-LS1 | Cache key recipe unspecified (layer ordering, tar flags, compression). | Cache collisions/misses; incorrect reuse. | Define canonical key recipe (ordered layer digests, normalized tar, compression flags) and validators. | -| Multi-runtime reachability corpus | AR-MR1 | Corpus lacks licensing/provenance and ground-truth assertions. | Legal risk; unvalidated results. | Add license metadata, expected reachability assertions, DSSE-signed manifest. | -| SPDX canonical persistence / CycloneDX interchange | AR-SX1 | No canonicalization rules (ordering, whitespace, encoding) across SPDX↔CDX. | Hash drift; signature breakage. | Publish canonicalization spec + round-trip tests, DSSE-sign outputs. | -| Validation plan for quiet scans (diff-CI) | AR-VQ1 | No acceptance thresholds or negative/failure fixtures. | Quiet scans may suppress real issues. | Define threshold matrix, include failure/edge fixtures, CI gate on false-negative budget. | -| SBOM-Provenance-Spine (17 & 18 Nov) | AR-SP1 | Duplicate advisories; spine lacks versioning and Merkle recipe. | Divergent implementations; audit gaps. | Declare single canonical doc, versioned spine schema, Merkle/hash recipe, DSSE signing. 
| -| Stripped-ELF reachability | AR-SEF1 | No symbol-stripping fallback (DWARF absent) or redaction rules. | Binaries unprovable; PII path leaks. | Require fallback heuristics, redaction, and proof attestation format. | -| Binary Reachability Engine | AR-BR1 | Performance/SLOs and determinism seeds absent. | Non-reproducible graphs; timeouts. | Set seed/time clamps, path-ordering rules, perf SLO, golden graphs CI. | -| C# Binary Analyzer | AR-CS1 | No PURL mapping or IL-level canonical IDs. | Findings not linkable to packages; unstable links. | Define IL symbol IDs + PURL mapping rules; add hash anchors. | -| Patch Oracles | AR-PO1 | Oracle decision schema undefined; no audit trail. | Wrong patch suggestions; untraceable. | Create oracle schema with inputs, decision, confidence, evidence; DSSE-sign and log. | -| Unknowns Registry (18 Nov) | AR-UR1 | Registry schema/versioning missing; decay logic undefined. | Unknowns pile up; inconsistent triage. | Version registry schema, define decay/expiry fields, audit trail, and offline export. | -| ELF Build-ID mapping | AR-BI1 | Build-ID→PURL mapping recipe not specified; no collision policy. | Misattribution; trust breaks. | Define mapping algorithm, collision handling, attestation with subject hashes. | -| .init_array constructors as reachability roots | AR-IA1 | No rule for weighting/ordering roots or de-duplication. | Over/under-approx reachability. | Specify root precedence, dedupe, and evidence bundle with graph_rev. | -| Reachability & Moat Watch updates | AR-MW1 | No change-log or checkpoint signing for updates. | Consumers can’t track or trust updates. | Add signed checkpoints, changelog, and freshness SLA. | -| Encoding binary reachability with PURL edges | AR-PE1 | Edge encoding schema not versioned; arch-specific fields absent. | Cross-arch drift; parsing errors. | Version edge schema, require arch/endianness, hash of binaries, and fixtures. 
| -| Where Stella Ops Can Truly Lead | AR-ML1 | Positioning lacks measurable targets or evidence asks. | Strategy not actionable. | Add 3–5 measurable targets (perf/SLO, replay fidelity) with proof requirements and owners. | -| Benchmarking determinism in vuln scoring | AR-BD1 | No benchmark corpus or scoring reproducibility rules. | Claims unproven; regressions undetected. | Publish corpus + expected scores, hash manifest, DSSE results, CI reruns. | -| Publishing a reachability benchmark dataset | AR-RD1 | Dataset packaging/licensing undefined; no integrity attestation. | Cannot redistribute or verify. | Add license metadata, manifest + hashes, DSSE attestation, offline kit. | -| Stella Ops vs Competitors | AR-SC1 | Comparison lacks normalized criteria or evidence links. | Biased/unsupported claims. | Define criteria table, data sources, timestamps; include raw evidence links. | -| Verifying Binary Reachability via DSSE Envelopes (archived copy) | AR-VB1 | Archived version lacks current DSSE predicate and Merkle recipe updates. | Divergence from active spec. | Mark superseded; link to active advisory; provide migration notes. | - -## Immediate follow-ups -- Add an “Archived Advisories Gaps” tracker row to the relevant documentation sprint (e.g., `SPRINT_300_documentation_process`) to decide which archived topics merit revival; start with high-signal engine/graph items (AR-BR1, AR-SEF1, AR-PE1) and provenance items (AR-EP1, AR-SP1). -- For any archived advisory revived, create a fresh canonical advisory and sprint tasks; retire duplicates (e.g., SBOM-Provenance-Spine) with clear supersede notes. - -### Per-advisory gap summaries (archived) - -| Advisory | Concise Gap | Recommendation | -| --- | --- | --- | -| Where Stella Ops Can Truly Lead | Strategy brief lacks measurable targets and evidence asks. | Define 3–5 measurable targets (perf/SLO, replay fidelity) with required evidence links and owners. 
| -| Benchmarking Determinism in Vulnerability Scoring | No corpus/expected scores; reproducibility undefined. | Publish benchmark corpus + expected scores with hash manifest and DSSE results; add CI rerun gate. | -| Binary-Reachability-Engine | Missing determinism seeds/time clamps and perf SLOs. | Fix seeds/UTC, path-ordering rules, perf SLO, golden graphs CI. | -| Branch · Attach ELF Build‑IDs for Stable PURL Mapping | Mapping recipe/collision policy absent. | Define Build-ID→PURL algorithm, collision handling, attestation with subject hashes. | -| Branch · Model .init_array Constructors as Reachability Roots | Root weighting/dedup rules missing. | Specify root precedence, dedupe policy, and graph_rev-bound evidence bundle. | -| Branch · Reachability & Moat Watch — Verified 2025 Updates | No signed checkpoints/changelog. | Add signed checkpoints with freshness SLA and changelog; distribute via DSSE snapshot. | -| CSharp-Binary-Analyzer | No IL symbol IDs or PURL mapping rules. | Define IL symbol ID + PURL mapping with hash anchors; add fixtures. | -| DSSE-Signed Offline Scanner Updates | (Archived) No canonical DSSE predicate or offline kit recipe. | Publish predicate schema, offline bundle layout, and verifier script with hashes. | -| Encoding Binary Reachability with PURL‑Resolved Edges | Edge schema unversioned; arch fields missing. | Version edge schema; require arch/endianness/binary hash; add fixtures. | -| Patch-Oracles | Oracle decision schema/audit trail undefined. | Create decision schema (inputs, decision, confidence, evidence) with DSSE signing and logging. | -| Publishing a Reachability Benchmark Dataset | Packaging/licensing/integrity unclear. | Add license metadata, manifest + hashes, DSSE attestation, offline kit. | -| SBOM-Provenance-Spine (17 & 18 Nov) | Duplicate docs; spine lacks versioning/Merkle recipe. | Declare canonical version, publish schema + Merkle recipe, DSSE-sign; mark duplicate superseded. 
| -| Stella Ops vs Competitors | Criteria/evidence not normalized. | Define comparison criteria table, data sources/timestamps, and raw evidence links. | -| Storage Blueprint for PostgreSQL Modules | Patterns lack tenancy/isolation and PITR/SLA specifics. | Add tenant isolation, PITR/SLA baselines, deterministic migrations, and signed change log. | -| Stripped-ELF-Reachability | No fallback when symbols absent; redaction undefined. | Provide fallback heuristics, redaction rules, and proof attestation format. | -| Unknowns-Registry | Schema/versioning and decay/expiry logic missing. | Version registry schema; add decay/expiry fields, audit trail, offline export. | -| Verifiable Proof Spine Receipts and Benchmarks | Proof spine hash recipe undefined; benchmarks missing. | Standardize hash/ordering, include failure cases, DSSE-sign; publish benchmarks. | -| Verifying Binary Reachability via DSSE Envelopes (archived copy) | Archived version diverges from active spec. | Mark superseded; link to active advisory; provide migration notes. | -| embedded in-toto provenance events | No event schema or DSSE requirement. | Publish provenance-event schema; require DSSE; include tool/policy hashes. | -| function-level vex explainability | Missing stable function IDs/graph_rev binding. | Define function-node IDs, require graph_rev, shortest-path proof bundle, determinism tests. | -| ipal serdica census excel import blueprint | No PII redaction or checksum rules. | Add redaction/allowlist, checksum manifest, DSSE receipt per import, replay script. | -| layer-sbom cache hash reuse | Cache key recipe unspecified. | Define canonical key (ordered layer digests, normalized tar/compression flags) and validators. | -| multi-runtime reachability corpus | Lacks licensing/provenance and ground truth. | Add license metadata, expected reachability assertions, DSSE-signed manifest. | -| proof spine for explainable quiet alerts | Spine definition missing (hash recipe/failures). 
| Standardize spine schema/ordering, include failure records, DSSE-sign fixtures. | -| scanner roadmap with deterministic diff-aware rescans | No determinism guards or seeds. | Enforce fixed seeds/UTC, sorted outputs, golden diff CI. | -| spdx canonical persistence cyclonedx interchange | No canonicalization rules across SPDX↔CDX. | Publish canonicalization spec + round-trip tests; DSSE-sign outputs. | -| validation plan for quiet scans provenance diff-ci | Lacks acceptance thresholds and negative fixtures. | Define thresholds and failure/edge fixtures; gate CI on false-negative budget. | - -## Archived advisory stubs (per-advisory headings) -*These stubs reference the consolidated AR-* gap table above; no additional gaps beyond that table.* - -# Findings – Gaps in “Where Stella Ops Can Truly Lead” -See AR-ML1 in the archived gap table. - -# Findings – Gaps in “ Where Stella Ops Can Truly Lead” -See AR-ML1 in the archived gap table; archived filename contains a leading space. - -# Findings – Gaps in “Benchmarking Determinism in Vulnerability Scoring” -See AR-BD1 in the archived gap table. - -# Findings – Gaps in “Binary-Reachability-Engine” -See AR-BR1 in the archived gap table. - -# Findings – Gaps in “Branch · Attach ELF Build‑IDs for Stable PURL Mapping” -See AR-BI1 in the archived gap table. - -# Findings – Gaps in “Branch · Model .init_array Constructors as Reachability Roots” -See AR-IA1 in the archived gap table. - -# Findings – Gaps in “Branch · Reachability & Moat Watch — Verified 2025 Updates” -See AR-MW1 in the archived gap table. - -# Findings – Gaps in “CSharp-Binary-Analyzer” -See AR-CS1 in the archived gap table. - -# Findings – Gaps in “DSSE-Signed Offline Scanner Updates” -See AR-DS1 in the archived gap table. - -# Findings – Gaps in “Encoding Binary Reachability with PURL‑Resolved Edges” -See AR-PE1 in the archived gap table. - -# Findings – Gaps in “Patch-Oracles” -See AR-PO1 in the archived gap table. 
- -# Findings – Gaps in “Publishing a Reachability Benchmark Dataset” -See AR-RD1 in the archived gap table. - -# Findings – Gaps in “SBOM-Provenance-Spine” -See AR-SP1 in the archived gap table. - -# Findings – Gaps in “SBOM-Provenance-Spine” -See AR-SP1 in the archived gap table; duplicate advisory, treat 18-Nov version as canonical. - -# Findings – Gaps in “Stella Ops vs Competitors” -See AR-SC1 in the archived gap table. - -# Findings – Gaps in “Storage Blueprint for PostgreSQL Modules” -See AR-SB1 in the archived gap table. - -# Findings – Gaps in “Stripped-ELF-Reachability” -See AR-SEF1 in the archived gap table. - -# Findings – Gaps in “Unknowns-Registry” -See AR-UR1 in the archived gap table. - -# Findings – Gaps in “Verifiable Proof Spine Receipts and Benchmarks” -See AR-VP1 in the archived gap table. - -# Findings – Gaps in “Verifying Binary Reachability via DSSE Envelopes” -See AR-VB1 in the archived gap table. - -# Findings – Gaps in “embedded in-toto provenance events” -See AR-EP1 in the archived gap table. - -# Findings – Gaps in “function-level vex explainability” -See AR-FX1 in the archived gap table. - -# Findings – Gaps in “ipal serdica census excel import blueprint” -See AR-SE1 in the archived gap table. - -# Findings – Gaps in “layer-sbom cache hash reuse” -See AR-LS1 in the archived gap table. - -# Findings – Gaps in “multi-runtime reachability corpus” -See AR-MR1 in the archived gap table. - -# Findings – Gaps in “proof spine for explainable quiet alerts” -See AR-PS1 in the archived gap table. - -# Findings – Gaps in “scanner roadmap with deterministic diff-aware rescans” -See AR-SR1 in the archived gap table. - -# Findings – Gaps in “spdx canonical persistence cyclonedx interchange” -See AR-SX1 in the archived gap table. - -# Findings – Gaps in “validation plan for quiet scans provenance diff-ci” -See AR-VQ1 in the archived gap table. 
- -# Findings – Gaps in “Rekor Receipt Checklist for Stella Ops” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` - -**Method:** Compared checklist to Authority/Attestor receipt requirements and DSSE/Rekor v2 posture. Focused on canonical schema, inclusion proof freshness, subject binding, provenance, offline verification, and governance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| RR1 | Versioned receipt schema | Checklist lists fields but no versioned/signed JSON Schema for receipts or catalog. | Drift across services; clients accept malformed receipts. | Publish `rekor-receipt.schema.json` and signed schema catalog; enforce validation in issuer/consumer. | -| RR2 | Inclusion proof & checkpoint | Inclusion proof/checkpoint optional; no freshness/window rules. | Receipts can be replayed after log forks or stale checkpoints. | Require inclusion proof + log checkpoint hash, shard, and max age; fail receipts outside window. | -| RR3 | Subject & policy binding | Receipt doesn’t mandate subject hash, policy/lattice hash, or trust profile. | Auditors can’t bind receipt to the evaluated object/policy. | Make subject digest, policy hash, and trust profile mandatory fields; include in DSSE payload. | -| RR4 | Client provenance | Client version/flags/TUF snapshot not captured. | Hard to audit which verifier path created receipt; incompatibility hidden. | Record client version, build hash, config flags, and TUF snapshot in receipt metadata. | -| RR5 | Time integrity | TSA/clock-drift guardrails absent; no signed time source. | Stale or backdated receipts reduce evidentiary value. | Require TSA stamp or trusted time source ID and drift threshold; reject receipts beyond skew. 
| -| RR6 | Offline/air-gap verification | Checklist omits offline verifier inputs/outputs and failure codes. | Air-gapped users can’t validate receipts deterministically. | Ship offline verify script spec (inputs: receipt, bundle, checkpoint; outputs: exit codes, hashes); include in kit. | -| RR7 | Mirror bridging | No rules for mirroring Rekor receipts/checkpoints into offline mirrors. | Mirror freshness and tamper-evidence unclear. | Define mirror snapshot format (checkpoint + entries + DSSE), freshness SLA, and hash manifest for import. | -| RR8 | Retention/governance | Retention/rotation and redaction not specified. | Receipts may be pruned/rotated without audit trail. | Set retention policy, rotation rules, legal hold, and DSSE-signed rotation records. | -| RR9 | Alerting/observability | No metrics/alerts for receipt failures or checkpoint staleness. | Failures go unnoticed; weak operational posture. | Add metrics/alerts for validation failures, checkpoint age, TSA errors; surface SLOs. | -| RR10 | Multi-tenant isolation | Tenant scoping and PII redaction rules absent. | Receipts could leak tenant data when exported. | Require tenant ID scoping, optional redaction map, and isolation tests for exports. | - -## Immediate follow-ups -- Track RR1–RR10 under `REKOR-RECEIPT-GAPS-314-005` in Sprint `SPRINT_0314_0001_0001_docs_modules_authority`. -- Publish signed schema/catalog, mandate inclusion proof freshness, subject/policy binding, client provenance, time integrity, offline verify script, mirror snapshot rules, retention governance, observability SLOs, and tenant-safe exports. - -# Findings – Gaps in “Standup Sprint Kickstarters” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Standup Sprint Kickstarters.md` - -**Method:** Reviewed the kickstarter checklist against sprint governance rules. 
Focused on deterministic ceremonies, dependency capture, evidence of readiness, and offline-friendly coordination. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| SK1 | Template conformance | Kickstarters don’t map to the sprint template (Topic/Scope, Dependencies, Docs prereqs). | Teams improvise structure; omissions persist. | Add a canonical “kickstarter” template aligned to sprint template; enforce via docs lint. | -| SK2 | Readiness evidences | No requirement to show artefacts (schemas, fixtures, AGENTS) before moving tasks to DOING. | Tasks start without prerequisites; rework later. | Require a readiness checklist + evidence links per task before status changes. | -| SK3 | Dependency ledger | Dependencies captured ad hoc; no immutable ledger or owners. | Blockers rediscovered during sprint; sequencing unclear. | Add dependency ledger with owner/date/SLO; link into Decisions & Risks. | -| SK4 | Time-box & exit criteria | Standup goals lack time-box and measurable exit. | Standups sprawl; no clear “done” signal. | Define 15–20 min time-box with explicit exit criteria and fast-follow actions. | -| SK5 | Cross-timezone coverage | No asynchronous path for distributed teams; relies on live attendance. | Remote teams miss blockers; delays accumulate. | Provide async standup template (thread/checklist) with deterministic update window and archival rules. | -| SK6 | Evidence persistence | Updates not required to be committed (e.g., Execution Log). | Knowledge lost; audits impossible. | Require standup outcomes appended to sprint Execution Log with date/owner. | -| SK7 | Risk/decision capture | Decisions/risks from standups not mandated to land in sprint section. | Decisions drift; mitigations forgotten. | Add “decisions/risks delta” subsection per standup; link to docs/ADRs if opened. | -| SK8 | Offline/air-gap posture | No guidance for air-gapped teams (no cloud boards/chat). 
| Air-gapped execution breaks comms trail. | Provide offline-friendly workflow (filesystem logs + git commits), banned services list, and export scripts. | -| SK9 | Metrics & SLOs | Success metrics for standups not defined (lead time/blocker clear rate). | No feedback loop; ceremonies may not improve outcomes. | Track basic metrics per sprint: blockers cleared/day, carryover, average task start latency; review weekly. | -| SK10 | Role clarity | Roles (facilitator, note-taker, decision owner) not assigned. | Decisions get lost; action items drift. | Add mandatory role assignment per standup with rotation; record in Execution Log. | - -## Immediate follow-ups -- Add SK1–SK10 remediation task to Sprint `SPRINT_300_documentation_process` with owners/dates; enforce kickstarter template + evidence/ledger rules. -- Publish offline-friendly/async variants, metrics, and role checklist; add docs lint to block PRs without populated kickstarter sections. - -# Findings – Gaps in “UI Micro-Interactions for StellaOps” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md` - -**Method:** Compared micro-interaction brief to UI guild standards (accessibility, determinism, offline, perf). Focused on tokens, reduced-motion, telemetry, testing, and error/latency handling. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| MI1 | Motion tokens | Doc lists examples but no tokenized durations/easing curves or theme slots. | Inconsistent motion; hard to enforce reduced-motion. | Define motion tokens (durations, easings, distances) in design tokens; gate via lint. | -| MI2 | Reduced motion/a11y | No rule for `prefers-reduced-motion`, focus traps, or SR copy on micro-interactions. | A11y regressions; fails audits. | Require reduced-motion variants, focus order tests, ARIA labels for animated elements. 
| -| MI3 | Performance budgets | No FPS/latency budgets or CPU/GPU cap per animation. | Jank on low-end devices; perf regressions unnoticed. | Set budgets (e.g., <16ms main thread), add perf tests in CI, document fallback to static states. | -| MI4 | Offline/slow-network states | Micro-interactions assume online responses; no skeletons/timeouts strategy. | Bad UX in offline/slow links; spinner stalls. | Add skeleton/timebox patterns, retry/backoff rules, and offline banners per interaction type. | -| MI5 | Error & cancellation states | Missing guidance for cancel/undo animations and error toasts alignment. | Users can’t recover gracefully; inconsistent messaging. | Standardize cancel/undo affordances, error toast placement/content, and motion for failure paths. | -| MI6 | Cross-surface consistency | No contract tying micro-interactions to component library tokens. | Different surfaces diverge; reuse is low. | Map interactions to shared components; include UX conformance checklist in Storybook docs. | -| MI7 | Telemetry & experiments | No instrumentation schema or flag strategy. | Can’t measure adoption or regressions; risky rollouts. | Define event schema (interaction id, duration, success/fail), add feature flags + A/B hooks, and privacy notes. | -| MI8 | Determinism & tests | Tests/examples missing deterministic seeds and snapshot rules. | Animations flake in CI; screenshots unstable. | Add deterministic animation seeds, Playwright screenshot rules, and golden snapshots per key interaction. | -| MI9 | Accessibility of micro-copy | Micro-copy for tooltips/toasts not standardized or localized. | Inconsistent wording; i18n gaps. | Provide micro-copy catalogue + localization keys; enforce in lint/tests. | -| MI10 | Dark/light/contrast | No guidance for contrast/theming of micro-states. | Poor contrast in certain themes; fails WCAG. | Define theme-aware tokens for hover/active/disabled; add contrast tests. 
| - -## Immediate follow-ups -- Add MI1–MI10 remediation task to UI Sprint `SPRINT_0209_0001_0001_ui_i` (or UI II/III if preferred) with owners and dates. -- Publish motion/telemetry/testing tokens, reduced-motion rules, offline/error patterns, component mappings, and theme-aware micro-copy guidance; add Playwright/a11y checks to CI. - -# Findings – Gaps in “Proof-Linked VEX UI Developer Guidelines” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** Proof-linked VEX UI spec provided in chat (Not Affected badge → proof drawer pattern) - -**Method:** Reviewed provided spec against VEX Explorer/Explain drawers, DSSE integrity, offline parity, and scope/tenancy rules. Focused on security, determinism, caching, accessibility, and replayability. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| PVX1 | API auth/tenant scope | Spec omits required scopes/tenant headers for proof endpoints. | Proof links could leak across tenants or bypass scope checks. | Require `vex.read`, `findings.read`, `downloads.read` scopes and tenant header; add 403 handling in UI. | -| PVX2 | Caching & staleness | Drawer fetch/HEAD calls lack cache/staleness policy. | Users may see stale proofs or hammer endpoints. | Define cache headers, ETag use, max-age, and staleness banners; add retry/backoff rules. | -| PVX3 | Integrity verification depth | Drawer compares digest headers only; no signature/DSSE verify client-side. | MitM could swap payload with matching digest header spoof. | Add optional client-side DSSE/signature verification (WebCrypto) or enforce signed response headers + pinned keys. | -| PVX4 | Error/failure UX | No UX for proof download failures, timeouts, or partial retries. | Users stuck on spinner; unclear next steps. | Add timeout/error states, retry with backoff, and “report mismatch” action that logs correlation ID. 
| -| PVX5 | Offline/air-gap mode | Offline kit bundle path mentioned only as “nice-to-have”; not specified. | Air-gapped reviewers can’t open proofs or graph slices. | Define offline bundle format (tar.zst + manifest + digests), UI fallback to local files, and verify script hook. | -| PVX6 | Evidence completeness rules | “At least one proof” rule exists but no prioritization when multiple proofs absent. | Inconsistent badges; trust dilution. | Define precedence (DSSE > attestation > graph), badge states per combination, and gating rules before showing green badge. | -| PVX7 | Telemetry schema/privacy | Events listed but no schema, PII redaction, or sampling controls. | Telemetry may capture sensitive findings; GDPR risk. | Define event schema with redaction, sampling, retention; add opt-out and per-tenant export. | -| PVX8 | URL/permalink signing | Permalinks suggested but not protected against tampering. | Shared URLs could be forged to different nodes. | Sign permalink params (HMAC) or include consensus/graph hash; validate on open. | -| PVX9 | Consistency between VEX Explorer & Findings | Spec doesn’t define reconciliation when Explorer status conflicts with Findings verdict. | Users see conflicting states; trust drops. | Add rule: show warning banner when consensus revision ≠ policy revision; deep-link to both views with revision info. | -| PVX10 | QA fixtures & contracts | No test fixtures/contracts for drawer + API responses. | Hard to implement consistently; regressions untested. | Ship fixture JSON for full/partial/fail cases; add Playwright tests for drawer states and contract tests for endpoints. | - -## Immediate follow-ups -- Add PVX1–PVX10 remediation task to Sprint `SPRINT_0215_0001_0001_vuln_triage_ux` (proof-linked VEX UI) with owners/dates. 
-- Update VEX Explorer/Findings UI + APIs to enforce scopes/tenant headers, caching/staleness policy, stronger integrity verification, failure UX, offline bundle support, evidence precedence, telemetry schema, signed permalinks, revision reconciliation, and fixtures/tests. - -# Findings – Gaps in “Unknowns Decay & Triage Heuristics” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` - -**Method:** Reviewed the heuristic advisory and compared with Signals/Unknowns registry work (Sprint `SPRINT_0140_0001_0001_runtime_signals`) and prior decay/unknowns gaps. Focused on making decay/triage enforceable, deterministic, measurable, and offline-ready. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| UT1 | Heuristic catalog & schema | Heuristics listed narratively; no signed/Versioned schema or catalog with IDs, weights, thresholds. | Inconsistent application; hard to audit or evolve safely. | Publish `unknowns-heuristics.catalog.json` with IDs/weights/params and DSSE-sign; enforce via validator in Signals. | -| UT2 | Deterministic scoring path | Heuristics mention time/decay but no canonical formula, seed, or ordering rules. | Non-deterministic triage scores; replay breaks. | Define canonical scoring formula (inputs, ordering, rounding, UTC/monotonic clock); add multi-run hash test. | -| UT3 | Data quality bands | No quality/confidence bands for unknowns inputs (entropy hints, symbol matches). | Low-quality signals may overrule strong ones; explainability weak. | Add quality bands and minimum data-quality gate; expose in API/UI; block heuristics if quality < threshold. | -| UT4 | Suppression/waiver policy | Suppression/waiver of unknowns not defined (expiry, approvers, evidence). | Unknowns can be suppressed silently; audit gaps. 
| Require DSSE-signed waiver with reason/expiry/approver; surface in ledger/UI; block auto-suppression. | -| UT5 | SLA/priority coupling | Triage heuristics not tied to SLA classes or severity bands. | High-priority unknowns may decay or be deprioritized incorrectly. | Bind heuristics to SLA/priority matrix; clamp decay for SLA-critical classes; expose in config. | -| UT6 | Offline parity | No offline kit guidance for heuristics/decay config or cached signals. | Air-gapped users can’t reproduce triage results. | Ship heuristics catalog + decay config + cached signals in offline kit with hashes/DSSE + verify script. | -| UT7 | Observability & alerts | No metrics/alerts for heuristic outcomes (unknowns escalating/dropping) or decay job failures. | Failures go unnoticed; risk mis-prioritization. | Add metrics/alerts: unknowns_by_quality, decay_job_latency, waiver_expiry, offline_cache_age; include dashboards. | -| UT8 | Backfill/migration rules | No plan to backfill existing unknowns with new heuristic fields/bands. | Legacy records inconsistent; comparisons invalid. | Define migration/backfill script to populate heuristic scores/bands; add migration checksum report. | -| UT9 | Explainability UX | Advisory doesn’t specify UI fields for heuristic contribution, quality, decay, waiver. | Users can’t trust triage results; auditors lack detail. | Add UI/API fields: `heuristicScores[]`, `qualityBand`, `decayApplied`, `waiverId`; include in exports. | -| UT10 | Testing & fixtures | No fixture suite to validate heuristic scoring/decay/waiver flows. | Regressions undetected; behavior drifts across releases. | Create fixtures/tests for each heuristic and decay path; include golden outputs and hash checks; run in CI. | - -## Immediate follow-ups -- Add an unknowns-heuristics gaps task to Sprint `SPRINT_0140_0001_0001_runtime_signals.md` to close UT1–UT10 with owners/dates. 
-- Publish signed heuristic catalog and deterministic scoring rules; add quality bands, waiver policy, SLA coupling, offline kit contents, observability/alerts, backfill plan, UX fields/exports, and fixtures with golden outputs. - -# Findings – Gaps in “Graph Analytics and Dependency Insights” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Graph Analytics and Dependency Insights.md` - -**Method:** Reviewed the graph analytics advisory against graph API/indexer sprints (0207/0141) and evidence chain needs. Focused on schema/versioning, determinism, privacy/tenant isolation, performance budgets, and offline/export parity. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| GA1 | Analytics schema/versioning | Metrics/analytics outputs not tied to versioned schemas or canonical JSON/CSV rules. | Consumers may misparse; hash-based reproducibility fails. | Publish versioned schemas for analytics outputs (centrality, clusters, diffs) with canonical serialization and test vectors. | -| GA2 | Determinism & repeatability | Advisory asserts deterministic analytics but no rerun-hash CI or seed control for algorithms (e.g., Louvain). | Runs may drift, undermining reproducibility claims. | Require fixed seeds/configs; add multi-run hash CI; document tolerances per algorithm. | -| GA3 | Privacy/PII & tenant isolation | No redaction/aggregation rules for sensitive fields or tenant-scoped analytics; cross-tenant leakage risk. | Analytics exports could expose tenant data. | Enforce tenant scoping, redaction/aggregation rules; produce redacted/public variants; add isolation tests. | -| GA4 | Baseline datasets & fixtures | No canonical fixtures/baselines for analytics metrics. | Regressions undetected; hard to compare vendors. | Publish baseline datasets with expected metrics/hashes; include in CI and benchmark kits. 
| -| GA5 | Performance/budget envelopes | No explicit limits for query cost, tile sizes, or analytics job budgets. | Jobs may exhaust resources; DoS risk. | Set budgets/quotas per tenant/job; expose metrics/alerts; enforce in API. | -| GA6 | Explainability of analytics | Advisory doesn’t require exposing reason/inputs for scores (centrality, clusters). | Users can’t audit why a score was produced. | Include inputs/rationale in outputs (parameters, seeds, data slice, revision IDs); link to evidence/graph revision. | -| GA7 | Export/format determinism | Multiple export formats mentioned but no checksum/manifest requirements. | Exports may be non-reproducible; offline parity weak. | Require checksum manifest + DSSE for analytics exports; canonical ordering; include graph_revision_id. | -| GA8 | Algorithm versioning | Algorithm versions/implementations not recorded. | Metric changes invisible; audits impossible. | Record algorithm name/version and implementation hash in outputs; include in manifests. | -| GA9 | Offline/air-gap parity | No requirement to bundle analytics outputs for offline verification. | Air-gapped users can’t verify or compare analytics. | Provide offline analytics bundle schema + verify script; include seeds, configs, manifests, hashes. | -| GA10 | Governance/change log | No change-log or SemVer for analytics outputs/APIs. | Breaking changes propagate silently. | Adopt SemVer + CHANGELOG for analytics schemas/APIs; embed version in outputs. | - -## Immediate follow-ups -- Add a graph analytics gaps task to Sprint `SPRINT_0207_0001_0001_graph.md` (or related graph/indexer sprint) to close GA1–GA10. -- Publish analytics schemas, seeds/configs, and baseline fixtures; enforce determinism/quotas, add DSSE-signed manifests, privacy/redaction rules, algorithm/version metadata, and offline bundle/verify scripts with changelog governance. 
- -# Findings – Gaps in “Mirror and Offline Kit Strategy” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Mirror and Offline Kit Strategy.md` - -**Method:** Reviewed the mirror/offline kit strategy against mirror creator sprints (0125/0150) and offline/air-gap requirements. Focused on manifest integrity, DSSE/TUF, time anchors, delta correctness, tenant scoping, and distribution safety. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| MS1 | Manifest schema/versioning | Mirror manifest/layout described but no signed/ versioned schemas. | Tools may generate incompatible mirrors; verification unreliable. | Publish signed schemas for mirror manifest/index (full/delta) with canonical JSON rules and test vectors. | -| MS2 | DSSE/TUF policy & key rotation | DSSE/TUF profile noted but rotation, key manifest, and dual-sign (PQ/fips) rules not enforced. | Stale/compromised keys may be trusted; regional crypto gaps. | Require key manifest with validity/rotation, dual-sign options, and enforce in build/verify; include in bundle. | -| MS3 | Delta correctness & tombstones | Mirror delta creation lacks formal algorithm, tombstone handling, and base-hash binding. | Deltas may miss/delete incorrectly; replay breaks. | Define delta spec (base hash, added/removed/tombstones), include in manifest, add fixtures/CI. | -| MS4 | Time anchor & checkpoint freshness | Time-anchor hooks exist but no freshness SLA or verification in mirror kits. | Stale bundles may be accepted in air-gap; audit weakened. | Require time-anchor token + freshness window in manifest; verify during import; fail stale. | -| MS5 | Tenant/env scoping | Mirror bundles not mandated to carry tenant/env scope or to validate on import. | Cross-tenant data leakage or wrong-env import. | Include tenant/env in manifest + DSSE; import must fail on mismatch. 
| -| MS6 | Distribution integrity | OCI/FS distribution lacks required checksum/signature headers and immutability indicators. | Tampered mirrors could be ingested. | Enforce checksum + signature metadata for HTTP/OCI; require immutable object storage flags; verify on import. | -| MS7 | Chunking/size limits | No guidance for large mirrors or chunk manifests. | Transfers may fail or be partial; hard to verify. | Provide chunk manifest with per-chunk hashes (zstd/OCI layers), max size guidance, and streaming verify. | -| MS8 | Offline import/verify UX | Import/verify steps not formally specified (exit codes, scripts, failure modes). | Operators may skip checks; errors unclear. | Ship standard `mirror-verify.sh` with exit codes, required checks (schema, sig, hashes, time anchor, tenant), and negative tests. | -| MS9 | Observability & audit | No metrics/log schema for mirror creation/import, verification failures, or staleness. | Issues may go unnoticed; harder to audit. | Emit metrics/logs for build/import/verify (counts, failures, staleness); add alerts. | -| MS10 | Governance/change log | No SemVer/change log for mirror formats/profiles. | Breaking changes silently break consumers. | Adopt SemVer + CHANGELOG for mirror formats; embed version in manifest; block cross-major mixing. | - -## Immediate follow-ups -- Add a mirror/offline-kit gaps task to Sprint `SPRINT_0125_0001_0001_mirror.md` (or 0150 series) to close MS1–MS10. -- Publish signed schemas and delta/time-anchor specs; enforce DSSE/TUF policy with rotation, tenant/env scoping, distribution integrity, chunking limits, standard verify script, metrics/alerts, and SemVer/change log for mirror formats. 
- -# Findings – Gaps in “Concelier Advisory Ingestion Model” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Concelier Advisory Ingestion Model.md` - -**Method:** Reviewed the advisory versus Link-Not-Merge/AOC requirements and Concelier ingestion sprints (0115 series). Focused on schema governance, connector safety, provenance, determinism, and offline parity. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CI1 | Canonical observation schema/versioning | Observation/linkset structures shown but no published JSON Schema or versioning for AOC/Aggregation contracts. | Connectors may emit divergent shapes; validation inconsistent; replay unreliable. | Publish signed schemas (`observation.schema.json`, `linkset.schema.json`, `aoc.guard.json`), version them, and enforce via AOCVerifier/CI. | -| CI2 | Forbidden-field enforcement | AOC rules listed, but no explicit denylist/allowlist or Roslyn/analyzer test suite shipped. | Derived/merged fields could leak into ingestion, breaking AOC purity. | Ship analyzers + tests with a denylist (severity, fix, merged status, reachability) and enforce in CI; fail builds on violations. | -| CI3 | Provenance completeness | Signature presence noted but no required fields for signer identity, signature algorithm, or verification result. | Weak provenance; auditors cannot validate source authenticity. | Require provenance block with signer key ID, algorithm, verification status, Rekor/mirror ref; fail ingest on missing provenance. | -| CI4 | Feed snapshot governance | No policy for feed snapshot hashes/staleness per connector; offline bundles undefined for advisory feeds. | Non-deterministic ingestion; offline parity breaks. | Require feed snapshot manifest (hash, fetch time, source URL, signer) per connector; include in offline advisory bundle; enforce staleness windows. 
| -| CI5 | Conflict detection rules | Conflict model shown but no deterministic rules/thresholds for conflict detection or confidence scoring. | Inconsistent conflict reporting; hard to compare runs. | Define conflict types, detection rules, confidence rubric, and deterministic ordering; add tests. | -| CI6 | Idempotency keys & dedupe | Idempotent upsert mentioned but no canonical content-hash recipe or idempotency key per connector. | Duplicates or missed updates if connectors vary hashing. | Standardize content-hash recipe (normalized JSON, hash algo/encoding) and idempotency key; add test vectors. | -| CI7 | Multi-tenant isolation | Tenant claim required but no isolation tests or redaction rules for cross-tenant artifacts. | Cross-tenant leakage risk in shared stores/logs. | Add tenant-isolation tests and redaction guard; enforce tenant in IDs/queries; log rejection metrics. | -| CI8 | Connector safety & sandboxing | No safety baseline for connectors (rate limits, timeouts, schema validation before write, memory limits). | Connector defects can destabilize ingestion or accept malformed data. | Define connector SLOs/limits; add sandbox runner with time/mem caps and schema pre-validate before persistence. | -| CI9 | Offline/air-gap ingest & export | Advisory export format mentioned but not specified (hash lists, signatures, bundle schema). | Air-gap consumers can’t verify advisory bundles; replay breaks. | Define `advisory-bundle` schema (hash manifest + DSSE signature + feed snapshots); add CLI import/verify steps. | -| CI10 | Testing fixtures & benchmarks | No shared fixtures/benchmarks for connectors (OSV, GHSA, CSAF, vendor feeds). | Regression detection weak; connectors may break silently. | Provide fixture set + determinism tests per connector family; run in CI; publish hashes. | - -## Immediate follow-ups -- Add a Concelier ingestion gaps task to the relevant sprint (e.g., `SPRINT_0115_0001_0004_concelier_iv` or nearby Concelier sprint) to close CI1–CI10. 
-- Publish signed schemas and hashing recipes; enforce AOC denylist via analyzers; add provenance requirements, snapshot governance, conflict rules, connector sandbox limits, offline bundle schema, and fixture-based CI. - -# Findings – Gaps in “Notification Rules and Alerting Engine” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Notification Rules and Alerting Engine.md` - -**Method:** Read the advisory, compared with Notifier sprints (0170/0171/0172) and current code/contracts in `src/Notifier/StellaOps.Notifier` (rules, connectors, storm breaker, ack tokens). Focused on determinism, RBAC/tenant isolation, provenance, offline parity, and operational guardrails. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| NR1 | Schema/versioning & canonical JSON | Rules/channels/templates/deliveries not backed by signed, versioned schemas or canonical serialization (ordering, tz/locale, casing). | Drift across services/SDKs; hash-based dedupe and DSSE signatures unstable. | Publish signed schemas with canonical JSON rules and test vectors; enforce via API/SDK validators and worker ingestion. | -| NR2 | Tenant isolation & cross-tenant guardrails | Tenant field present but no hard enforcement, shared-channel policy, or dual-approval for cross-tenant routes. | Cross-tenant leakage via misconfigured channels/rules. | Enforce tenant scoping in storage/queries; require dual-approval + DSSE annotation for cross-tenant channel use; fail closed on mismatch. | -| NR3 | Deterministic rendering & localization | Locale-aware templates lack fixed locale/timezone, font set, whitespace rules, or golden outputs per channel. | Output hashes drift; dedupe/digests and audits unreliable. | Fix locale to en-US + UTC; embed font set for email/PDF; normalize whitespace/order; add golden fixtures for Slack/Teams/Email/Webhook outputs. 
| -| NR4 | Rate limits, backpressure, and DLQ | Throttle windows exist but no per-tenant/channel quotas, queue depth/backpressure policy, DLQ classification, or storm-breaker linkage. | Overload or runaway retries; noisy tenants can starve others. | Set quotas per tenant/channel; define shed/delay policy; classify errors (retryable/non) with DLQ + alerting; integrate storm-breaker signals into dispatcher. | -| NR5 | Reliability & retry semantics | Retry/backoff/idempotency strategy unspecified per channel; no max-attempts/jitter defaults or idempotency key recipe. | Duplicate deliveries or silent drops; hard to audit. | Standardize retry policy with bounded attempts + jitter; idempotency key recipe per delivery/action; record retry attempts and final state in ledger/metrics. | -| NR6 | Security of webhook/ack flows | Webhook signing shown but no canonicalization, replay window, or CSRF/redirect protections; ack tokens lack `cnf` binding guidance. | Ack/webhook spoofing or replay; approvals could be hijacked. | Mandate canonical body hash + timestamp drift limit; require nonce + `cnf` binding for ack tokens; enforce host allowlist/TLS profile; block redirects; add conformance tests. | -| NR7 | PII/redaction & payload limits | Redaction implied but no allowlist, size limits, or template lint per channel. | PII/secrets may leak via Slack/email/webhooks; payloads may be rejected. | Define redaction policy + size limits; lint templates; truncate with `omitted_count`; add PII/secret scan in CI and per-delivery guard. | -| NR8 | Observability & SLO conformance | Metrics listed but no alert thresholds, sampling budgets, or linkage to ledger/incident IDs. | SLO breaches unnoticed; tracing costs spike; weak auditability. | Define alert rules for latency/failure/duplicate/queue depth; set trace sampling budgets; link deliveries to ledger/event IDs; publish SLO dashboards. 
| -| NR9 | Offline/air-gap parity | No requirement to package rules/templates/channel configs with hashes/signatures or verify connectors offline. | Offline sites cannot verify/reproduce notifications; env drift. | Ship “notify-kit” (schemas, templates, connectors) with hash manifest + DSSE; include connector binary hashes and channel health fixtures; provide verify script. | -| NR10 | Change governance & simulations | Simulations exist but not required pre-deploy; no dual-approval or evidence capture for rule/template changes. | Risky rule changes can ship without guardrails; regressions likely. | Require dual-approval + mandatory simulation run before activation; store simulation evidence hash; block activation without proof. | - -## Immediate follow-ups -- Add a notification-gaps task to Sprint `SPRINT_0171_0001_0001_notifier_i.md` to close NR1–NR10 with owners/dates. -- Publish schemas + canonical JSON rules; enforce tenant scoping, quotas/backpressure, retry/ack security, redaction policies, deterministic rendering tests; ship offline “notify-kit” with DSSE manifest and verify script; require dual-approval + simulation evidence for rule/template changes. - -# Findings – Gaps in “Orchestrator Event Model and Job Lifecycle” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` - -**Method:** Read the advisory, cross-checked Orchestrator sprints (0151/0152) and current contracts (OAS 61–63, air-gap, observability tracks). Focused on determinism, replay/audit fidelity, tenant/quotas, DAG correctness, offline parity, and security/operational guardrails. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| OR1 | Canonical schemas & hashing | Event/job payloads lack versioned JSON Schemas, canonicalization (sorted keys, tz/locale, numeric precision), or hash recipe for history/audit bundles. | Drift across services/SDKs; hashes/signatures unstable; replay may mis-verify. | Publish signed schemas for job, event, quota, throttle, incident, replay records with canonical JSON and hash/test vectors; enforce in API/worker validators. | -| OR2 | Replay determinism & inputs lock | Replay guarantees stated but no inputs.lock (tool versions, policy/graph hashes, env/seed) or side-effect guardrails. | Replays may diverge from originals; audit claims weakened. | Require replay manifest with inputs.lock (tool images, policy/lattice hash, graph_revision_id, seeds, time source); block replay if mismatched; record replays as DSSE with `replayOf` linkage. | -| OR3 | Lease/heartbeat governance | Heartbeat cadence given but no monotonic clock requirement, drift tolerance, or lease-expiry/backoff policy; no DSSE/log for lease changes. | False expiries or hung jobs; inconsistent worker behavior across regions. | Mandate monotonic+UTC clocks; define heartbeat jitter, grace windows, and lease extension limits; log DSSE events for lease/expiry; add conformance tests. | -| OR4 | DAG/dependency correctness | Dependencies listed but no cycle detection, topological ordering rules, or partial-failure handling; no per-edge idempotency key. | Cycles or partial-complete runs can deadlock or double-execute. | Enforce DAG validation (cycle detection), topological scheduling with deterministic order, per-edge idempotency key; define partial-failure policy (fail-fast vs continue) and audit it. | -| OR5 | Quotas/circuit breakers governance | Quota and breaker thresholds not versioned; no change-control, tenant overrides, or emergency bypass audit. 
| Misconfig can starve tenants or bypass safety; hard to audit changes. | Version quotas/breakers with DSSE-signed configs; require dual-approval for emergency bypass; emit change events to ledger; add per-tenant override rules and tests. | -| OR6 | Security & tenant isolation | Scopes mentioned elsewhere but advisory lacks authN/Z defaults (mTLS/DPoP), tenant binding on all APIs/events, and webhook/worker allowlists. | Cross-tenant leakage or forged worker traffic; job control abuse. | Enforce tenant binding on all API/event payloads; require mTLS/DPoP for workers; maintain worker allowlist + key rotation; reject events missing tenant/trace bindings. | -| OR7 | Event fan-out ordering & backpressure | SSE/GraphQL/webhook feeds not required to preserve ordering, dedupe by eventId, or apply backpressure/flow control. | Dashboards/consumers may see out-of-order or duplicate events; memory pressure. | Define ordering (timestamp+eventId), dedupe rules, ack/backpressure protocol per channel; add replayable event store with cursor checkpoints and deterministic pagination. | -| OR8 | Offline/audit bundle schema | Audit bundle contents listed but no schema, size limits, redaction rules, compression/determinism flags, or DSSE signature requirement. | Offline audits may ingest tampered/incomplete bundles; PII may leak; hashes drift. | Define `audit-bundle.schema.json`, hash manifest, deterministic archive flags (mtime/owner), redaction/PII allowlist, and DSSE signature; ship verify script with exit codes. | -| OR9 | Observability/SLOs & incident hooks | Metrics listed but no SLO thresholds, alert rules, sampling budgets, or linkage to incident mode/circuit breakers. | SLO breaches unnoticed; incident mode may not trigger; tracing costs spike. | Publish SLOs + alert rules (queue depth, latency, failure rate, heartbeat gaps); tie to circuit breakers/incident mode activation; set trace sampling budgets and dashboards. 
| -| OR10 | TaskRunner bridge integrity | Pack-run heartbeat/log/artifact flows lack integrity rules (hashing, size limits), resumability, and DSSE linkage to job events. | Logs/artifacts may be tampered; replay/resume may fail; weak audit trail. | Require hashes for artifacts/log streams, size/chunk limits, DSSE linkage of pack-run events to jobId/runId; define resume semantics and tests; include in audit bundles. | - -## Immediate follow-ups -- Add an orchestrator-gap task to Sprint `SPRINT_0151_0001_0001_orchestrator_i.md` to close OR1–OR10 with owners/dates. -- Publish signed schemas + hash recipes; enforce tenant binding/mTLS/DPoP, DAG validation, quotas/breakers governance, heartbeat/lease policy, fan-out ordering/backpressure, audit-bundle schema/verify script, SLO alerts, and TaskRunner integrity (hashes/DSSE/resume rules). - -# Findings – Gaps in “Plugin Architecture & Extensibility Patterns” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` - -**Method:** Reviewed the advisory against module plugin patterns (Authority, Scanner analyzers, Concelier connectors), platform determinism/air-gap rules, and existing plugin guides. Focused on trust, compatibility, isolation, determinism, offline parity, and governance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| PL1 | Canonical manifests & schemas | Manifest format shown but no signed/Versioned JSON Schemas, canonical JSON rules, or hash recipe for plugin/connector/analyzer descriptors. | Divergent manifests across modules; hashes/DSSE signatures unstable; loaders may accept malformed plugins. | Publish signed schemas per plugin type with canonical JSON rules and hash/test vectors; enforce validation in hosts/CI. 
| -| PL2 | Capability token governance | Capabilities listed but no registry/versioning or negotiation rules across host versions. | Capability drift; plugins may assume features not supported by host, causing runtime failures. | Create capability catalog (SemVer) per module; enforce host-version compatibility and fail closed when unknown tokens encountered; provide downgrade rules. | -| PL3 | Supply chain & provenance | No requirement for plugin SBOM, signatures (DSSE/cosign), or provenance metadata (builder, source digest, policy hash). | Tampered or opaque plugins could be loaded; audit/replay weak. | Require SBOM + DSSE-signed provenance bundle per plugin; verify signatures and policy hash at load; store provenance in CAS and audit log. | -| PL4 | Sandbox/Resource isolation | Advisory mentions isolation but lacks mandatory sandbox model (AppDomain/AssemblyLoadContext + cgroups/seccomp), CPU/RAM/time budgets, or deny-by-default network/filesystem. | Plugins can exhaust resources or escape isolation, affecting host determinism/security. | Define sandbox profile per module with CPU/mem/time/IO caps, network default-deny, and configurable allowlist; enforce via host; add kill-switch metrics/alerts. | -| PL5 | Determinism enforcement & test harness | Determinism principles stated but no per-plugin determinism tests, seeds, locale/timezone pinning, or multi-run hash checks. | Plugins may emit non-deterministic outputs, breaking reproducibility. | Provide plugin test harness with multi-run hash CI, fixed locale/UTC, seeded RNG, and determinism lint; require passing before publish/load. | -| PL6 | ABI/API compatibility & migrations | HostVersion field present but no compatibility matrix, breaking-change policy, or migration hooks. | Plugins may break on host upgrades; silent failures. | Publish compatibility matrix per module; define breaking-change policy and migration hooks; enforce semantic range checks at load with clear errors. 
| -| PL7 | Dependency/secret posture | Offline-first listed but no lockfiles, vendored deps, or secret-handling rules (KMS refs vs inline). | Runtime downloads or secret sprawl; non-reproducible builds. | Require dependency lockfiles + vendored artefacts; forbid runtime downloads; mandate secret refs (KMS/secret store), never inline; add CI checks. | -| PL8 | Observability, crash containment, and kill-switch | Health checks mentioned but no required crash isolation, auto-disable on fault rate, or structured logs/traces per plugin ID. | Faulty plugins can flap hosts; poor triage. | Add fault counter + kill-switch thresholds; emit structured logs/traces with pluginId; auto-disable after N failures with DSSE-signed disable record and rollback path. | -| PL9 | Offline kit packaging & verification | Offline kit layout shown but no DSSE signatures, deterministic archive flags, or verify script with exit codes. | Air-gapped installs can’t verify authenticity; hashes drift across builders. | Package plugins in deterministic archive with hash manifest + DSSE signature; include verify script (hash/signature/hostVersion check) and time-anchor token. | -| PL10 | Distribution trust & revocation | No process for plugin publication review, CVE tracking, revocation/denylist distribution, or metadata feed for updates. | Malicious/vulnerable plugins may persist; customers unaware of revocations. | Establish review/sign-off workflow; publish signed plugin index with revocation/denylist and CVE metadata; hosts poll index (or import offline) and refuse revoked versions. | - -## Immediate follow-ups -- Add a plugin-architecture gaps task to a coordination sprint (e.g., `SPRINT_300_documentation_process.md`) to close PL1–PL10 with owners/dates and module owners for each plugin type. 
-- Publish signed schemas/capability catalog; enforce sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline packaging with verify script, and signed plugin index with revocation/CVE data. - -# Findings – Gaps in “Policy Simulation and Shadow Gates” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Policy Simulation and Shadow Gates.md` - -**Method:** Read the advisory, compared with policy reasoning sprints (0120/0121) and replay core (0185), and with Policy Engine contracts. Focused on determinism, coverage fidelity, gate governance, auditability, offline parity, and safety. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| PS1 | Canonical schemas & hashing | Simulation, diff, coverage, promotion records lack versioned JSON Schemas, canonical JSON rules, and deterministic hash recipe. | Results may drift across services/SDKs; hashes/DSSE signatures unstable; replay unverifiable. | Publish signed schemas for simulation/diff/coverage/promotions + canonical JSON rules and hash/test vectors; enforce in API/CLI/worker validators. | -| PS2 | Shadow isolation & redaction | Shadow collections defined but no mandatory tenant scoping, PII/redaction rules, TTL/GC governance, or cross-tenant leakage tests. | Shadow data could leak or persist indefinitely; compliance/audit risk. | Enforce tenant scoping, redaction allowlist, TTL with DSSE-config, isolation tests; forbid cross-tenant queries; include redaction manifest in audit trail. | -| PS3 | Coverage fixture governance | Fixture format shown but no schema versioning, required fields, negative/edge cases, or golden fixtures with determinism checks. | Fixtures may be ambiguous; regressions undetected; audits weak. 
| Publish fixture schema + conformance suite; require negative/edge cases; provide golden fixtures and multi-run hash CI; include VEX-aware expectations. | -| PS4 | Gate policy & approvals | Promotion gates lack RBAC/dual-approval rules, DSSE evidence, policy/graph hash binding, or environment constraints. | Unsanctioned promotions or mismatched policy/graph could ship. | Require dual-approval with DSSE-signed gate bundle including policy/graph hashes, inputs.lock, scope/env; enforce RBAC and deny if evidence missing. | -| PS5 | Replay/inputs.lock & feed freeze | Determinism hash uses policy/rules only; no inputs.lock covering feeds, SBOMs, tool versions, time source, or random seeds. | Replays may diverge due to feed/tool drift; audit claims weakened. | Add inputs.lock (feeds snapshots, tool/image digests, time source, seeds); store with simulation/promotions; reject replay if mismatched; DSSE-sign. | -| PS6 | Resource budgets & quotas | No per-tenant/job-type quotas, concurrency limits, or cost caps for simulations/diffs/coverage. | Large simulations could starve production or cause outages. | Define quotas/concurrency per tenant/policy; enforce budgets and backpressure; surface metrics/alerts; fail fast with retryable codes. | -| PS7 | Observability & audit linkage | Metrics/audit events listed but no required SLOs, alert thresholds, or linkage to ledger/replay evidence. | Failures may go unnoticed; audit trail fragmented. | Set SLOs + alert rules (latency, failure rate, coverage pass rate, gate duration); log DSSE/audit events with simulation IDs; link to ledger entries. | -| PS8 | CLI/CI contract & exit codes | CLI commands shown but no versioned spec for flags/exit codes or CI gating rules (what fails a pipeline). | CI may mis-handle outcomes; breaking changes unnoticed. | Publish CLI/CI contract (flags, outputs, exit codes, JSON schema); add compatibility tests; define CI gating defaults (fail on coverage <100%, diff severity thresholds). 
| -| PS9 | Offline/air-gap parity | No requirement to package simulations/coverage/gate evidence in offline kits with hashes/signatures and verify scripts. | Air-gapped sites cannot verify or replay simulations; env drift. | Provide “policy-sim-kit” (schemas, fixtures, results, inputs.lock, DSSE signatures, verify script) with deterministic archives; document import/verify flow. | -| PS10 | Safety for shadow/no-notify | Advisory says no notifications but lacks guard to prevent hooks or side-effects (webhooks, Jira, enforcement flags) during shadow runs. | Shadow runs could trigger actions or mutate state; production impact risk. | Enforce side-effect guard: disable outbound hooks/enforcement during shadow; static allowlist; assert no writes except shadow collections; add tests. | - -## Immediate follow-ups -- Add a policy-simulation gaps task to Sprint `SPRINT_0185_0001_0001_shared_replay_primitives.md` (or successor policy simulation sprint) to close PS1–PS10 with owners/dates. -- Publish signed schemas + inputs.lock rules; enforce shadow isolation/redaction, fixture conformance with golden tests, gate RBAC/DSSE evidence, quotas/backpressure, CLI/CI contract with exit codes, offline “policy-sim-kit” packaging, and side-effect guards for shadow runs. - -# Findings – Gaps in “Runtime Posture and Observation with Zastava” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` - -**Method:** Read the advisory, cross-checked Zastava sprint `SPRINT_0144_0001_0001_zastava_runtime_signals` and Surface.Env/Secrets/FS integrations. Focused on determinism, tenant isolation, provenance, replay/audit, offline parity, observability, and safety controls. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| ZR1 | Canonical schemas & hashing | Event/admission/observation payloads lack signed/Versioned JSON Schemas, canonical JSON rules, and hash recipe for DSSE/audit bundles. | Hash/signature drift; replay unverifiable; cross-service divergence. | Publish signed schemas for observer/webhook events and admissions with canonical JSON + hash/test vectors; enforce in validators. | -| ZR2 | Tenant isolation & scope binding | Advisory assumes tenant fields but no hard binding in webhook/observer, nor cross-tenant tests or deny-by-default for missing tenant/context. | Cross-tenant leakage or spoofed admissions. | Require tenant/project bindings on all requests/events; fail closed on missing/ambiguous tenant; add isolation tests and DSSE annotations with tenant. | -| ZR3 | Determinism & time source | Runtime/admission flows lack mandated monotonic clock, timezone/locale rules, or deterministic ordering of findings/events. | Non-deterministic decisions; replay hashes drift. | Mandate monotonic+UTC time provider, stable ordering (tenant, namespace, digest), and deterministic serialization; add multi-run hash CI. | -| ZR4 | Provenance & signer identity | Observations lack required provenance fields (sensor ID, firmware/version, policy hash, graph revision, key ID) and DSSE enforcement. | Evidence unverifiable; spoofed sensors possible. | Require DSSE envelopes with signer identity, policy/graph hashes, sensor ID/firmware; verify before accept; log provenance in CAS. | -| ZR5 | Admission side-effects & escape hatches | No guardrail for side-effecting hooks, emergency bypasses, or debug flags; unclear approval path for bypass. | Unsafe bypass may disable enforcement; audit gaps. | Add side-effect allowlist; require dual-approval + DSSE-signed waiver for bypass/debug; log and expire waivers; deny unknown hooks. 
| -| ZR6 | Offline/air-gap parity | Offline posture noted but no bundle schema, deterministic archive flags, or verify script for observation/admission data. | Air-gapped users can’t verify or replay; integrity risk. | Provide “zastava-kit” with observations/admissions, hash manifest, DSSE signature, deterministic tar flags, and verify script (hash/signature/tenant checks). | -| ZR7 | Replay/audit linkage | Observations/admissions not linked to ledger/replay manifests or reachability/graph revisions. | Hard to audit or reproduce decisions. | Link events to ledger IDs and graph_revision_id; store replay manifest refs; include in DSSE annotations and export bundles. | -| ZR8 | Thresholds, burn-rate & anomaly policy | Storm/burn-rate thresholds not codified; no change-control or DSSE for threshold updates. | Noisy alerts or missed incidents; drift unnoticed. | Version and sign threshold config; require change log + DSSE; add alerting on threshold changes; publish budgets (latency, error rate, drop rate). | -| ZR9 | PII/redaction & log hygiene | Advisory mentions logging but no redaction allowlist, size limits, or secret/PII scan for observation payloads and webhook logs. | PII/secret leakage via logs/events. | Define redaction allowlist + size limits; run PII/secret scan in CI and at ingest; truncate with omitted counts; include redaction manifest. | -| ZR10 | Health, kill-switch & fallback | Health checks exist but no kill-switch on repeated failures, fallback policy (fail-open vs fail-closed), or DSSE record of kill events. | Unstable sensors/webhooks can flap services; enforcement may silently fail open. | Add fault counter + kill-switch with DSSE-signed disable record; configurable fail-open/closed defaults (closed for admission); expose metrics/alerts; require manual re-enable with audit. | - -## Immediate follow-ups -- Add a Zastava gaps task to Sprint `SPRINT_0144_0001_0001_zastava_runtime_signals.md` to close ZR1–ZR10 with owners/dates. 
-- Publish signed schemas + hash recipes; enforce tenant binding, deterministic clocks/ordering, DSSE provenance, side-effect/bypass controls, offline “zastava-kit” packaging, ledger/replay linkage, threshold governance, PII/redaction policy, and kill-switch/fallback rules with alerts and audits. - -# Findings – Gaps in “Sovereign Crypto for Regional Compliance” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` - -**Method:** Read the advisory, cross-checked Sovereign Crypto sprint `SPRINT_0514_0001_0001_sovereign_crypto_enablement.md` and crypto registry decision docs. Focused on compliance evidence, determinism, offline parity, provider governance, PQ transition, and security/operational guardrails. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| SC1 | Canonical registry schema & hashing | Registry/profiles lack signed/Versioned JSON Schemas, canonical serialization, and hash recipes for configs. | Drift across services; hashes/DSSE signatures unstable; audits fail. | Publish signed schemas for registry/profiles/providers with canonical JSON + hash/test vectors; enforce validation at startup and in CI. | -| SC2 | Compliance evidence & attestation | eIDAS/FIPS/GOST/SM claims lack required evidence (cert IDs, module versions, validation scope) and DSSE attestations for provider selection. | Compliance assertions unverifiable; regulators may reject evidence. | Require compliance evidence block (cert ID, module version, OID/SM spec, validation scope, expiry) and DSSE-signed attestation when profile is activated; store in CAS/ledger. | -| SC3 | PQ/hybrid transition rules | PQ plan noted but no concrete algorithm sets, dual-sign ordering, or migration/rollback policy. | Inconsistent PQ rollout; signatures may be non-interoperable. 
| Define PQ profiles (Dilithium/Falcon) with dual-sign ordering, verification precedence, rollback policy, and interop matrix; add tests/vectors. | -| SC4 | Provider trust & provenance | Provider binaries (CryptoPro, Tongsuo, OpenSSL FIPS) lack provenance/SBOM, signature verification, or supply-chain policy. | Risk of tampered binaries; audit gaps. | Require SBOM + DSSE/cosign signature for each provider; verify on ingest; store provenance in CAS; maintain allowlist of hashes. | -| SC5 | Key custody & HSM policy | Key storage guidance is high level; no M-of-N, audit rules, or per-region HSM fallback policy. | Single-operator risk; compliance gaps; inconsistent behavior across regions. | Define custody policy (M-of-N), audit requirements, allowed HSMs per region, and fallback (software/HSM) with DSSE-logged overrides; add key-state manifest. | -| SC6 | Runtime negotiation & fail-closed | Registry shows activeProfile but no fail-closed rules when profile missing/invalid or when providers unavailable. | Services might silently fall back to default/FIPS when region requires GOST/SM. | Enforce fail-closed on profile/provider mismatch; expose negotiation result; add health check/alerts; require explicit override token for fallback. | -| SC7 | Determinism across profiles | Determinism rules mention timestamps but ignore algorithm-specific randomness (ECDSA/SM2 k), padding differences, or provider-specific encoding. | Outputs may drift across providers/runs; replay hashes unstable. | Standardize deterministic signing modes where possible (RFC 6979 for ECDSA/SM2 where supported); document encoding; add golden vectors per profile/provider; hash manifests for outputs. | -| SC8 | Offline/air-gap RootPack | RootPack bundles lack deterministic packaging flags, manifest schema, DSSE signature, or verify script with time-anchor; CRL/OCSP offline handling unspecified. | Air-gapped deployments can’t verify packs; tamper risk; stale revocations. 
| Define RootPack schema + deterministic tar flags; include hash manifest, DSSE signature, time-anchor token; offline CRL/OCSP stapling guidance; provide verify script with exit codes. | -| SC9 | Policy/tenant binding | Profile selection not tied to tenant/env/policy IDs in tokens/attestations; no audit of who switched profiles. | Wrong profile may be used for a tenant; auditors cannot trace changes. | Bind profile ID to tenant/env in config and tokens/attestations; log DSSE-signed profile-switch events with actor/time; enforce RBAC for switches. | -| SC10 | Observability & drift detection | No metrics/alerts for profile drift, provider verification failures, or cert expiry; no periodic self-test. | Silent drift or expired certs could undermine compliance. | Add metrics/alerts for profile/provider hash mismatch, signature verification fail, cert expiry window, PQ/dual-sign success rate; schedule self-tests with DSSE-logged results. | - -## Immediate follow-ups -- Add a sovereign-crypto gaps task to Sprint `SPRINT_0514_0001_0001_sovereign_crypto_enablement.md` (or Authority/Security crypto sprint) to close SC1–SC10 with owners/dates. -- Publish signed schemas + compliance evidence blocks; enforce provider provenance checks, PQ/dual-sign rules, fail-closed negotiation, custody/HSM policy, deterministic signing vectors, RootPack schema + verify script with time-anchor, tenant-bound profile switches, and observability/self-tests for drift and expiry. - -# Findings – Gaps in “Task Pack Orchestration and Automation” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Task Pack Orchestration and Automation.md` - -**Method:** Read the advisory, cross-checked TaskRunner specs (`docs/task-packs/*.md`) and orchestration/pack sprints (0157/0158 series). Focused on determinism, safety, provenance, multi-tenant isolation, offline parity, and governance for packs, approvals, and executions. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| TP1 | Canonical schemas & plan hash recipe | Pack manifest and plan hash lack published signed schemas, canonical JSON rules, and hash recipe (ordering, normalization, casing). | Plan hash drift; DSSE attestations unverifiable; cross-host divergence. | Publish signed schemas for manifest/plan/run/approval events with canonical JSON rules and hash/test vectors; fix plan-hash recipe and enforce at build/run. | -| TP2 | Provenance & evidence completeness | Evidence bundle includes attestation but no required fields for inputs.lock, tool versions, policy/graph hashes, or approver identities. | Replay/audit weak; approvals unverifiable; mismatched tools undetected. | Require evidence block with inputs.lock (images, feed snapshots, policy/graph hash, time source), approver identities, and DSSE bundle; store in Evidence Locker/ledger. | -| TP3 | Approval governance & RBAC | Approval tokens include plan hash but no dual-approval rules, delegation limits, or DSSE-signed approval records; no expiry/renewal guidance beyond TTL. | Unauthorized or stale approvals may progress packs; audit gaps. | Enforce dual-approval/role matrix, delegation quotas, DSSE-signed approval records with expiry/nonce, and audit trail; deny on missing/expired approvals. | -| TP4 | Secrets handling & redaction | Advisory says secrets masked, but no schema/allowlist, redaction manifest, or log guard; no proof that outputs/artifacts redact secrets. | Secrets/PII could leak in logs/evidence; compliance risk. | Define secret/PII redaction policy + allowlist; include redaction manifest in evidence; add CI lint + runtime guard to block unmasked outputs; redact artifacts/exports. | -| TP5 | Determinism across step types | Parallel/map/approval/policy steps lack deterministic ordering, RNG/clock control, and retry semantics; maxParallel/map order not fixed. 
| Non-deterministic runs; plan hash mismatch on replay; flaky pipelines. | Fix ordering rules (stable sort for map/parallel), enforce monotonic+UTC time provider, deterministic RNG, and retry/backoff policy per step type; add multi-run hash CI. | -| TP6 | Sandbox/resource limits & egress | Run steps lack mandated sandbox (CPU/mem/time IO), network egress policy, or per-module allowlists; no per-tenant budgets/quotas. | Pack runs can exhaust resources or exfiltrate data; noisy tenants starve others. | Define sandbox profile per module; set CPU/mem/time/IO limits, network default-deny with allowlist; quotas per tenant; enforce in runner; emit metrics/alerts. | -| TP7 | Pack registry trust & signing | Registry APIs exist but no requirement for signed packs (cosign/DSSE), SBOMs, or signature verification at publish/pull; no revocation/denylist feed. | Tampered packs could be executed; compromised registry could spread malware. | Require DSSE/cosign signatures + SBOM for packs; verify on publish/pull; maintain signed pack index with revocations/denylists; fail closed on missing/invalid sigs. | -| TP8 | Offline/air-gap pack bundles | Export/import commands shown but no deterministic bundle schema, hash manifest, DSSE signature, or verify script; approvals/tokens offline flow unspecified. | Air-gapped users cannot verify packs; tamper risk; approvals unenforceable offline. | Define pack-bundle schema with deterministic tar flags, hash manifest, DSSE signature, time anchor; include approvals/tokens/offline authority keys; ship verify script. | -| TP9 | Observability & incident hooks | Metrics listed but no SLOs/alerts, burn-rate/incident mode hooks, or linkage to ledger/timeline events. | Failures/noise may go unnoticed; incomplete auditability. | Set SLOs + alert rules (queue depth, step latency, approval SLA, failure rate); emit timeline/ledger events with trace IDs; add incident mode triggers and dashboards. 
| -| TP10 | Safety for policy/approval gates | Gate types outlined but no guardrails to prevent side effects or bypass when gates fail; no policy for replays after gate failure. | Gates may be bypassed; side effects may run in shadow; inconsistent promotion. | Enforce fail-closed on gate failure/expiry; block side effects until gate satisfied; require DSSE proof of gate success; define replay rules after gate failure. | - -## Immediate follow-ups -- Add a task-pack gaps task to the TaskRunner sprint (e.g., `SPRINT_0157_0001_0001_taskrunner_i.md` or `SPRINT_0158_0001_0002_taskrunner_ii.md`) to close TP1–TP10 with owners/dates. -- Publish signed schemas and plan-hash recipe; enforce DSSE/Signature + SBOM for packs, evidence inputs.lock, dual-approval governance, sandbox/egress limits, deterministic ordering/RNG/time, offline pack-bundle schema/verify script, SLO/alerting, and gate fail-closed rules. - -# Findings – Gaps in “Telemetry and Observability Patterns” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Telemetry and Observability Patterns.md` - -**Method:** Read the advisory, compared with telemetry docs (collector config, dashboards) and missing telemetry sprint. Focused on determinism, sealed-mode/offline parity, provenance, redaction, tenant isolation, and operational guardrails. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| TO1 | Canonical schemas & hashing | Metrics/traces/logs configs lack signed/Versioned schemas, canonical JSON, and hash recipe for bundle/manifest. | Drift across services; bundle hashes/DSSE unstable; replay verification weak. | Publish signed schemas for telemetry configs/exports with canonical JSON + hash/test vectors; enforce validation in collector/SDK CI. 
| -| TO2 | Provenance & DSSE | Collector profiles/bundles lack DSSE attestation with collector version, exporter set, redaction policy, and crypto profile. | Consumers can’t trust telemetry bundles; forensic evidence not audit-grade. | Require DSSE for profile activation and bundle export including collector build/version, exporter list, redaction policy, crypto profile; store in ledger. | -| TO3 | Determinism & sampling stability | Tail sampling rules given but no deterministic seed, priority order, or retry/backpressure policy; logs/traces ordering unspecified. | Re-runs differ; incident comparisons unreliable; bundle hashes drift. | Define deterministic sampling order/seed, backpressure rules, and stable ordering (timestamp+traceId); add multi-run hash CI for exporters. | -| TO4 | Sealed-mode / egress guards | Sealed-mode guidance shown but not enforced (no deny list of exporters, DNS/IP allowlist, or fail-closed policy). | Telemetry could exfiltrate data from air-gap; compliance risk. | Enforce sealed-mode guard that blocks non-loopback exporters; add allowlist/DNS pinning; fail closed; emit DSSE-signed seal-status record. | -| TO5 | Redaction policy & PII tests | Redaction described but no allowlist, regex/catalog, or CI tests; log processors not required to prove redaction. | PII/secret leakage via OTLP/logs. | Define redaction allowlist/catalog; add PII/secret test suite; require redaction manifest in bundles; fail bundle export if redaction violations detected. | -| TO6 | Tenant isolation & multi-tenant routing | Advisory lacks tenant binding on OTLP signals and isolation tests; no per-tenant quotas. | Cross-tenant leakage in shared collectors/backends. | Require tenant/project IDs in attributes and pipeline routing; enforce per-tenant quotas/limits; add isolation tests and metrics. | -| TO7 | Forensic triggers governance | Forensic mode triggers listed but no approval/expiry policy, DSSE record, or rollback guard. 
| Forensic mode could stay on or be abused; noisy costs. | Require dual-approval + DSSE record for forensic activation with expiry; log actor/time/reason; auto-expire with rollback; alert on long-running forensic mode. | -| TO8 | Offline bundle schema & verify | Bundle structure shown but no deterministic tar flags, manifest schema, hash list, or verify script/time-anchor. | Offline bundles unverifiable; tamper risk. | Define `telemetry-bundle.schema.json`, deterministic archive flags, hash manifest + DSSE signature + time-anchor token; ship verify script with exit codes. | -| TO9 | Observability of observability | Metrics/alerts listed but no SLOs/alert rules for collectors/exporters or bundle generation; no self-tests. | Telemetry pipeline failures unnoticed; forensic/offline exports may fail silently. | Set SLOs + alert rules for collector health, exporter failures, queue backpressure, bundle success rate; add periodic self-test with DSSE-logged results. | -| TO10 | CLI/pack contracts | CLI commands absent; no versioned spec for telemetry CLI/export commands or CI gating on bundle validation. | CI/pipelines may break on changes; offline ops inconsistent. | Publish CLI/pack contract (flags, exit codes, JSON schema) for telemetry exports; add compatibility tests; fail CI on invalid bundles. | - -## Immediate follow-ups -- Add a telemetry gaps task to Sprint `SPRINT_0180_0001_0001_telemetry_core.md` to close TO1–TO10 with owners/dates. -- Publish signed schemas + DSSE provenance for profiles/bundles; enforce sealed-mode/egress guards, deterministic sampling/order, redaction allowlist + PII tests, tenant binding/quotas, forensic activation governance, offline bundle schema + verify script, SLO/alerting for collectors/exporters, and CLI/pack contracts. 
- -# Findings – Gaps in “Vulnerability Triage UX & VEX-First Decisioning” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md` - -**Method:** Read the advisory, cross-checked triage/UI sprint `SPRINT_0215_0001_0001_vuln_triage_ux` and related explainability/VEX advisories. Focused on determinism, schema completeness, evidence linkage, tenant isolation, offline parity, accessibility, and approval/decision governance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| VT1 | Schema/versioning & canonical JSON | VEX decision, vuln scan attestation, and audit bundle schemas referenced but not published or versioned; no canonical JSON rules. | UI/API may drift; hashes/DSSE signatures unstable; integrations break. | Publish signed schemas for vex-decision, vuln-scan attestation, audit-bundle index with canonical JSON + hash/test vectors; enforce in API/UI validators. | -| VT2 | Evidence linkage & explainability | Advisory calls for evidence-first UI but lacks required fields linking decisions to reachability graphs, policy hashes, and attestation IDs. | Users can’t audit or replay decisions; explainability incomplete. | Require decision payloads to include graph_revision_id, policy_hash, attestation_ids, evidence bundle refs; surface in UI cards and exports; enforce in API. | -| VT3 | Tenant isolation & RBAC | VEX modal/actions not bound to tenant/project roles; no dual-approval or reviewer metadata for high-impact decisions. | Cross-tenant leaks or unauthorized decisions; audit gaps. | Bind decisions to tenant/project; enforce RBAC/dual-approval for high-severity scope; log reviewer metadata; DSSE-sign decisions with actor IDs. 
| -| VT4 | Determinism & sorting | Finding lists/cards lack deterministic ordering rules and stable pagination hashes; locale/time effects not addressed. | UI/exports reorder across sessions; hashes drift; tests flaky. | Define ordering (tenant, severity desc, package, vulnId), fix locale/UTC, deterministic pagination tokens; add golden fixture tests. | -| VT5 | Accessibility & usability standards | Advisory omits a11y requirements (contrast, keyboard nav, screen reader labels, focus management) for triage workspace/VEX modal. | Non-compliance, poor UX for accessibility; potential legal risk. | Add WCAG 2.1 AA checklist: focus order, ARIA labels, keyboard shortcuts, contrast tokens; add a11y CI checks. | -| VT6 | Offline/air-gap parity | No guidance to package triage/VEX data for offline review or to verify attestation/decision bundles offline. | Air-gapped users cannot review/export decisions; integrity risk. | Provide “triage-kit” export with findings, decisions, attestations, evidence, hash manifest + DSSE signature and verify script; include UI offline view guidance. | -| VT7 | Conflict resolution & supersedes | Supersedes logic hinted (PATCH) but no deterministic rules for conflicting decisions, scope overlaps, or expiry/validFor handling. | UI may display stale/conflicting decisions; audits ambiguous. | Define supersedes/precedence rules (newer notAfter/notBefore, scope specificity, signer trust); enforce in API; show in UI with conflict badges. | -| VT8 | Attestation verification UX | Attestation tab lacks verification status rules (Rekor/bundle presence, DSSE verification, key trust) or error handling. | Users may trust unverified attestations; weak evidence chain. | Require verification state (verified/failed/unknown) with reasons; enforce DSSE/Rekor/bundle checks; display signer key/fingerprint and trust result. | -| VT9 | Privacy/redaction in UI | Evidence fields and notes not bound to redaction/allowlist; screenshots/links could leak PII/credentials. 
| Sensitive data exposure in UI exports and screenshots. | Apply redaction policy to evidence fields; add redaction manifest to exports; UI should mask secrets and mark redacted areas; add PII scan in pipeline. | -| VT10 | Metrics/telemetry for UX | Advisory lists dashboards/alerts elsewhere but no UX telemetry/SLIs (time-to-first-meaningful-render, modal save latency, decision success rate). | UX regressions unnoticed; SLAs unmet. | Define UX SLIs (TTFMR, VEX save p95, decision error rate, export latency); add instrumentation and alerts; include in dashboards. | - -## Immediate follow-ups -- Add a triage UX gaps task to Sprint `SPRINT_0215_0001_0001_vuln_triage_ux.md` (or related UI sprint) to close VT1–VT10 with owners/dates. -- Publish signed schemas and enforce evidence linkage, tenant/RBAC controls, deterministic ordering, a11y standards, offline triage-kit, supersedes/conflict rules, attestation verification UX, redaction policy, and UX telemetry/SLIs with alerts. - -# Findings – Gaps in “Acceptance Tests Pack for StellaOps Guardrails” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` - -**Method:** Read the advisory and mapped it to guardrail CI expectations (feed integrity, SBOM gating, replay, policy change attestation, backups). Focused on completeness, determinism, provenance, offline parity, and automated enforcement. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| AT1 | Canonical test pack schema | Pack/fixture layout not defined by signed/Versioned schema or canonical JSON rules. | Implementations may drift; CI may accept malformed tests; hashes/signatures unstable. | Publish signed schema for acceptance-pack manifest + fixtures with canonical JSON and hash/test vectors; enforce validation in CI. 
| -| AT2 | Deterministic fixtures & seeds | No requirement for fixed seeds, clocks (UTC), or deterministic archiving of fixtures. | Flaky acceptance runs; reproducibility claims weakened. | Require fixed seeds/time sources; deterministic tar flags for fixture bundles; multi-run hash CI on acceptance pack outputs. | -| AT3 | Coverage breadth & critical paths | Advisory covers five areas but omits runtime admission, VEX/graph drift, and auth/DPoP misuse scenarios. | Gaps leave critical regressions untested. | Expand pack to include admission/VEX/graph drift/auth binding scenarios; map each to acceptance IDs and CI jobs. | -| AT4 | Provenance & signing of bundles | Acceptance bundle signing/attestation not mandated; no provenance (tool versions, policy hashes, feed snapshots). | Tampered tests or mismatched environments may pass; audits weak. | DSSE-sign acceptance bundles with provenance (tool versions, feed snapshot IDs, policy/graph hashes); verify before run; store results in Evidence Locker. | -| AT5 | Air-gap/offline execution | Offline/air-gap execution not codified (no offline mirrors, time anchor, or verify script). | Air-gapped sites cannot run/verify acceptance pack; integrity risk. | Provide offline “guardrail-pack” with hash manifest, DSSE signature, time anchor, and verify script; forbid network during run; include mirrored feeds. | -| AT6 | SBOM/scan gating thresholds | Thresholds listed informally; no machine-enforced limits or schema for completeness/error budgets. | Inconsistent gating; teams may weaken thresholds unnoticed. | Define gating policy schema (hash coverage %, ecosystem completeness, provenance requirement) and enforce in acceptance runner with fail-closed defaults. | -| AT7 | Replay/determinism checks | Replay of graph/revision parity mentioned but no required comparison outputs or allowed tolerances. | Restores may appear “green” without verifying verdict parity; audits weak. 
| Require parity checks on graph_revision_id and verdict counts with zero tolerance; include expected hashes in fixtures. | -| AT8 | Policy change attestation | Authority DSSE gating described but not enforced in acceptance tests; no negative tests for missing/invalid signatures. | Unsigned policy changes could slip through; audit trail incomplete. | Add acceptance cases for valid/invalid DSSE policy change requests, require rejection on missing/invalid signatures, and record ledger entry; include sample envelopes. | -| AT9 | Backup/restore rehearsal automation | Backup cadence noted but no automated rehearsal scripts, success criteria, or CI job wiring. | Restores may silently fail; RPO/RTO claims unproven. | Add scripted PITR rehearsal with hash/parity assertions; wire into CI weekly; publish logs + hashes as artifacts. | -| AT10 | Reporting & SLOs for guardrail CI | No reporting format or SLO targets for acceptance suite (pass rate, duration, flake rate). | Leadership lacks visibility; flaky tests ignored. | Define report schema + SLOs (pass rate, max duration, flake budget); publish HTML/JSON summary; alert on SLO breaches. | - -## Immediate follow-ups -- Add an acceptance-pack gaps task to Sprint `SPRINT_300_documentation_process.md` (Docs/Process) to close AT1–AT10 with owners/dates. -- Publish signed acceptance-pack schema and deterministic fixtures; extend coverage to admission/VEX/auth cases; mandate DSSE provenance, offline guardrail-pack with verify script/time anchor, gating thresholds schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. 
- -# Findings – Gaps in “CVSS v4.0 Momentum in Vulnerability Management” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` - -**Method:** Read the momentum advisory and compared with StellaOps scoring/policy pipelines (CVSS receipts sprint 0190, policy/VEX/triage flows). Focused on data model, canonicalization, multi-version support, provenance, UI/API surfacing, offline parity, and operational governance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CVM1 | Canonical schemas & parsing | Advisory doesn’t mandate signed/Versioned schemas or canonical JSON for CVSS v4.0 vectors/metrics; parsing rules for Supplemental group unspecified. | Parsers drift; hashes/DSSE receipts unstable; supplemental metrics lost. | Publish signed schemas for v4 vectors + metrics (Base/Threat/Env/Supplemental) with canonical JSON and test vectors; enforce strict parser/validator and canonicalization for hashing. | -| CVM2 | Multi-version storage & receipts | No contract for storing multiple CVSS versions (v2/v3.x/v4) per finding with source/assessed_at and immutable receipts. | Overwrites destroy provenance; auditors can’t trace scorer/source; UI may show mixed data. | Model CVSS assessments as append-only records with version, source, assessed_at, receipt DSSE; expose via API/UI with version tag; keep legacy scores for compatibility but default to v4. | -| CVM3 | Supplemental/Threat/Env completeness | Advisory highlights momentum but not completeness requirements for Threat/Environmental/Supplemental fields; no “data quality” band. | Scores degrade to Base-only; uneven risk posture; explainability weak. | Require completeness thresholds (e.g., Threat present if upstream supplies; Environmental/Supplemental optional but flagged). 
Mark quality band and block “v4-default” if key groups missing unless explicitly allowed. | -| CVM4 | Canonical hashing for receipts | No canonical hash recipe for CVSS receipts (policy v4 work does Base hash only). | DSSE receipt hashes may drift; signatures unverifiable across services. | Define canonical hash: sorted keys, fixed precision, UTC timestamps, normalized vectors; include metric groups present flags; add test vectors. | -| CVM5 | Interop & downgrade rules | No downgrade/crosswalk rules v4→v3.1 or mixed-source merging; no precedence rules when v3.1 and v4 coexist. | UI/API may pick wrong score; pipelines inconsistent. | Define precedence (prefer v4 from trusted sources, fall back to v3.1); provide deterministic v4→v3.1 reducer with confidence tag; expose both in API/UI with source. | -| CVM6 | UI/API surfacing & exports | Advisory lists momentum but no UI/API/export spec for multiple scores, metric groups, source, and quality bands. | Users see ambiguous scores; exports non-deterministic. | Update API/UI contracts: show v4 score set (B/BT/BE/BTE), source, assessed_at, quality band; include in exports with deterministic ordering/formatting. | -| CVM7 | Offline/air-gap parity | No requirement to include CVSS v4 data, schemas, and receipts in offline bundles. | Air-gapped sites lack v4 support; replay breaks. | Ship CVSS schemas/test vectors and v4 receipts in offline kits; verify hash/signature; include reducer outputs for legacy consumers. | -| CVM8 | Monitoring & drift detection | No metrics/alerts for missing v4 data, parser failures, or receipt drift vs source (NVD/GitHub). | Silent regressions; stale scores. | Add metrics/alerts: v4 coverage %, parser failures, hash mismatch vs source, fallback to v3.1 events; surface in dashboards. | -| CVM9 | Governance & change control | Momentum noted but no change-control or versioning for parser/ruleset updates; no audit of scorer changes. | Parser changes can alter scores unnoticed. 
| Version parsers/rulesets; DSSE-sign releases; log scorer version in receipts; require dual-review for scoring logic changes. | -| CVM10 | Test coverage & fixtures | No golden fixtures/regression tests for v4 vectors, supplemental fields, or reducer outputs. | Regressions may ship; inconsistent outputs across services. | Publish fixture suite (v2/v3.1/v4 vectors incl. Supplemental) with expected scores and hashes; run in CI across services; include downgrade fixtures. | - -## Immediate follow-ups -- Add a CVSS momentum gaps task to Sprint `SPRINT_0190_0001_0001_cvss_v4_receipts` (or related policy/scoring sprint) to close CVM1–CVM10 with owners/dates. -- Publish signed schemas and canonical hash recipe; enforce append-only multi-version receipts with provenance, completeness bands, precedence/downgrade rules, deterministic API/UI/export formats, offline kit inclusion, monitoring/alerts, governed parser releases, and golden fixtures." - -# Findings – Gaps in “SBOM to VEX Proof Pipeline Blueprint” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` - -**Method:** Read the blueprint, compared with reachability evidence chain (Sprint 0401), policy/VEX pipelines, and evidence locker/export contracts. Focused on end-to-end determinism, DSSE/Rekor alignment, offline parity, idempotency, and testability. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| BP1 | Canonical schemas & hash chain | Blueprint shows diagrams but no signed/Versioned schemas for SBOM→scan→reachability→VEX artifacts or canonical hash recipe tying them. | Chain-of-custody unverifiable; hashes drift across services. | Publish signed schemas for each hop (SBOM, scan, reachability graph, VEX decision) with canonical JSON + hash/test vectors; define chain hash linking inputs/outputs. 
| -| BP2 | Predicate alignment | DSSE predicates for scan/reachability/VEX not mandated or versioned; no required fields cross-referencing each other. | Attestations may be incompatible; evidence linkage weak. | Mandate predicate set (`stella.ops/sbom@v1`, `…/scan@v1`, `…/reachability@v1`, `…/vexDecision@v1`) with required cross-refs (graph_revision_id, policy_hash, evidence bundle IDs). | -| BP3 | Idempotency & replay | No idempotency keys or replay/inputs.lock definition across pipeline stages. | Duplicate or divergent runs; replay not guaranteed. | Define inputs.lock (feed snapshots, tool images, flags) and idempotency key per artifact; require replay to validate lock and chain hashes. | -| BP4 | Transparency/log routing | Rekor/TLOG usage mentioned but no routing policy (public vs private), shard IDs, or bundle requirements. | Attestations may be unlogged or unverifiable offline. | Define routing matrix; require shard ID/log ID in envelopes; ship Sigstore bundles in offline kits. | -| BP5 | Offline/air-gap parity | Offline flow sketched but no deterministic bundle layout, verify script, time anchors, or dual-sign (PQ/FIPS) guidance. | Air-gapped verification weak; regional compliance risk. | Provide “sbom-vex-kit” with deterministic archive flags, hash manifest, DSSE signature + time anchor, dual-sign where required; include verify script with exit codes. | -| BP6 | Error taxonomy & backpressure | Failure modes/reties across stages (scan, reachability, VEX emit) not defined; no backpressure policy. | Pipelines may thrash or silently drop evidence. | Define error taxonomy + retry/backoff, DLQ for failed attestations, and backpressure metrics; fail-closed on missing links. | -| BP7 | Policy/gate binding | VEX decisions not explicitly bound to policy/lattice versions or gate evaluation results. | Decisions may be applied under wrong policy; audit gaps. 
| Require policy_hash/lattice_version in VEX attestation; bind gate evaluation result to decision; verify before accept. | -| BP8 | Tenant/role segregation | Tenant binding and role/RBAC for emitting/approving VEX not specified. | Cross-tenant leakage or unauthorized downgrades. | Enforce tenant field in all artifacts; require dual-approval for VEX publish; annotate attestation with actors/roles. | -| BP9 | Testing/fixtures | No golden fixtures or CI covering SBOM→scan→reachability→VEX chain with hash expectations. | Regressions undetected; chain drift unnoticed. | Publish fixture set with expected hashes/attestations for a reference image; add multi-run hash CI. | -| BP10 | Observability & SLOs | No metrics/alerts for chain integrity (hash mismatch, missing attestation, replay failure). | Failures invisible; customers get incomplete proofs. | Add metrics/alerts for chain completeness, hash drift, replay success, tlog submission errors; include in dashboards. | - -## Immediate follow-ups -- Add an SBOM→VEX pipeline gaps task to Sprint `SPRINT_300_documentation_process.md` (docs/process tracker) or relevant pipeline sprint to close BP1–BP10 with owners/dates. -- Publish signed schemas and chain hash recipe; mandate predicate alignment and inputs.lock, Rekor routing/bundles, offline kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. - -# Findings – Gaps in “SCA Failure Catalogue for StellaOps Tests” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` - -**Method:** Reviewed the failure catalogue and mapped the five cited regressions to StellaOps scanning/SBOM/DB/offline expectations. Focused on making the catalogue actionable as deterministic test vectors with provenance, thresholds, and CI wiring. 
- -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| FC1 | Test vector formalization | Catalogue lists examples but no signed/Versioned fixture pack (images/SBOMs/expected results) with hashes. | Hard to reproduce or detect regressions; provenance weak. | Create a signed fixture pack (container images, SBOMs, expected vuln sets) with hash manifest + DSSE; version it and store in Evidence Locker. | -| FC2 | Determinism & seeds | No deterministic build/scan instructions (seeds, timestamps, locales) for the vectors. | Flaky tests; inconsistent results across runs. | Provide deterministic build scripts with fixed seeds/UTC/time clamp, reproducible container builds, and multi-run hash checks. | -| FC3 | Coverage gaps | Catalogue focuses on jar detection/SBOM gaps but omits other high-risk categories (e.g., language DB schema drift, package manager parity checks, VEX/graph drift). | Critical regressions could slip. | Expand catalogue to include DB/schema drift cases, package manager vs SBOM parity, VEX/graph drift, and offline updater behavior; tag each with priority. | -| FC4 | Expected result schemas | Expected outcomes not expressed in machine-readable schema (e.g., expected vulns, counts, parity deltas). | CI can’t assert pass/fail deterministically. | Define result schema (expected vulns list, counts per severity, allowed deltas) and validate in CI; fail on deviations. | -| FC5 | Offline/air-gap validation | Offline behavior mentioned but not enforced with no-network guard or mirrored DBs. | Tests may pass online but fail in customer air-gaps. | Add offline test mode with enforced no-network (firewall/iptables), mirrored DB bundles with hashes, and verify script; fail if network access occurs. | -| FC6 | Tool/version matrix | No matrix of tool versions (Trivy/Grype/Syft/Snyk) to run against fixtures; regressions may go undetected on upgrades. | Upgrades can reintroduce failures unnoticed. 
| Maintain a version matrix (current, N-1, known-good) for each tool; run fixtures against all; alert on regressions. | -| FC7 | Alerting/reporting | No SLOs or reporting for acceptance pack results (pass rate, flake rate, duration). | Failures may be ignored; flaky tests linger. | Add report + SLO (pass rate, max duration, flake budget) and publish dashboards; alert on SLO breaches. | -| FC8 | Integration into CI pipelines | Catalogue not wired into CI with jobs, tags, or owners. | Tests may stay shelfware. | Add CI jobs (`sca-fixtures`) with owners, schedules, and gating rules (block release on failures); tag tests by scenario. | -| FC9 | Provenance & licensing of fixtures | External artifacts (jars/images) lack provenance/licensing notes; risk of using non-redistributable samples. | Legal risk; fixtures may be removed later. | Document provenance/licensing for each fixture; prefer MIT/Apache or self-built artifacts; store notices alongside fixtures. | -| FC10 | Documentation & discoverability | Catalogue isn’t linked to sprint tasks or module AGENTS; engineers may miss it. | Low adoption; duplicate effort. | Link fixture pack from module AGENTS and sprint docs; add README with usage; reference in ADVISORY_INDEX and sprint trackers. | - -## Immediate follow-ups -- Add an SCA fixture gaps task to Sprint `SPRINT_300_documentation_process.md` (or a test/QA sprint) to close FC1–FC10 with owners/dates. -- Produce a signed, deterministic fixture pack with schema-defined expected results, offline/no-network mode, tool/version matrix, SLO/reporting, provenance/licensing notes, and CI wiring (sca-fixtures job) with gating rules. 
- -# Findings – Gaps in “StellaOps – Mid-Level .NET Onboarding (Quick Start)” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` - -**Method:** Reviewed the onboarding brief against current repo state (missing UI workspace, multiple databases, DSSE/air-gap rules). Focused on completeness, determinism guarantees, offline/air-gap readiness, security posture, and handoff quality for mid-level devs. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| OB1 | Environment parity & prerequisites | Brief omits required local-nuget/offline feeds, Mongo vs Postgres choice guidance, and required tools (Cosign/Rekor client, BLAKE3) for determinism. | New devs hit restore/build failures; non-deterministic envs. | Add prerequisites table with exact versions, offline feed setup, DB selection instructions, and verification commands. | -| OB2 | Determinism verification | Only three sample tests listed; no guidance on clocks/locale/newlines/line-endings enforcement or golden snapshot update policy. | Developers may commit non-deterministic changes. | Add determinism checklist (TZ=UTC, InvariantCulture, \\n line endings), lint hooks, and policy for updating goldens with DSSE-signoff. | -| OB3 | Security posture (keys/secrets) | Brief suggests copying `.env` but not key generation/rotation, KMS/soft-HSM use, or avoiding dev secrets in repo. | Risk of shared dev keys and leaked secrets. | Document dev key workflow (per-user keys, rotation cadence, soft-HSM option), forbid committing `.env`, provide `make dev-keys` script and secret scanning hook. | -| OB4 | Air-gap/offline workflow | Instructions assume internet; no offline bootstrap steps (bundle pulls, rootpacks, mirrors). | Air-gapped onboarding fails; inconsistent envs. 
| Add offline bootstrap steps (load offline-kit, restore from local-nuget, import RootPack/feeds), and a “no-network” smoke test. | -| OB5 | Multi-DB guidance | Brief mentions Mongo/Postgres without migration/compat guidance or determinism notes. | Mismatched DB selection breaks tests; inconsistent hashes. | Provide matrix: which services support which DB, migrations status, and determinism notes; include commands for both. | -| OB6 | UI workspace gap | Current repo lacks Angular workspace; brief doesn’t warn or provide fallback (console/CLI). | Devs blocked on UI tasks. | Add note that UI workspace is missing; provide alternative CLI flows and link to sprint blocking item. | -| OB7 | Sample issues/tests ownership | Starter issues listed but no links to tickets, owners, or paths to tests/fixtures. | New devs waste time finding code/tests; duplicate work. | Link each starter issue to path and test project; assign guild owner; include “definition of done” bullets. | -| OB8 | DSSE/Rekor workflow details | Brief mentions `RekorMode.OfflineMirrorIfAirgapped` but not required flags, mirror paths, or verification commands. | Devs misuse Rekor/mirror; proofs incomplete. | Add step-by-step DSSE+Rekor workflow (online vs offline), mirror location, verify command, and expected hash outputs. | -| OB9 | Contribution guardrails | No mention of code style, analyzers, required test suites, or pre-commit checks. | Inconsistent code quality; reviewers rework. | Add contribution checklist: run analyzers, determinism tests, secret scan, formatting; link to STYLE.md/Analyzers. | -| OB10 | Documentation cross-links | Brief not cross-linked from AGENTS/sprints; missing references to module docs relevant to starter issues. | Discoverability low; onboarding drift. | Link quick-start from AGENTS and sprint docs; add doc map per starter issue. 
| - -## Immediate follow-ups -- Add an onboarding gaps task to Sprint `SPRINT_300_documentation_process.md` (docs/process tracker) to close OB1–OB10 with owners/dates. -- Expand the quick-start with prerequisites/offline steps, determinism/DSSE/secret-handling guidance, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links. - -# Findings – Gaps in “Comparative Evidence Patterns for Stella Ops” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md` - -**Method:** Reviewed the comparative study across Snyk, GitHub, Aqua/Trivy, Anchore/Grype, and Prisma Cloud. Focused on turning competitive observations into StellaOps requirements for evidence, suppression/VEX, exports, accessibility, and auditability. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| CE1 | Evidence model & schemas | Comparative patterns not translated into StellaOps evidence schemas (data-flow, dependency path, attestation links) with canonical JSON. | UI/API may be inconsistent; exports non-deterministic. | Define evidence schema covering code paths, dependency paths, attestation refs, policy context; publish canonical JSON + test vectors. | -| CE2 | Suppression/VEX consistency | Advisory notes fragmentation elsewhere but does not mandate a single suppression/VEX model across scan types in StellaOps. | Risk of repeating fragmented UX; hidden suppressions. | Enforce one suppression model (VEX + policy) across SBOM/container/code/runtime; always surface suppressed counts and include suppressed items in exports on demand. | -| CE3 | Justification taxonomy & expiry | No structured justification/expiry rules for suppressions; free-text only. | Audits weak; inconsistent reasons. 
| Create justification enum + expiry policy; require reason + optional evidence link; DSSE-sign suppression actions. | -| CE4 | Export/ledger linkage | Exports (CSV/JSON/VEX) not required to include ledger/timeline IDs, suppression metadata, or graph revision IDs. | Audits/replay difficult; regulators lack chain-of-custody. | Require exports to carry ledger IDs, graph_revision_id, suppression/VEX status, and signer info; include deterministic ordering and hashes. | -| CE5 | Accessibility & UX parity | Comparative review doesn’t specify WCAG/a11y and UX parity across surfaces (UI/CLI/API) for evidence and suppression views. | Accessibility gaps; inconsistent operator experience. | Define a11y requirements (WCAG 2.1 AA) and ensure evidence/suppression affordances match in UI/CLI/API; add a11y tests. | -| CE6 | Offline/air-gap parity | No requirement to include evidence/suppression data in offline bundles with verify script/time anchor. | Air-gapped customers cannot audit evidence; parity breaks. | Ship “evidence-kit” with findings, evidence paths, suppressions, VEX statements, hash manifest + DSSE + time anchor; provide verify script. | -| CE7 | Observability & SLOs | No metrics/alerts for suppression usage, evidence load errors, export failures, or VEX ingestion drift. | Silent failures; UX regressions unseen. | Add metrics/alerts for suppression actions, suppressed count drift, export success rate, evidence load latency; include dashboards. | -| CE8 | Cross-product comparison fixtures | Competitive examples not turned into fixtures to test StellaOps outputs against desired patterns. | Hard to validate UX/data-model decisions. | Create fixtures mirroring “good” patterns (e.g., Snyk data-flow) and “bad” patterns (fragmented suppression) and use them in UI/API regression tests. | -| CE9 | Policy for suppressed visibility | Default visibility of suppressed items not specified (should not be hidden). | Suppressed issues may disappear from operator view. 
| Mandate always-visible suppressed counter, with toggle to show suppressed details; exports include suppressed items by option. | -| CE10 | Governance & change control | No change-control for suppression/evidence UX rules or export formats. | Drift/regressions may slip in without review. | Version and change-log suppression/evidence/export schemas; require dual-review for changes; DSSE-sign schema catalog. | - -## Immediate follow-ups -- Add an evidence-pattern gaps task to Sprint `SPRINT_300_documentation_process.md` (docs/process tracker) to close CE1–CE10 with owners/dates. -- Publish evidence/suppression/export schemas with canonical rules, enforce single suppression model with justification/expiry, add offline evidence-kit, a11y requirements, observability metrics, visibility policy, and versioned change control; create fixtures to validate desired patterns. - -# Findings – Gaps in “Ecosystem Reality Test Cases” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Ecosystem Reality Test Cases.md` - -**Method:** Reviewed the five public incidents/test ideas and mapped them to StellaOps acceptance/fixture requirements. Focused on determinism, provenance, offline enforcement, safety (secret leaks), and CI wiring. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| ET1 | Fixture pack & schemas | Test cases described but no signed fixture pack (images/SBOMs/DB snapshots) or schema for expected outcomes. | Hard to reproduce; results non-deterministic. | Create signed fixture pack with hash manifest + DSSE, covering all five cases; define expected-result schema. | -| ET2 | Deterministic builds/seeds | No fixed seeds, timestamps, or reproducible build scripts for fixtures (e.g., JAR images, SBOMs). | Flaky tests; hash drift. 
| Provide deterministic build scripts (fixed time/locale), and multi-run hash checks for each fixture. | -| ET3 | Secrets-leak guardrails | Credential-leak test lacks explicit assertions/log scrubbing rules in StellaOps pipeline. | Credentials could leak into logs/JSON exports. | Add secret-scanning of raw outputs/logs for fixture secrets; fail tests on detection; document safe flags. | -| ET4 | Offline/no-network enforcement | Trivy offline schema error test not tied to “no-network” enforcement or expected exit codes. | Offline regressions may pass unnoticed or be misinterpreted. | Enforce firewall/no-network during offline tests; assert specific exit codes/messages; treat schema mismatch as hard error. | -| ET5 | Version matrix coverage | Grype version drift test lacks required version matrix (v0.87.0 vs latest) and DB snapshot pinning. | Regression may be missed on upgrades. | Run fixtures against pinned versions + latest with pinned DB snapshots; alert on delta; store results. | -| ET6 | SBOM parity diffs | SBOM parity test (native vs container) lacks diff criteria (component count thresholds, hash expectations). | Inconsistent interpretations; noisy results. | Define parity thresholds and expected diffs; compute and assert deltas; flag when beyond tolerance. | -| ET7 | Reporting & ownership | No owners/SLAs for these tests; not wired into CI dashboards. | Failures ignored; drift persists. | Assign owners; add CI job `ecosystem-fixtures` with SLOs (pass rate, duration); alert on failure. | -| ET8 | Provenance/licensing | External artifacts’ licensing/provenance not documented. | Legal risk; fixtures may need removal. | Document provenance/licenses; prefer self-built or permissive samples; include notices in fixture pack. | -| ET9 | Export/log retention | No guidance on how long to retain raw outputs/logs from these tests or how to redact before storage. | PII/secret leakage risk; storage bloat. 
| Define retention + redaction policy for test artifacts; default short retention; store redacted outputs only. | -| ET10 | Cross-tool normalization | Tests compare tools but no normalization rules for IDs/aliases (CVE/GHSA/SNYK) or CVSS versions. | False diffs; noisy comparisons. | Normalize IDs/aliases and CVSS versions before comparison; include reducer utilities in test harness. - -## Immediate follow-ups -- Add an ecosystem-fixtures gaps task to Sprint `SPRINT_300_documentation_process.md` (or test/QA sprint) to close ET1–ET10 with owners/dates. -- Publish signed fixture pack + expected-result schema, deterministic builds, secret-leak assertions, offline/no-network enforcement with exit-code checks, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance notices, retention/redaction policy, and ID/CVSS normalization utilities in the harness. - -# Findings – Gaps in “Implementor Guidelines for Stella Ops” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md` - -**Method:** Reviewed the guideline advisory against current repo practices (determinism, offline, quotas, SLSA, schema versioning). Focused on making the guidelines enforceable, testable, and aligned with module AGENTS and sprint docs. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| IG1 | Enforceability & checklist | Guidelines are narrative; no enforceable checklist or CI gates (lint/analyzers/tests) to prove compliance. | Inconsistent adherence; regressions slip in. | Create enforceable checklist with CI gates (analyzers, determinism tests, schema version check, offline/no-network tests); publish in CONTRIBUTING and AGENTS. | -| IG2 | Schema/change control | No explicit versioning/change-log rule for schemas/APIs/CLIs mentioned in the guidelines. 
| Breaking changes can land silently; replay breaks. | Mandate SemVer + changelog for schemas/APIs/CLIs; require schema catalog update + DSSE signature on change. | -| IG3 | Determinism guardrails | Determinism noted but no required settings (TZ, culture, line endings, RNG seeds) or lint rules. | Non-deterministic outputs and hashes. | Add determinism guardrails: enforce `TZ=UTC`, `InvariantCulture`, newline normalization, stable RNG seeds; add lint/test to block violations. | -| IG4 | Offline/air-gap guarantees | Offline-first called out, but no required offline test suite or mirror verification steps. | Features may break offline unnoticed. | Add offline CI job with no-network enforcement, mirror verification, and OUK import test; document required scripts. | -| IG5 | Security/secret handling | Guidelines lack required secret-scanning/DSSE key handling steps for dev/CI; env copying risk. | Secrets leakage or shared dev keys. | Require secret scan pre-commit/CI, per-dev key generation with rotation guidance, forbid committing `.env`; add `dev-keys` script and doc. | -| IG6 | Quotas/perf enforcement | Quota and P95 targets stated but no test harness or profiling budget in guidelines. | Performance drift; quotas unenforced. | Add perf/quota tests (reference hardware profile), budget docs, and CI perf smoke; require perf notes in PR checklist. | -| IG7 | Documentation sync | “Docs in lock-step” stated but no enforcement (e.g., lint that docs paths updated). | Docs drift from code. | Add docs-sync check: PR must touch referenced docs or carry `docs: n/a` justification; add script to verify schema/docs references. | -| IG8 | Cross-module boundaries | Roles split mentioned but no guidance on shared libs vs module-local code; risk of cross-module coupling. | Boundary erosion; harder offline bundles. | Document allowed shared libraries, module boundaries, and approval needed for cross-module calls; enforce via codeowners/analyzers. 
| -| IG9 | SLSA/provenance specifics | SLSA target mentioned but no concrete steps (provenance format, attestation placement) in guideline. | Inconsistent provenance; audits fail. | Add required provenance format (in-toto/DSSE), storage location, signing algorithms; include sample and CI check to verify presence. | -| IG10 | Discovery & AGENTS linkage | Guidelines not linked from module AGENTS/sprints; discoverability low. | New contributors miss rules; inconsistency. | Link guideline doc from AGENTS and sprint templates; add short “read receipt” checkbox when starting tasks. | - -## Immediate follow-ups -- Add an implementor-guidelines gaps task to Sprint `SPRINT_300_documentation_process.md` to close IG1–IG10 with owners/dates. -- Publish enforceable checklist with CI gates, determinism/offline/secret/provenance requirements, schema/versioning change control, perf/quota tests, boundary rules, and AGENTS/sprint linkages. - -# Findings – Gaps in “Reachability Benchmark Fixtures Snapshot” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md` - -**Method:** Reviewed snapshot against reachability benchmark goals (Sprint 0513) and evidence chain requirements. Focused on fixture governance, determinism, licensing, coverage, offline parity, and integration into StellaOps schemas/graphs. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| RB1 | Canonical fixture schema | Snapshot lists sources but no signed/Versioned schema for fixtures (metadata, ground truth, hashes, SBOM/VEX refs). | Fixtures may drift; hashes unverifiable; CI can't validate. | Publish fixture schema (YAML/JSON) with canonical rules and hash manifest + DSSE signature. | -| RB2 | Licensing/provenance | Tier-2 sources (OSS-Fuzz, Vulhub, packages) lack licensing/provenance vetting guidance. 
| Legal risk; fixtures may be non-redistributable. | Add licensing/provenance checklist; prefer self-owned/MIT fixtures; document license per fixture. | -| RB3 | Deterministic build/run | No deterministic build/run scripts, seeds, or time clamps for fixtures. | Non-reproducible hashes/graphs. | Provide deterministic build scripts with fixed seeds/UTC/time clamp; include multi-run hash tests. | -| RB4 | Ground truth validation | Ground truth (reachability/unreachability) not encoded in machine-readable assertions or tests. | CI can't assert correctness; false positives slip. | Encode ground truth in fixture manifest (expected graph_revision_id, reachable/not, failing property); add CI validators. | -| RB5 | Coverage breadth | Snapshot prioritizes SV-COMP/OSS-Fuzz but lacks minimum coverage matrix (languages, binary cases, configs, call-graphs). | Gaps in benchmark reduce confidence. | Define coverage matrix (C, Java, .NET, Python, binary, container) and minimum counts; plan Tier-2 expansion with milestones. | -| RB6 | Offline/air-gap kit | No packaging/verify script for offline distribution of fixtures. | Air-gapped users can't run benchmark or verify integrity. | Ship “reachability-fixtures kit” with deterministic archive flags, hash manifest + DSSE, time anchor, and verify script. | -| RB7 | Integration with evidence chain | Fixtures not aligned to SBOM/graph/VEX schemas (no required outputs/pointers). | Benchmark not usable to validate product evidence chain. | Require each fixture to emit SBOM, scan attestation, reachability graph, VEX reference with hashes and cross-links; include in manifest. | -| RB8 | Versioning/change control | No versioning strategy for fixture sets; updates could break baselines. | Benchmark comparisons unstable over time. | Version fixture set (e.g., golden-v0), maintain changelog, never delete fixtures—add new versions; DSSE-sign releases. | -| RB9 | CI wiring & owners | No CI job/owners defined to run fixtures regularly. 
| Regressions go unnoticed. | Add CI job `reachability-fixtures` with owners, schedule, SLOs; fail builds on hash drift. | -| RB10 | Metrics/reporting | No reporting format for benchmark results (pass/fail, hash drift, perf). | Hard to track regression trends. | Define report schema and dashboard; include hash drift, pass/fail, runtime; alert on failures. | - -## Immediate follow-ups -- Add a reachability-fixtures gaps task to Sprint `SPRINT_0513_0001_0001_public_reachability_benchmark` (or docs tracker) to close RB1–RB10 with owners/dates. -- Publish signed fixture schema and kit with deterministic builds, licensing/provenance notes, ground-truth assertions, coverage matrix, evidence chain outputs, versioning/changelog, CI job with reporting/alerts. - -# Findings – Gaps in “Evidence Bundle and Replay Contracts” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` - -**Method:** Reviewed the advisory against Evidence Locker and replay sprints (0161, 0187) and offline/DSSE requirements. Focused on schema versioning, determinism, provenance, retention/incident governance, and offline parity. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| EB1 | Bundle/manifest schema versioning | Bundle layout shown but manifest/checksums schemas not versioned/signed; no canonical JSON rules. | Producers/consumers may drift; verification may accept wrong layouts. | Publish versioned schemas (`bundle.manifest.schema.json`, `checksums.schema.json`) with canonical JSON rules and signatures; add test vectors. | -| EB2 | Hash recipe & Merkle alignment | No canonical path ordering/normalization for checksums/Merkle root. | Different packagers produce different roots; DSSE subject mismatch. | Define canonical path ordering, normalization, hash algo/encoding; document Merkle calculation; ship fixtures. 
| -| EB3 | DSSE predicate & log policy | Predicate type not mandated; transparency/log routing optional. | Inconsistent signing/logging; weaker trust. | Mandate `stella.ops/evidence-bundle@v1`, require DSSE and Sigstore bundle/log metadata (shard/log ID), fail-closed verification. | -| EB4 | Replay provenance completeness | Replay records lack required signer/tool/policy/graph hashes; DSSE optional. | Replay not auditable; deterministic replays may diverge. | Require provenance block (signer, tool version, policy/lattice hash, graph_revision_id) and DSSE envelope for replay manifest; verify on ingest. | -| EB5 | Size/chunking & CAS | No guidance for large observations/linksets/timeline files. | Bundles may fail or be unverifiable; memory spikes. | Set size limits; support chunk manifests with CAS URIs/hashes; store large blobs out-of-tar referenced from manifest. | -| EB6 | Incident/retention governance | Incident mode lacks signed activation records, authorization rules, or retention invariants. | Misuse or silent retention changes; weak forensic chain. | Require signed incident activation/exit records (who/when/why), legal-hold flags, retention invariants/tests, and audit events/metrics. | -| EB7 | Multi-tenant isolation & redaction | Portable bundles lack redaction rules; tenant isolation not tested. | Cross-tenant leakage in portable/offline exports. | Enforce tenant-scoped manifests; redact tenant IDs in portable bundles with DSSE-recorded redaction map; add isolation tests. | -| EB8 | Offline verifier completeness | Offline verify script not specified (revocation/log checks, crypto profile). | Offline users may skip critical checks; false positives. | Define verifier requirements (signature, checksum, manifest hash, optional log proof, crypto profile match); ship scripted verifier with exit codes/tests. | -| EB9 | Golden fixtures & determinism CI | Golden bundles/replay fixtures not mandated in advisory. | Regressions may ship unnoticed; determinism unproven. 
| Publish official golden bundles/replay records with hashes and multi-run hash CI checks. | -| EB10 | Versioning/change log | No SemVer/changelog for bundle/replay schemas. | Consumers can’t track breaking changes; offline kits may mix versions. | Adopt SemVer for bundle/replay schemas, maintain CHANGELOG, embed version in manifest, and block mixing major versions. | - -## Immediate follow-ups -- Add an evidence-bundle gaps task to Sprint `SPRINT_0161_0001_0001_evidencelocker` (and note for CLI replay sprint 0187) to close EB1–EB10. -- Publish versioned schemas and hashing/Merkle spec, mandate DSSE predicate/log policy, require replay provenance, add chunking/CAS rules, incident governance, tenant isolation/redaction, offline verifier requirements, golden fixtures, and SemVer/change-log governance. - -# Findings – Gaps in “Export Center and Reporting Strategy” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Export Center and Reporting Strategy.md` - -**Method:** Reviewed the export strategy against Export Center sprints (0162–0164), EvidenceLocker bundles, and distribution/adaptation needs. Focused on schema/versioning, determinism, provenance, selector governance, distribution integrity, offline parity, and performance. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| EC1 | Profile & manifest schemas | Profiles/manifests lack versioned JSON Schemas and signatures; selectors not validated. | Inconsistent profiles; invalid selectors reach adapters; reproducibility breaks. | Publish signed schemas for ExportProfile and export manifest; validate selectors; add test vectors. | -| EC2 | Adapter determinism | Determinism asserted but no per-adapter rules (JSON ordering, Trivy DB schema pin, mirror delta rules). | Different runs may emit different hashes; delta/mirror may drift. 
| Define determinism rules per adapter (schema version, ordering, compression flags); add CI rerun-hash checks. | -| EC3 | Provenance/attestation policy | Provenance/SLSA shown but not mandated; no required fields or log policy. | Exports may ship unsigned/unlogged; audit trail weak. | Mandate DSSE/SLSA attestation with required fields (profile, selectors, inputs, tool versions, policy hash, tenant); include Sigstore bundle/log ID. | -| EC4 | Selector governance & cross-tenant controls | Cross-tenant exports “with approval” mentioned but no enforcement/approval flow. | Possible data leakage across tenants. | Require explicit approval tokens/workflow; enforce tenant checks in profiles/runs; log decisions; deny by default. | -| EC5 | Distribution integrity (HTTP/OCI/object) | Distribution channels lack integrity requirements (checksums, signatures, immutability flags, range/partial verification). | Corrupted or tampered exports reach consumers. | Require checksum + signature headers, immutability flags, range verification; for OCI, require annotations + cosign/Sigstore bundle. | -| EC6 | Trivy/DB schema pinning | Trivy adapter supports schema v2 but no pinning/staleness rules or downgrade handling. | Schema drift may break consumers silently. | Pin supported schema versions; embed in manifest; fail fast on mismatch; provide reducer if needed. | -| EC7 | Delta correctness | Mirror delta adapter lacks formal diff rules and tombstone handling. | Deltas may miss or duplicate entries; replay fails. | Define delta algorithm (base manifest hash, added/removed lists, tombstones), include in manifest, and add fixtures. | -| EC8 | Encryption/key management | Encryption optional but key management and recipient validation not specified. | Weak encryption posture; wrong recipients; inability to decrypt offline. | Define encryption policy (age/KMS), recipient validation, key provenance in manifest, and offline decrypt instructions/tests. 
| -| EC9 | Performance/quotas | No throughput/size limits, concurrency caps, or run quotas per tenant/profile. | Export jobs may overwhelm infra or starve tenants. | Set quotas and limits; expose metrics/alerts; enforce backpressure. | -| EC10 | Offline/air-gap parity | Export bundles (profiles, manifests, signatures) not required to be packageable for offline import/verify. | Air-gapped consumers can’t verify or ingest exports. | Provide offline export kit schema (manifest + sig + profiles + inputs hashes) with verify script; ensure adapters produce kit-ready outputs. | - -## Immediate follow-ups -- Add an Export Center gaps task to a relevant sprint (e.g., `SPRINT_0162_0001_0001_exportcenter_i` or `SPRINT_0163_0001_0001_exportcenter_ii`) to close EC1–EC10. -- Publish versioned schemas and determinism rules per adapter; enforce attestation/log policy, selector validation, tenant controls, distribution integrity, schema pinning, delta rules, encryption policy, quotas, and offline kit packaging with verify scripts. - -# Findings – Gaps in “Findings Ledger and Immutable Audit Trail” - -**Requested label:** 2025-11-31 (note: November has 30 days) - -**Compiled:** 2025-12-01 (UTC) - -**Source reviewed:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` - -**Method:** Reviewed the ledger advisory against ledger/Merkle/export work and offline/air-gap expectations. Focused on schema governance, external anchoring, tenant isolation, redaction, determinism, and replay/export parity. - -## Gap Table -| ID | Area | Gap | Impact | Recommendation | -| -- | ---- | --- | ------ | -------------- | -| FL1 | Event/ledger schema versioning | Event and projection shapes are described but no versioned JSON Schemas or canonical serialization rules. | Producers/consumers may diverge; hash/cycle validation may fail. | Publish versioned schemas for events/projections/exports with canonical JSON rules and test vectors; sign schema catalog. 
| -| FL2 | Merkle config & external anchoring | Merkle anchoring noted, but no mandated external anchoring policy, shard/log metadata, or checkpoint freshness. | Tamper evidence weaker; air-gap replay cannot validate freshness. | Define Merkle policy (batch size/window/algo) plus external anchor rules (log/shard ID, checkpoint freshness SLA); include in exports. | -| FL3 | Chain fork handling & tombstones | Forks are “prohibited” but no explicit behavior/logging/audit when conflicts occur; no tombstone policy. | Fork attempts may go unnoticed; auditors lack evidence. | Require fork detection with audit events + DSSE record; tombstone/410 rules; expose metrics. | -| FL4 | Tenant isolation & redaction | Tenant mention present but no redaction rules for exports or portable bundles; no isolation tests. | Cross-tenant leakage risk in exports. | Enforce tenant-scoped chains; redact tenant IDs in portable exports with redaction manifest; add isolation tests. | -| FL5 | Payload redaction/PII | Comment text “hashed” noted but no redaction/allowlist for other fields; no size limits. | PII may leak; exports may bloat. | Define redaction/allowlist, size limits, and evidence rules; enforce before hash; document in schema. | -| FL6 | Policy/version linkage | policyVersion and evidenceBundleRef exist but lattice/version governance not mandated; no DSSE for events. | Decisions not reproducible; weak audit link between policy and ledger. | Require DSSE-signed events or batch manifests including policy hash, lattice version, graph_revision_id; verify on ingest/export. | -| FL7 | Export determinism & golden fixtures | Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports. | Regressions may go unnoticed; reproducibility claims weak. | Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering. | -| FL8 | Replay/rebuild tooling | Projection rebuild guidance minimal; no checksum for rebuild outputs. 
| Rebuilds may diverge from ledger state; audits fail. | Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests. | -| FL9 | Air-gap verifier | Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations). | Air-gapped audits may be incomplete. | Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests. | -| FL10 | Performance envelopes & quotas | SLOs listed but no quotas/backpressure for append/export per tenant or chain. | Hot tenants could starve others; risk of data loss under load. | Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load. | - -## Immediate follow-ups -- Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10. -- Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure. -_id; verify on ingest/export. | -| FL7 | Export determinism & golden fixtures | Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports. | Regressions may go unnoticed; reproducibility claims weak. | Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering. | -| FL8 | Replay/rebuild tooling | Projection rebuild guidance minimal; no checksum for rebuild outputs. | Rebuilds may diverge from ledger state; audits fail. | Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests. | -| FL9 | Air-gap verifier | Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations). | Air-gapped audits may be incomplete. 
| Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests. | -| FL10 | Performance envelopes & quotas | SLOs listed but no quotas/backpressure for append/export per tenant or chain. | Hot tenants could starve others; risk of data loss under load. | Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load. | - -## Immediate follow-ups -- Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10. -- Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure. diff --git a/docs/product-advisories/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md b/docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md similarity index 100% rename from docs/product-advisories/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md diff --git a/docs/product-advisories/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md b/docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md similarity index 100% rename from docs/product-advisories/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md 
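Review bot: the deletion hunk for `31-Nov-2025 FINDINGS.md` discards the EB1–EB10, EC1–EC10 and FL1–FL10 gap tables outright, while every other file in this patch is a 100% rename into `archived/27-Nov-2025-superseded/`; if the findings are meant to be archived, move the file like the others, and if they are superseded, the commit message ("archive advisories") should name what supersedes them. The "Immediate follow-ups" blocks in the deleted text point at sprint work that is presumably still open (`SPRINT_0161_0001_0001_evidencelocker`, CLI replay sprint 0187, `SPRINT_0162_0001_0001_exportcenter_i` / `SPRINT_0163_0001_0001_exportcenter_ii`), so removing the only definition of those gap IDs leaves any task that cites "close EB1–EB10" or "close FL1–FL10" pointing at identifiers that no longer exist in the tree. If the content is relocated instead, relocate it cleaned up: the deleted text carries a duplicated tail (the `FL7`–`FL10` rows and the ledger "Immediate follow-ups" block appear twice, the second copy starting mid-word at `_id; verify on ingest/export.`), and each section is labelled "Requested label: 2025-11-31", a date the file itself flags as impossible.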
diff --git a/docs/product-advisories/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md b/docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md similarity index 100% rename from docs/product-advisories/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md diff --git a/docs/product-advisories/archived/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md b/docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md similarity index 100% rename from docs/product-advisories/archived/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md diff --git a/docs/product-advisories/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md b/docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md similarity index 100% rename from docs/product-advisories/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md diff --git a/docs/product-advisories/archived/15-Nov-2025 - embedded in-toto provenance events.md b/docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - embedded in-toto provenance events.md similarity index 100% rename from docs/product-advisories/archived/15-Nov-2025 - embedded in-toto provenance events.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - embedded in-toto provenance events.md 
diff --git a/docs/product-advisories/archived/15-Nov-2025 - function-level vex explainability.md b/docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - function-level vex explainability.md similarity index 100% rename from docs/product-advisories/archived/15-Nov-2025 - function-level vex explainability.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - function-level vex explainability.md diff --git a/docs/product-advisories/archived/15-Nov-2025 - ipal serdica census excel import blueprint.md b/docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - ipal serdica census excel import blueprint.md similarity index 100% rename from docs/product-advisories/archived/15-Nov-2025 - ipal serdica census excel import blueprint.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - ipal serdica census excel import blueprint.md diff --git a/docs/product-advisories/archived/15-Nov-2025 - proof spine for explainable quiet alerts.md b/docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - proof spine for explainable quiet alerts.md similarity index 100% rename from docs/product-advisories/archived/15-Nov-2025 - proof spine for explainable quiet alerts.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - proof spine for explainable quiet alerts.md diff --git a/docs/product-advisories/archived/15-Nov-2025 - scanner roadmap with deterministic diff-aware rescans.md b/docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - scanner roadmap with deterministic diff-aware rescans.md similarity index 100% rename from docs/product-advisories/archived/15-Nov-2025 - scanner roadmap with deterministic diff-aware rescans.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/15-Nov-2025 - scanner roadmap with deterministic diff-aware rescans.md 
diff --git a/docs/product-advisories/archived/16-Nov-2025 - layer-sbom cache hash reuse.md b/docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - layer-sbom cache hash reuse.md similarity index 100% rename from docs/product-advisories/archived/16-Nov-2025 - layer-sbom cache hash reuse.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - layer-sbom cache hash reuse.md diff --git a/docs/product-advisories/archived/16-Nov-2025 - multi-runtime reachability corpus.md b/docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - multi-runtime reachability corpus.md similarity index 100% rename from docs/product-advisories/archived/16-Nov-2025 - multi-runtime reachability corpus.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - multi-runtime reachability corpus.md diff --git a/docs/product-advisories/archived/16-Nov-2025 - spdx canonical persistence cyclonedx interchange.md b/docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - spdx canonical persistence cyclonedx interchange.md similarity index 100% rename from docs/product-advisories/archived/16-Nov-2025 - spdx canonical persistence cyclonedx interchange.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - spdx canonical persistence cyclonedx interchange.md diff --git a/docs/product-advisories/archived/16-Nov-2025 - validation plan for quiet scans provenance diff-ci.md b/docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - validation plan for quiet scans provenance diff-ci.md similarity index 100% rename from docs/product-advisories/archived/16-Nov-2025 - validation plan for quiet scans provenance diff-ci.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/16-Nov-2025 - validation plan for quiet scans provenance diff-ci.md 
diff --git a/docs/product-advisories/archived/17-Nov-2025 - SBOM-Provenance-Spine.md b/docs/product-advisories/archived/27-Nov-2025-superseded/17-Nov-2025 - SBOM-Provenance-Spine.md similarity index 100% rename from docs/product-advisories/archived/17-Nov-2025 - SBOM-Provenance-Spine.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/17-Nov-2025 - SBOM-Provenance-Spine.md diff --git a/docs/product-advisories/archived/17-Nov-2025 - Stripped-ELF-Reachability.md b/docs/product-advisories/archived/27-Nov-2025-superseded/17-Nov-2025 - Stripped-ELF-Reachability.md similarity index 100% rename from docs/product-advisories/archived/17-Nov-2025 - Stripped-ELF-Reachability.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/17-Nov-2025 - Stripped-ELF-Reachability.md diff --git a/docs/product-advisories/archived/18-Nov-2025 - Binary-Reachability-Engine.md b/docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Binary-Reachability-Engine.md similarity index 100% rename from docs/product-advisories/archived/18-Nov-2025 - Binary-Reachability-Engine.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Binary-Reachability-Engine.md diff --git a/docs/product-advisories/archived/18-Nov-2025 - CSharp-Binary-Analyzer.md b/docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - CSharp-Binary-Analyzer.md similarity index 100% rename from docs/product-advisories/archived/18-Nov-2025 - CSharp-Binary-Analyzer.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - CSharp-Binary-Analyzer.md diff --git a/docs/product-advisories/archived/18-Nov-2025 - Patch-Oracles.md b/docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Patch-Oracles.md similarity index 100% rename from docs/product-advisories/archived/18-Nov-2025 - Patch-Oracles.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Patch-Oracles.md 
diff --git a/docs/product-advisories/archived/18-Nov-2025 - SBOM-Provenance-Spine.md b/docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - SBOM-Provenance-Spine.md similarity index 100% rename from docs/product-advisories/archived/18-Nov-2025 - SBOM-Provenance-Spine.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - SBOM-Provenance-Spine.md diff --git a/docs/product-advisories/archived/18-Nov-2025 - Unknowns-Registry.md b/docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Unknowns-Registry.md similarity index 100% rename from docs/product-advisories/archived/18-Nov-2025 - Unknowns-Registry.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/18-Nov-2025 - Unknowns-Registry.md diff --git a/docs/product-advisories/archived/20-Nov-2025 - Branch · Attach ELF Build‑IDs for Stable PURL Mapping.md b/docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Attach ELF Build‑IDs for Stable PURL Mapping.md similarity index 100% rename from docs/product-advisories/archived/20-Nov-2025 - Branch · Attach ELF Build‑IDs for Stable PURL Mapping.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Attach ELF Build‑IDs for Stable PURL Mapping.md diff --git a/docs/product-advisories/archived/20-Nov-2025 - Branch · Model .init_array Constructors as Reachability Roots.md b/docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Model .init_array Constructors as Reachability Roots.md similarity index 100% rename from docs/product-advisories/archived/20-Nov-2025 - Branch · Model .init_array Constructors as Reachability Roots.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Model .init_array Constructors as Reachability Roots.md 
diff --git a/docs/product-advisories/archived/20-Nov-2025 - Branch · Reachability & Moat Watch — Verified 2025 Updates.md b/docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Reachability & Moat Watch — Verified 2025 Updates.md similarity index 100% rename from docs/product-advisories/archived/20-Nov-2025 - Branch · Reachability & Moat Watch — Verified 2025 Updates.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Branch · Reachability & Moat Watch — Verified 2025 Updates.md diff --git a/docs/product-advisories/archived/20-Nov-2025 - Encoding Binary Reachability with PURL‑Resolved Edges.md b/docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Encoding Binary Reachability with PURL‑Resolved Edges.md similarity index 100% rename from docs/product-advisories/archived/20-Nov-2025 - Encoding Binary Reachability with PURL‑Resolved Edges.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/20-Nov-2025 - Encoding Binary Reachability with PURL‑Resolved Edges.md diff --git a/docs/product-advisories/archived/23-Nov-2025 - Where Stella Ops Can Truly Lead.md b/docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Where Stella Ops Can Truly Lead.md similarity index 100% rename from docs/product-advisories/archived/23-Nov-2025 - Where Stella Ops Can Truly Lead.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Where Stella Ops Can Truly Lead.md diff --git a/docs/product-advisories/archived/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md b/docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md similarity index 100% rename from docs/product-advisories/archived/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md 
diff --git a/docs/product-advisories/archived/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md b/docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md similarity index 100% rename from docs/product-advisories/archived/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md diff --git a/docs/product-advisories/archived/23-Nov-2025 - Stella Ops vs Competitors.md b/docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Stella Ops vs Competitors.md similarity index 100% rename from docs/product-advisories/archived/23-Nov-2025 - Stella Ops vs Competitors.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Stella Ops vs Competitors.md diff --git a/docs/product-advisories/archived/23-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md b/docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md similarity index 100% rename from docs/product-advisories/archived/23-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/23-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md diff --git a/docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md b/docs/product-advisories/archived/27-Nov-2025-superseded/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md similarity index 100% rename from docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md 
diff --git a/docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md b/docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md similarity index 100% rename from docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md diff --git a/docs/product-advisories/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md b/docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md similarity index 100% rename from docs/product-advisories/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md diff --git a/docs/product-advisories/25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md b/docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md similarity index 100% rename from docs/product-advisories/25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md diff --git a/docs/product-advisories/25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md b/docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md similarity index 100% rename from docs/product-advisories/25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md 
diff --git a/docs/product-advisories/25-Nov-2025 - Offline‑kit attestation essentials checklist.md b/docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Offline‑kit attestation essentials checklist.md similarity index 100% rename from docs/product-advisories/25-Nov-2025 - Offline‑kit attestation essentials checklist.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/25-Nov-2025 - Offline‑kit attestation essentials checklist.md diff --git a/docs/product-advisories/26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md b/docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md similarity index 100% rename from docs/product-advisories/26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md diff --git a/docs/product-advisories/26-Nov-2025 - Opening Up a Reachability Dataset.md b/docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Opening Up a Reachability Dataset.md similarity index 100% rename from docs/product-advisories/26-Nov-2025 - Opening Up a Reachability Dataset.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Opening Up a Reachability Dataset.md diff --git a/docs/product-advisories/26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md b/docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md similarity index 100% rename from docs/product-advisories/26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md 
diff --git a/docs/product-advisories/27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md diff --git a/docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md diff --git a/docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md diff --git a/docs/product-advisories/27-Nov-2025 - Late‑November SBOM & VEX competitor.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Late‑November SBOM & VEX competitor.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Late‑November SBOM & VEX competitor.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Late‑November SBOM & VEX competitor.md 
diff --git a/docs/product-advisories/27-Nov-2025 - Making Graphs Understandable to Humans.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Making Graphs Understandable to Humans.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Making Graphs Understandable to Humans.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Making Graphs Understandable to Humans.md diff --git a/docs/product-advisories/27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md diff --git a/docs/product-advisories/27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md b/docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md similarity index 100% rename from docs/product-advisories/27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md diff --git a/docs/product-advisories/28-Nov-2025 - Authentication and Authorization Architecture.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Authentication and Authorization Architecture.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Authentication and Authorization Architecture.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Authentication and Authorization Architecture.md 
diff --git a/docs/product-advisories/28-Nov-2025 - CLI Developer Experience and Command UX.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - CLI Developer Experience and Command UX.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - CLI Developer Experience and Command UX.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - CLI Developer Experience and Command UX.md diff --git a/docs/product-advisories/28-Nov-2025 - Concelier Advisory Ingestion Model.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Concelier Advisory Ingestion Model.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Concelier Advisory Ingestion Model.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Concelier Advisory Ingestion Model.md diff --git a/docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md diff --git a/docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Export Center and Reporting Strategy.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Export Center and Reporting Strategy.md 
diff --git a/docs/product-advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md diff --git a/docs/product-advisories/28-Nov-2025 - Graph Analytics and Dependency Insights.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Graph Analytics and Dependency Insights.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Graph Analytics and Dependency Insights.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Graph Analytics and Dependency Insights.md diff --git a/docs/product-advisories/28-Nov-2025 - Mirror and Offline Kit Strategy.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Mirror and Offline Kit Strategy.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Mirror and Offline Kit Strategy.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Mirror and Offline Kit Strategy.md diff --git a/docs/product-advisories/28-Nov-2025 - Notification Rules and Alerting Engine.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Notification Rules and Alerting Engine.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Notification Rules and Alerting Engine.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Notification Rules and Alerting Engine.md 
diff --git a/docs/product-advisories/28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md diff --git a/docs/product-advisories/28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md diff --git a/docs/product-advisories/28-Nov-2025 - Policy Simulation and Shadow Gates.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Policy Simulation and Shadow Gates.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Policy Simulation and Shadow Gates.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Policy Simulation and Shadow Gates.md diff --git a/docs/product-advisories/28-Nov-2025 - Runtime Posture and Observation with Zastava.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Runtime Posture and Observation with Zastava.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Runtime Posture and Observation with Zastava.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Runtime Posture and Observation with Zastava.md 
diff --git a/docs/product-advisories/28-Nov-2025 - Sovereign Crypto for Regional Compliance.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Sovereign Crypto for Regional Compliance.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Sovereign Crypto for Regional Compliance.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Sovereign Crypto for Regional Compliance.md diff --git a/docs/product-advisories/28-Nov-2025 - Task Pack Orchestration and Automation.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Task Pack Orchestration and Automation.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Task Pack Orchestration and Automation.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Task Pack Orchestration and Automation.md diff --git a/docs/product-advisories/28-Nov-2025 - Telemetry and Observability Patterns.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Telemetry and Observability Patterns.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Telemetry and Observability Patterns.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Telemetry and Observability Patterns.md diff --git a/docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md b/docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md similarity index 100% rename from docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md 
diff --git a/docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md b/docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md similarity index 100% rename from docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md diff --git a/docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md b/docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md similarity index 100% rename from docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md diff --git a/docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md b/docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md similarity index 100% rename from docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md diff --git a/docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md b/docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md similarity index 100% rename from docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md 
diff --git a/docs/product-advisories/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md b/docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md similarity index 100% rename from docs/product-advisories/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md rename to docs/product-advisories/archived/27-Nov-2025-superseded/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md diff --git a/docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md diff --git a/docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Ecosystem Reality Test Cases.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Ecosystem Reality Test Cases.md diff --git a/docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Implementor Guidelines for Stella Ops.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Implementor Guidelines for Stella Ops.md 
diff --git a/docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md diff --git a/docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md diff --git a/docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Standup Sprint Kickstarters.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Standup Sprint Kickstarters.md diff --git a/docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - UI Micro-Interactions for StellaOps.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - UI Micro-Interactions for StellaOps.md 
diff --git a/docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md b/docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md similarity index 100% rename from docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md rename to docs/product-advisories/archived/27-Nov-2025-superseded/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md
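Review bot: The target directory name `archived/27-Nov-2025-superseded/` does not match the contents being moved into it: every rename in this run is a pure move (`similarity index 100%`), and the files carry dates from 27-Nov-2025 through 30-Nov-2025 (for example `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` and `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` both land under `27-Nov-2025-superseded`). A reader browsing the archive will assume the folder holds only material superseded as of 27-Nov, and nothing in the visible paths says which document supersedes these advisories. Suggest naming the folder after the date or document that supersedes them (or the covered date range, e.g. `27-to-30-Nov-2025-superseded`), and, since the moved files are byte-identical to the originals, adding a short README or index in the archive directory that records what replaced each advisory, so the "superseded" claim is traceable without consulting git history.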