Today's product advisories implemented

This commit is contained in:
master
2026-01-16 23:30:47 +02:00
parent 91ba600722
commit 77ff029205
174 changed files with 30173 additions and 1383 deletions

View File

@@ -0,0 +1,137 @@
# Sprint 004 - SBOM & Ingestion CLI
## Topic & Scope
- Surface SBOM and ingestion capabilities via CLI to match UI parity
- Enable SPDX 3.0 build attestation, CycloneDX CBOM, lineage commands, and format conversion
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with `--format json` support, unit tests with frozen fixtures
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 005-017
- Depends on existing SbomCommandGroup.cs and GraphCommandGroup.cs
## Documentation Prerequisites
- `docs/modules/sbom/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 1)
- Existing CLI patterns in `src/Cli/StellaOps.Cli/Commands/`
## Delivery Tracker
### SBI-001 - Add `stella attest build --format spdx3` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend AttestCommandGroup.cs to support SPDX 3.0 build attestation format
- Add `--format spdx3` option alongside existing formats
- Wire to attestation service for SPDX 3.0 envelope generation
Completion criteria:
- [x] `stella attest build --format spdx3 --output build.att` produces valid SPDX 3.0 attestation
- [x] Output validates against SPDX 3.0 schema
- [x] Unit tests with frozen fixture
### SBI-002 - Add `stella sbom export --type cbom --format cdx` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend SbomCommandGroup.cs to support Cryptographic BOM (CBOM) export
- Add `--type cbom` option to export command
- Wire to SBOM service for CBOM generation in CycloneDX format
Completion criteria:
- [x] `stella sbom export --type cbom --format cdx` produces valid CBOM
- [x] CBOM includes cryptographic asset inventory
- [x] Unit tests with frozen fixture
### SBI-003 - Add `stella sbom lineage list/show/export` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add lineage subcommand group to SbomCommandGroup.cs
- Implement `list` to show lineage entries
- Implement `show <id>` to display lineage details
- Implement `export <id> --format json|spdx|cdx` for lineage export
Completion criteria:
- [x] `stella sbom lineage list` returns lineage entries
- [x] `stella sbom lineage show <id>` displays lineage details
- [x] `stella sbom lineage export <id> --format json` produces valid export
- [x] All commands support `--format json` and `--output`
### SBI-004 - Enhance `stella sbom validate` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance existing validate command with additional validation rules
- Add `--strict` option for strict schema validation
- Add `--report` option for detailed validation report
Completion criteria:
- [x] `stella sbom validate --strict` performs comprehensive validation
- [x] Validation report includes specific issues and locations
- [x] Unit tests for various SBOM formats
### SBI-005 - Add `stella sbom convert` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add convert subcommand for SBOM format conversion
- Support SPDX to CycloneDX and vice versa
- Preserve semantic content during conversion
Completion criteria:
- [x] `stella sbom convert input.spdx --to cdx --output output.cdx.json`
- [x] `stella sbom convert input.cdx.json --to spdx --output output.spdx.json`
- [x] Round-trip conversion preserves essential data
- [x] Unit tests with frozen fixtures
### SBI-006 - Add `stella graph lineage show <digest|purl>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add lineage show command to GraphCommandGroup.cs
- Support lookup by digest or purl
- Wire to Graph service for lineage traversal
Completion criteria:
- [x] `stella graph lineage show sha256:abc...` returns lineage graph
- [x] `stella graph lineage show pkg:npm/express@4.18.2` returns lineage
- [x] Output supports `--format json|graphson|mermaid`
- [x] Unit tests with frozen fixture
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 1 | Planning |
| 2026-01-16 | SBI-005: Added `stella sbom convert` command to SbomCommandGroup.cs | Developer |
| 2026-01-16 | SBI-005: Added deterministic sbom convert tests with fixtures | Developer |
| 2026-01-16 | SBI-002: Added `stella sbom export --type cbom` command | Developer |
| 2026-01-16 | SBI-003: Added `stella sbom lineage list/show/export` commands | Developer |
| 2026-01-16 | SBI-004: Enhanced `stella sbom validate` with --strict and --report | Developer |
| 2026-01-16 | SBI-002, SBI-004: Added unit tests for CBOM export and SBOM validate | Developer |
| 2026-01-16 | SBI-006: Added `stella graph lineage show` command with tests and docs | Developer |
| 2026-01-16 | SBI-001: Added `stella attest build --format spdx3` command with tests | Developer |
## Decisions & Risks
- SPDX 3.0 schema may still be evolving; pin to specific version
- CBOM support requires cryptographic asset detection in scanner
- Lineage commands depend on Graph service availability
- Docs updated: [docs/modules/cli/guides/commands/reference.md](docs/modules/cli/guides/commands/reference.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
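Review bot: the Execution Log records the sprint as created on 2026-01-17 while every delivery row is dated 2026-01-16, so the work is logged as finished a day before the sprint existed and the table is not in chronological order; correct whichever date is wrong and sort the rows by date. Related: "SPDX 3.0 schema may still be evolving; pin to specific version" under Decisions & Risks is the only place the pin is mentioned, yet SBI-001's criterion "Output validates against SPDX 3.0 schema" does not say which schema version the validator and the frozen fixture were pinned to, or where the pin lives; add that to the completion criteria so a later schema bump cannot silently change what "valid" means for the attestation.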

View File

@@ -0,0 +1,118 @@
# Sprint 005 - Scanning & Detection CLI
## Topic & Scope
- Document automatic scanning capabilities and enhance SARIF export
- Add worker configuration commands for scanner performance tuning
- Working directory: `src/Cli/`, `docs/`
- Expected evidence: Updated FEATURE_MATRIX.md, enhanced CLI commands, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004, 006-017
- Sprint 018 (FE) depends on this sprint for SARIF metadata
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 2)
- Existing ScanCommandGroup.cs patterns
## Delivery Tracker
### SCD-001 - Document secrets detection as Automatic in FEATURE_MATRIX
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md to classify secrets detection as "Automatic (Class A)"
- Document that secrets detection runs implicitly during scan
- Explain where detection results appear in UI/exports
Completion criteria:
- [x] FEATURE_MATRIX.md updated with secrets detection entry
- [x] Entry marked as "Automatic" with explanation
- [x] Links to findings detail where results appear
### SCD-002 - Document OS analyzers as Automatic in FEATURE_MATRIX
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md to classify OS package analyzers as "Automatic (Class A)"
- Document supported package managers (apk, apt, yum, etc.)
- Explain where analyzer results appear in UI/exports
Completion criteria:
- [x] FEATURE_MATRIX.md updated with OS analyzers entry
- [x] Entry marked as "Automatic" with supported package managers
- [x] Links to SBOM/findings where results appear
### SCD-003 - Enhance SARIF export with metadata
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance SARIF export to include additional metadata
- Add digest, scan time, and policy profile ID to SARIF output
- Ensure schema compliance with SARIF 2.1.0
Completion criteria:
- [x] SARIF export includes `digest` in properties
- [x] SARIF export includes `scanTimestamp`
- [x] SARIF export includes `policyProfileId`
- [x] Output validates against SARIF 2.1.0 schema
- [x] Unit tests with frozen fixture
### SCD-004 - Add `stella scanner workers set/get` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add workers subcommand group to ScannerCommandGroup.cs
- Implement `get` to show current worker configuration
- Implement `set` to configure worker count and pool settings
Completion criteria:
- [x] `stella scanner workers get` displays current configuration
- [x] `stella scanner workers set --count N` updates worker count
- [x] Configuration persists across restarts
- [x] Unit tests for configuration commands
### SCD-005 - Add `stella scan run --workers N` option
Status: DONE
Dependency: SCD-004
Owners: Developer
Task description:
- Add `--workers` option to scan run command
- Allow per-scan override of worker count
- Document performance implications
Completion criteria:
- [x] `stella scan run --workers 4 <image>` uses 4 workers
- [x] Option documented in `--help` output
- [x] Validation prevents invalid worker counts
- [x] Unit tests for worker option
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 2 | Planning |
| 2026-01-16 | SCD-001, SCD-002: Updated FEATURE_MATRIX.md with Automatic Detection (Class A) section | Documentation author |
| 2026-01-16 | SCD-001, SCD-002: Added links to findings/SBOM detail docs | Documentation author |
| 2026-01-16 | SCD-003: Added SARIF metadata injection and unit test coverage | Developer |
| 2026-01-16 | SCD-004: Added scanner workers get/set with persisted config and tests | Developer |
| 2026-01-16 | SCD-005: Added scan run --workers option with validation and tests | Developer |
## Decisions & Risks
- Worker count changes may impact memory usage
- SARIF metadata additions must be backwards compatible
- Documentation tasks can be done independently
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
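Review bot: SCD-005's criterion "Validation prevents invalid worker counts" does not state the accepted range, and the risk "Worker count changes may impact memory usage" is left without a bound; record the minimum and maximum (or the rule that derives the maximum from host resources) in the criterion and in the `--help` text so the validation is checkable. SCD-004's "Configuration persists across restarts" should likewise name where the setting is persisted and which role may change it, since this is an operator-facing resource control. Finally, because Sprint 018 depends on the SARIF metadata and the risk asks for backwards compatibility, the three property names (`digest`, `scanTimestamp`, `policyProfileId`) should be listed as a stable contract in the docs rather than only in the completion criteria.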

View File

@@ -0,0 +1,157 @@
# Sprint 006 - Reachability Analysis CLI
## Topic & Scope
- Complete "why blocked?" explainability via CLI commands
- Add score explanation, witness path, guards inspection, and signal inspection
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with deterministic outputs, unit tests with frozen fixtures
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-005, 007-017
- Sprint 018 (FE) depends on this sprint for API contracts
## Documentation Prerequisites
- `docs/modules/reachability/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 3)
- Existing ReachabilityCommandGroup.cs patterns
## Delivery Tracker
### RCA-001 - Add `stella score explain <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ScoreCommandGroup.cs or extend existing score commands
- Add `explain` subcommand that takes a digest argument
- Wire to RiskEngine score explanation API
- Output factor breakdown (base, CVSS, reachability adjustments, VEX)
Completion criteria:
- [x] `stella score explain sha256:abc...` returns score breakdown
- [x] Breakdown includes base score, CVSS, reachability factor, VEX adjustments
- [x] Output supports `--format table|json|markdown`
- [x] Unit tests with deterministic score explanations
### RCA-002 - Add `stella reachability explain <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `explain` subcommand to ReachabilityCommandGroup.cs
- Return overall reachability assessment with reasoning
- Include confidence score and contributing factors
Completion criteria:
- [x] `stella reachability explain sha256:abc...` returns assessment
- [x] Output includes confidence score (0-100)
- [x] Output lists contributing factors (call paths, guards, runtime signals)
- [x] Supports `--format json` for machine consumption
### RCA-003 - Add `stella reachability witness <digest> --vuln <cve>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `witness` subcommand to ReachabilityCommandGroup.cs
- Generate path witness for a specific CVE
- Support multiple output formats including Mermaid for visualization
Completion criteria:
- [x] `stella reachability witness sha256:abc... --vuln CVE-2024-1234` returns witness
- [x] Witness includes call path from entry point to vulnerable function
- [x] Supports `--format mermaid|json|graphson`
- [x] Mermaid output can be rendered in UI
- [x] Unit tests with frozen witness outputs
### RCA-004 - Add `stella reachability guards <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `guards` subcommand to ReachabilityCommandGroup.cs
- List detected security guards that affect reachability
- Include guard type, location, and effectiveness
Completion criteria:
- [x] `stella reachability guards sha256:abc...` lists guards
- [x] Output includes guard type (input validation, auth check, etc.)
- [x] Output includes location (file, function)
- [x] Supports `--cve <cve-id>` to filter guards relevant to specific CVE
- [x] Supports `--format table|json`
### RCA-005 - Add `--format mermaid|json|graphson` options
Status: DONE
Dependency: RCA-003, RCA-004
Owners: Developer
Task description:
- Ensure all reachability commands support consistent format options
- Add Mermaid format for visualization
- Add GraphSON format for graph database compatibility
Completion criteria:
- [x] All reachability commands support `--format` option
- [x] Mermaid output is valid Mermaid syntax
- [x] GraphSON output is valid GraphSON 3.0
- [x] JSON output has stable, documented schema
### RCA-006 - Add `stella signals inspect <digest|runId>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `signals` command group with `inspect` subcommand
- Return runtime signals collected for digest or run
- Include signal types, timestamps, and correlation data
Completion criteria:
- [x] `stella signals inspect sha256:abc...` returns signals
- [x] `stella signals inspect run-123` returns signals for run
- [x] Output includes signal type, timestamp, source
- [x] Supports `--format json`
### RCA-007 - Unit tests with deterministic witness outputs
Status: DONE
Dependency: RCA-001 through RCA-006
Owners: QA / Test Automation
Task description:
- Create comprehensive unit tests for all reachability commands
- Use frozen fixtures for deterministic testing
- Ensure output stability for golden file comparisons
Completion criteria:
- [x] Unit tests for each new command
- [x] Frozen fixtures for witness paths
- [x] Golden file tests for output format stability
- [x] Tests pass in CI pipeline
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 3 | Planning |
| 2026-01-16 | RCA-001: Added `stella score explain` command to ScoreReplayCommandGroup.cs | Developer |
| 2026-01-16 | RCA-001: Added deterministic score explain tests | Developer |
| 2026-01-16 | RCA-002: Added `stella reachability explain` command | Developer |
| 2026-01-16 | RCA-003: Added `stella reachability witness` with mermaid/json/graphson output | Developer |
| 2026-01-16 | RCA-004: Added `stella reachability guards` command | Developer |
| 2026-01-16 | RCA-005: All reachability commands now support multiple output formats | Developer |
| 2026-01-16 | RCA-006: Created SignalsCommandGroup.cs with inspect/list/summary commands | Developer |
| 2026-01-16 | RCA-003, RCA-004, RCA-007: Added reachability witness/guards filters and tests | Developer |
## Decisions & Risks
- Mermaid format must be compatible with UI rendering library
- GraphSON version should align with existing graph infrastructure
- Witness generation may be computationally expensive; consider caching
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
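Review bot: the tracker and the log disagree on what was delivered. RCA-001 says "Create ScoreCommandGroup.cs or extend existing score commands" while the log records the command in ScoreReplayCommandGroup.cs; and the log entry for RCA-006 says "Created SignalsCommandGroup.cs with inspect/list/summary commands" although the tracker defines criteria only for `inspect`. Settle the file name in RCA-001, and either add `list` and `summary` to RCA-006 with their own completion criteria (output fields, `--format json`, frozen-fixture tests under RCA-007) or drop them from the log; as written, two commands ship without the golden-file coverage RCA-007 claims for "each new command".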

View File

@@ -0,0 +1,106 @@
# Sprint 007 - Binary Analysis CLI
## Topic & Scope
- Surface binary analysis capabilities via CLI (CLI-first, avoid UI until demanded)
- Add fingerprint export and binary diff commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, documentation updates
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-006, 008-017
- Lower priority (P2) - can be deferred if needed
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 4)
- Existing BinaryCommandGroup.cs patterns
## Delivery Tracker
### BAN-001 - Document binary analysis capabilities
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md with binary analysis capabilities
- Document fingerprint generation, corpus management, binary diff
- Classify as "CLI-first (Class B)" per advisory guidance
Completion criteria:
- [x] FEATURE_MATRIX.md includes binary analysis section
- [x] Each capability classified (A/B/C/D/E)
- [x] Usage examples provided
- [x] Links to CLI command documentation
### BAN-002 - Add `stella binary fingerprint export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `fingerprint export` subcommand to BinaryCommandGroup.cs
- Export fingerprint data for a binary artifact
- Support multiple output formats
Completion criteria:
- [x] `stella binary fingerprint export <artifact>` produces fingerprint
- [x] Output includes function hashes, section hashes, symbol table
- [x] Supports `--format json|yaml`
- [x] Supports `--output <path>`
- [x] Unit tests with frozen fixture
### BAN-003 - Add `stella binary diff <base> <candidate>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `diff` subcommand to BinaryCommandGroup.cs
- Compare two binary artifacts and report differences
- Output includes changed functions, added/removed symbols
Completion criteria:
- [x] `stella binary diff <base> <candidate>` produces diff report
- [x] Report includes function-level changes
- [x] Report includes symbol additions/removals
- [x] Supports `--format json|table`
- [x] Supports `--scope file|section|function` for granularity
- [x] Unit tests with frozen fixture
### BAN-004 - Add optional UI download links for fingerprint results
Status: DONE
Dependency: BAN-002
Owners: Developer
Task description:
- Ensure fingerprint export results can be downloaded from UI
- Add download link in Binary Index operations page
- Wire to existing Export Center infrastructure
Completion criteria:
- [x] UI displays fingerprint export option
- [x] Download produces same output as CLI command
- [x] Link available in Binary Index operations page
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 4 | Planning |
| 2026-01-16 | BAN-001: Updated FEATURE_MATRIX.md with Binary Analysis (Class B) documentation | Documentation author |
| 2026-01-16 | BAN-001: Added binary CLI command guide and links | Documentation author |
| 2026-01-16 | BAN-002: Added `stella binary fingerprint export` command with json/yaml output | Developer |
| 2026-01-16 | BAN-003: Added `stella binary diff` command with table/json format and scope options | Developer |
| 2026-01-16 | BAN-002, BAN-003: Added binary fingerprint export and diff unit tests | Developer |
| 2026-01-16 | BAN-004: Added Fingerprint Export tab to BinaryIndex ops UI with download functionality | Developer |
## Decisions & Risks
- Binary analysis is compute-intensive; exports may be slow for large binaries
- P2 priority means this sprint can be deferred if resources constrained
- UI integration is minimal per advisory guidance
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
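Review bot: BAN-004 conflicts with the sprint's own scope line "CLI-first, avoid UI until demanded" and with the risk "UI integration is minimal per advisory guidance"; if the download tab stays, record the demand that justified it. More important, the criterion "Download produces same output as CLI command" has no test behind it: add a parity test that runs the fingerprint export through the Export Center path and through the CLI against the same frozen fixture and compares the resulting bytes (or a digest of the canonical JSON), so the two code paths cannot drift apart unnoticed.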

View File

@@ -0,0 +1,124 @@
# Sprint 008 - Advisory Sources / Concelier CLI
## Topic & Scope
- Surface connector status and health via CLI for reduced ticket load
- Update FEATURE_MATRIX.md with connector reality (33+ connectors)
- Working directory: `src/Cli/`, `docs/`
- Expected evidence: CLI commands, documentation updates, reason codes
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-007, 009-017
- Sprint 018 (FE) uses these APIs for connector status UI
## Documentation Prerequisites
- `docs/modules/concelier/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 5)
- Concelier/Feedser service APIs
## Delivery Tracker
### ASC-001 - Update FEATURE_MATRIX.md with 33+ connectors
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Audit Concelier connector implementations
- Update FEATURE_MATRIX.md with complete connector list
- Include connector status, supported operations, authentication methods
Completion criteria:
- [x] FEATURE_MATRIX.md lists all 33+ connectors
- [x] Each connector has status (stable, beta, deprecated)
- [x] Authentication methods documented per connector
- [x] Links to connector-specific documentation
### ASC-002 - Add `stella db status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create DbCommandGroup.cs with `status` subcommand
- Report database connectivity, schema version, migration status
- Include connection pool health metrics
Completion criteria:
- [x] `stella db status` returns database health
- [x] Output includes connection status (connected/disconnected)
- [x] Output includes schema version and expected version
- [x] Output includes migration status (up-to-date/pending)
- [x] Supports `--format json`
### ASC-003 - Add `stella db connectors list` command
Status: DONE
Dependency: ASC-002
Owners: Developer
Task description:
- Add `connectors list` subcommand to DbCommandGroup.cs
- List all configured advisory connectors with their status
- Support filtering by category
Completion criteria:
- [x] `stella db connectors list` returns connector list
- [x] Each entry includes: name, category, status, last sync, error count
- [x] Status includes: healthy, degraded, failed, disabled
- [x] Supports `--format table|json`
- [x] Supports `--category` filter
- [x] Supports `--status <filter>` to filter by status
### ASC-004 - Add `stella db connectors test <name>` command
Status: DONE
Dependency: ASC-003
Owners: Developer
Task description:
- Add `connectors test` subcommand
- Execute connectivity test for specified connector
- Report test results with timing
Completion criteria:
- [x] `stella db connectors test nvd` tests NVD connector
- [x] Output includes test result (pass/fail)
- [x] Output includes response time
- [x] On failure, includes error details
- [x] Supports `--timeout` option
### ASC-005 - Output with reason codes and remediation hints
Status: DONE
Dependency: ASC-002, ASC-003, ASC-004
Owners: Developer
Task description:
- Ensure all connector commands include reason codes for failures
- Add remediation hints for common failure modes
- Use deterministic reason code format
Completion criteria:
- [x] Failed connectors include reason code (e.g., CON_TIMEOUT_001)
- [x] Reason codes map to documented failure modes
- [x] Remediation hints provided for each reason code
- [x] Reason codes documented in runbook
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 5 | Planning |
| 2026-01-16 | ASC-001: Updated FEATURE_MATRIX.md with 33+ connectors by category | Documentation author |
| 2026-01-16 | ASC-002, ASC-003, ASC-004: Created DbCommandGroup.cs with status/connectors commands | Developer |
| 2026-01-16 | ASC-003: Added status filters and sync/error metadata to connector list output | Developer |
| 2026-01-16 | ASC-001: Added connector status/auth matrix and runbook links | Documentation author |
| 2026-01-16 | ASC-004: Added timeout support and tests for connector test command | Developer |
| 2026-01-16 | ASC-005: Added reason codes and remediation hints + runbook reference | Developer |
## Decisions & Risks
- Connector test command may cause rate limiting on external APIs
- Reason codes need to be stable for automation compatibility
- 33+ connectors may require significant documentation effort
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
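Review bot: the risk "Connector test command may cause rate limiting on external APIs" has no mitigating criterion under ASC-004; add a documented default for `--timeout`, a cooldown or rate-limit guard per connector (or at least a note on how often the command may be run), and a criterion that a rate-limited response is reported with its own reason code instead of a generic failure. ASC-005 also gives a single example (`CON_TIMEOUT_001`) and says "Use deterministic reason code format" without defining the format; document the pattern (prefix, category, numeric suffix) and which JSON field carries the remediation hint so automation can match on it, as the risk "Reason codes need to be stable for automation compatibility" requires.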

View File

@@ -0,0 +1,147 @@
# Sprint 009 - VEX Processing CLI
## Topic & Scope
- Surface VEX operational capabilities via CLI
- Add verification, evidence export, webhook management, and issuer key management
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-008, 010-017
- Existing VEX CLI plugin provides foundation
## Documentation Prerequisites
- `docs/modules/vex/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 6)
- Existing VexCliCommandModule.cs patterns
## Delivery Tracker
### VPR-001 - Add `stella vex verify <doc>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `verify` subcommand to VexCliCommandModule.cs
- Validate VEX document structure and signatures
- Report validation results with detail level options
Completion criteria:
- [x] `stella vex verify document.vex.json` validates VEX document
- [x] Validation checks structure, schema, and signatures
- [x] Output includes validation status (valid/invalid)
- [x] Output includes specific issues for invalid documents
- [x] Supports `--format json`
### VPR-002 - Add `stella vex evidence export <digest|component>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `evidence export` subcommand for VEX evidence extraction
- Support lookup by digest or component identifier
- Export all VEX statements affecting the target
Completion criteria:
- [x] `stella vex evidence export sha256:abc...` exports VEX evidence
- [x] `stella vex evidence export pkg:npm/lodash@4.17.21` exports evidence
- [x] Output includes all relevant VEX statements
- [x] Supports `--format json|openvex`
- [x] Supports `--output <path>`
### VPR-003 - Add `stella vex webhooks list/add/remove` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `webhooks` subcommand group to VEX CLI
- Implement `list` to show configured webhooks
- Implement `add` to register new webhook
- Implement `remove` to unregister webhook
Completion criteria:
- [x] `stella vex webhooks list` returns configured webhooks
- [x] `stella vex webhooks add --url <url> --events <events>` registers webhook
- [x] `stella vex webhooks remove <id>` unregisters webhook
- [x] Event types documented (vex.created, vex.updated, etc.)
- [x] Supports `--format json`
### VPR-004 - Add `stella issuer keys list/create/rotate/revoke` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `issuer` command group with `keys` subcommands
- Implement key lifecycle management via CLI
- Support multiple key types (RSA, ECDSA, EdDSA)
Completion criteria:
- [x] `stella issuer keys list` returns issuer keys
- [x] `stella issuer keys create --type ecdsa --name <name>` creates key
- [x] `stella issuer keys rotate <id>` rotates key
- [x] `stella issuer keys revoke <id>` revokes key
- [x] Key operations require appropriate permissions
- [x] Supports `--format json`
### VPR-005 - Improve consensus rationale explainability output
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance VEX consensus commands to include detailed rationale
- Show contributing factors to consensus decision
- Include confidence scores and source attribution
Completion criteria:
- [x] VEX consensus output includes rationale
- [x] Rationale shows contributing VEX sources
- [x] Confidence score included with breakdown
- [x] Supports `--verbose` for detailed output
### VPR-006 - Add Doctor checks for VEX document validation
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for VEX document validation infrastructure
- Verify schema validation, signature verification, and source connectivity
- Include remediation hints for common issues
Completion criteria:
- [x] `stella doctor --check check.vex.validation` runs VEX validation check
- [x] Check verifies schema validation capability
- [x] Check verifies signature verification capability
- [x] Check verifies VEX source connectivity
- [x] Remediation hints for each failure mode
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 6 | Planning |
| 2026-01-16 | VPR-001: Added `stella vex verify` command to VexCliCommandModule.cs | Developer |
| 2026-01-16 | VPR-001: Added unit tests for `stella vex verify` command | Developer |
| 2026-01-16 | VPR-002: Added `stella vex evidence export` command with tests and docs | Developer |
| 2026-01-16 | VPR-003: Added `stella vex webhooks list/add/remove` commands | Developer |
| 2026-01-16 | VPR-004: Created IssuerKeysCommandGroup.cs with list/create/rotate/revoke | Developer |
| 2026-01-16 | VPR-003: Added VEX webhooks docs and tests | Developer |
| 2026-01-16 | VPR-004: Added issuer keys tests and reference docs | Developer |
| 2026-01-16 | VPR-005: Enhanced consensus rationale output with confidence details | Developer |
| 2026-01-16 | VPR-006: Created VEX Doctor plugin with validation, schema, and issuer trust checks | Developer |
## Decisions & Risks
- Webhook registration may require external validation
- Key operations are security-sensitive; audit logging required
- Consensus rationale may expose internal scoring logic
- Docs updated: [docs/modules/cli/guides/commands/vex.md](docs/modules/cli/guides/commands/vex.md), [docs/modules/cli/guides/commands/reference.md](docs/modules/cli/guides/commands/reference.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
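Review bot: the audit-logging requirement in Decisions & Risks ("Key operations are security-sensitive; audit logging required") is not carried into VPR-004's completion criteria; add a criterion that `create`, `rotate` and `revoke` each write an audit entry (actor, key id, operation, timestamp) and that `rotate` records the superseding key id, and name the scope or role behind "Key operations require appropriate permissions" so the test can assert on it. VPR-003's `webhooks add --url <url> --events <events>` likewise has no criterion for validating the URL (scheme, allowed destinations) before registration, which is what the risk "Webhook registration may require external validation" is pointing at; state the validation rule and the error returned when it fails.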

View File

@@ -0,0 +1,124 @@
# Sprint 010 - Policy Engine CLI
## Topic & Scope
- Surface policy debug and portability capabilities via CLI
- Add lattice explanation, verdict export, and policy promotion commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, documentation
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-009, 011-017
- Existing PolicyCommandGroup.cs provides foundation
## Documentation Prerequisites
- `docs/modules/policy/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 7)
- Existing PolicyCommandGroup.cs patterns
## Delivery Tracker
### PEN-001 - Add `stella policy lattice explain` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `lattice explain` subcommand to PolicyCommandGroup.cs
- Explain policy lattice structure and evaluation order
- Show how policies combine and override
Completion criteria:
- [x] `stella policy lattice explain` shows lattice structure
- [x] Output includes policy hierarchy
- [x] Output includes override relationships
- [x] Output includes evaluation order
- [x] Supports `--format json|mermaid`
### PEN-002 - Add `stella policy verdicts export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `verdicts export` subcommand
- Export policy verdict history for audit purposes
- Support filtering by time range, policy, and outcome
Completion criteria:
- [x] `stella policy verdicts export` exports verdict history
- [x] Supports `--from` and `--to` time range filters
- [x] Supports `--policy <id>` filter
- [x] Supports `--outcome pass|fail|warn` filter
- [x] Supports `--format json|csv`
- [x] Supports `--output <path>`
### PEN-003 - Add `stella policy promote` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `promote` subcommand for policy promotion workflow
- Promote policy from one environment to another
- Include dry-run mode for validation
Completion criteria:
- [x] `stella policy promote <policy-id> --from dev --to stage` promotes policy
- [x] Supports `--dry-run` for validation without execution
- [x] Output shows promotion diff
- [x] Requires appropriate permissions
- [x] Audit log entry created for promotion
### PEN-004 - Document risk provider config in docs
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document risk provider configuration options
- Add to module dossier with examples
- Include configuration validation guidance
Completion criteria:
- [x] Risk provider config documented in module dossier
- [x] Configuration examples provided
- [x] Validation rules documented
- [x] Links to config schema
### PEN-005 - Add Doctor checks for policy engine health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for policy engine health
- Verify policy compilation, evaluation, and storage
- Include performance metrics
Completion criteria:
- [x] `stella doctor --check check.policy.engine` runs health check
- [x] Check verifies policy compilation
- [x] Check verifies evaluation capability
- [x] Check includes performance metrics (eval time)
- [x] Remediation hints for common issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 7 | Planning |
| 2026-01-16 | PEN-004: Created docs/modules/policy/guides/risk-provider-configuration.md | Documentation author |
| 2026-01-16 | PEN-005: Created PolicyEngineHealthCheck.cs for Doctor | Developer |
| 2026-01-16 | PEN-001, PEN-002, PEN-003: Added lattice, verdicts export, and promote CLI commands with tests | Developer |
| 2026-01-16 | PEN-001, PEN-002, PEN-003: Updated CLI command guide for new policy commands | Documentation author |
## Decisions & Risks
- Policy promotion requires environment-aware configuration
- Verdict export may contain sensitive decision data
- Lattice explanation exposes internal policy structure
- Docs updated: [docs/modules/cli/guides/commands/policy.md](docs/modules/cli/guides/commands/policy.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
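Review bot: PEN-002 has no permission or audit criterion for `stella policy verdicts export`, even though Decisions & Risks flags `Verdict export may contain sensitive decision data` and PEN-003 does require `Requires appropriate permissions` and `Audit log entry created for promotion`; add matching criteria to PEN-002 (required scope, audit entry, and which fields the export redacts) so the stated risk has an owner in the tracker. Also, the Execution Log is not chronological: the `2026-01-17 | Sprint created` row precedes the `2026-01-16` implementation rows, so either the creation date is wrong or the rows should be reordered.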

@@ -0,0 +1,126 @@
# Sprint 011 - Attestation & Signing CLI
## Topic & Scope
- Surface attestation and signing capabilities via CLI
- Add key rotation, trust anchor management, predicate registry, and audit export
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-010, 012-017
- Existing attestation and signing infrastructure provides foundation
## Documentation Prerequisites
- `docs/modules/attestor/architecture.md`
- `docs/modules/signer/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 8)
## Delivery Tracker
### ATS-001 - Add `stella keys rotate` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend existing KeyRotationCommandGroup.cs
- Add `rotate` subcommand for signing key rotation
- Support rotation with automatic re-signing option
Completion criteria:
- [x] `stella keys rotate <key-id>` rotates signing key
- [x] Supports `--resign` to re-sign existing attestations
- [x] Supports `--dry-run` for validation
- [x] Audit log entry created
- [x] Old key retained for verification period
- [x] Supports `--format json`
### ATS-002 - Add `stella trust-anchors add/list/remove` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TrustAnchorsCommandGroup.cs
- Implement trust anchor lifecycle management
- Support multiple anchor types (CA certs, public keys, OIDC issuers)
Completion criteria:
- [x] `stella trust-anchors list` shows configured anchors
- [x] `stella trust-anchors add --type ca --cert <path>` adds CA anchor
- [x] `stella trust-anchors add --type oidc --issuer <url>` adds OIDC anchor
- [x] `stella trust-anchors remove <id>` removes anchor
- [x] Supports `--format json`
### ATS-003 - Add `stella attest predicates list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `predicates list` subcommand to AttestCommandGroup.cs
- List registered predicate types
- Include predicate schema and usage information
Completion criteria:
- [x] `stella attest predicates list` shows predicate registry
- [x] Output includes predicate type URI
- [x] Output includes schema reference
- [x] Output includes usage statistics
- [x] Supports `--format json|table`
### ATS-004 - Add `stella sign audit export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `audit export` subcommand to SignCommandGroup.cs
- Export signing audit log for compliance
- Support filtering by time range and key
Completion criteria:
- [x] `stella sign audit export` exports signing audit log
- [x] Supports `--from` and `--to` time range filters
- [x] Supports `--key <id>` filter
- [x] Supports `--format json|csv`
- [x] Supports `--output <path>`
- [x] Export is deterministic and reproducible
### ATS-005 - Add Doctor checks for key material health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for signing key material health
- Verify key availability, expiration, and HSM connectivity
- Include remediation for common key issues
Completion criteria:
- [x] `stella doctor --check check.attestation.keymaterial` runs key check
- [x] Check verifies key file accessibility
- [x] Check verifies key expiration (warn if < 30 days)
- [x] Check verifies HSM/KMS connectivity if configured
- [x] Remediation hints for each failure mode
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 8 | Planning |
| 2026-01-16 | ATS-002: Created TrustAnchorsCommandGroup.cs with list/add/remove/show commands | Developer |
| 2026-01-16 | ATS-001: Created KeysCommandGroup.cs with list/rotate/status commands | Developer |
| 2026-01-16 | ATS-003: Added predicates list command to AttestCommandGroup.cs | Developer |
| 2026-01-16 | ATS-004: Added sign audit export/list commands to SignCommandGroup.cs | Developer |
| 2026-01-16 | ATS-005: Created SigningKeyExpirationCheck.cs for Doctor key health check | Developer |
## Decisions & Risks
- Key rotation is security-critical; requires careful permission handling
- Trust anchor changes affect verification across the system
- Audit export may contain sensitive operational data
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
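Review bot: ATS-001's task description says `Extend existing KeyRotationCommandGroup.cs`, but the Execution Log row says `ATS-001: Created KeysCommandGroup.cs with list/rotate/status commands`; reconcile which file owns `stella keys rotate` (and whether the old group is retired) so the tracker matches the code. Also, ATS-002's criteria for `trust-anchors add` and `remove` include no permission or `Audit log entry created` criterion, unlike ATS-001, even though Decisions & Risks notes that trust anchor changes affect verification across the system; add the same criteria there, and note that the Execution Log lists a `show` command for TrustAnchorsCommandGroup.cs that is absent from the ATS-002 criteria.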

@@ -0,0 +1,107 @@
# Sprint 012 - Regional Crypto CLI
## Topic & Scope
- Surface regional cryptography capabilities via CLI
- Add crypto profile management and plugin health commands
- Add Doctor checks for HSM/PKCS#11 and certificate chains
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-011, 013-017
- Depends on existing crypto plugin infrastructure
## Documentation Prerequisites
- `docs/modules/cryptography/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 9)
- Regional crypto standards (eIDAS, FIPS, GOST, SM)
## Delivery Tracker
### RCR-001 - Add `stella crypto profiles list/select` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend CryptoCommandGroup.cs with profile management
- List available crypto profiles (eIDAS, FIPS, GOST, SM, etc.)
- Select active profile for operations
Completion criteria:
- [x] `stella crypto profiles list` shows available profiles
- [x] Output includes profile name, algorithms, standards compliance
- [x] `stella crypto profiles select <profile>` sets active profile
- [x] Active profile persists in configuration
- [x] Supports `--format json`
### RCR-002 - Add `stella crypto plugins status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `plugins status` subcommand
- Report status of crypto plugins (HSM, PKCS#11, software)
- Include health metrics and capabilities
Completion criteria:
- [x] `stella crypto plugins status` shows plugin status
- [x] Output includes plugin name, type, status
- [x] Output includes supported algorithms
- [x] Output includes performance metrics (ops/sec)
- [x] Supports `--format json|table`
### RCR-003 - Add Doctor checks for HSM/PKCS#11 availability
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for HSM/PKCS#11 module availability
- Verify module loading, slot access, and token presence
- Include remediation for common HSM issues
Completion criteria:
- [x] `stella doctor --check check.crypto.hsm` runs HSM check
- [x] Check verifies PKCS#11 module load
- [x] Check verifies slot availability
- [x] Check verifies token presence and login capability
- [x] Remediation hints for module, slot, and token issues
### RCR-004 - Add Doctor checks for cert chain validation
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for certificate chain validation
- Verify chain completeness, trust anchor validity, and expiration
- Include remediation for common cert issues
Completion criteria:
- [x] `stella doctor --check check.crypto.certchain` runs cert check
- [x] Check verifies chain completeness (no missing intermediates)
- [x] Check verifies trust anchor validity
- [x] Check warns on expiration (< 30 days)
- [x] Remediation hints for chain, anchor, and expiration issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 9 | Planning |
| 2026-01-16 | RCR-001: Added `stella crypto profiles list/select` commands | Developer |
| 2026-01-16 | RCR-002: Added `stella crypto plugins status` command | Developer |
| 2026-01-16 | RCR-003: Created HsmPkcs11AvailabilityCheck.cs for Doctor | Developer |
| 2026-01-16 | RCR-004: Created CertChainValidationCheck.cs for Doctor | Developer |
## Decisions & Risks
- HSM/PKCS#11 checks require physical or virtual HSM for testing
- Regional crypto profiles may have export control implications
- Certificate chain validation must handle offline scenarios
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
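Review bot: RCR-003's `Check verifies token presence and login capability` implies the Doctor check authenticates to the PKCS#11 token, but no criterion states where the token PIN comes from (configuration, environment, or prompt) or that it must never appear in check output or logs; add that, or limit the default check to a read-only slot/token query and make the login probe opt-in. Also, Decisions & Risks says certificate chain validation must handle offline scenarios, but RCR-004 has no criterion for what the check reports when it cannot reach the network (warn and continue versus fail); spell out the expected behaviour so the offline case is testable.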

@@ -0,0 +1,127 @@
# Sprint 013 - Evidence & Findings CLI
## Topic & Scope
- Standardize export commands for evidence, audit, lineage, and risk bundles
- Ensure all exports are deterministic, versioned, and include manifests
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with standardized output formats
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-012, 014-017
- Sprint 018 (FE) depends on this sprint for export APIs
## Documentation Prerequisites
- `docs/modules/evidence/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 10)
- Existing export command patterns
## Delivery Tracker
### EFI-001 - Add `stella export audit` standardization
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Standardize existing audit export command
- Ensure deterministic output with manifest and hashes
- Add version metadata to output
Completion criteria:
- [x] `stella export audit --digest sha256:abc...` produces audit bundle
- [x] Bundle includes manifest.json with file hashes
- [x] Bundle includes version metadata
- [x] Output is deterministic (same input = same output hash)
- [x] Supports `--format tar.gz|zip`
- [x] Supports `--output <path>`
### EFI-002 - Add `stella export lineage` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create lineage export command
- Export lineage graph for a digest or component
- Include all ancestors and descendants
Completion criteria:
- [x] `stella export lineage --digest sha256:abc...` produces lineage bundle
- [x] Bundle includes lineage graph (nodes and edges)
- [x] Bundle includes evidence for each node
- [x] Supports `--depth N` for traversal depth
- [x] Supports `--format tar.gz|zip|json`
- [x] Supports `--output <path>`
### EFI-003 - Add `stella export risk` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create risk bundle export command
- Export risk assessment with all contributing factors
- Include vulnerability details, reachability, VEX status
Completion criteria:
- [x] `stella export risk --digest sha256:abc...` produces risk bundle
- [x] Bundle includes vulnerability list with CVSS/EPSS
- [x] Bundle includes reachability assessment
- [x] Bundle includes VEX status for each vulnerability
- [x] Supports `--severity critical|high|medium|low` filter
- [x] Supports `--format tar.gz|zip|json`
- [x] Supports `--output <path>`
### EFI-004 - Add `stella export evidence-pack` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create evidence pack export command
- Comprehensive export including all evidence types
- Suitable for external audit or legal hold
Completion criteria:
- [x] `stella export evidence-pack --digest sha256:abc...` produces evidence pack
- [x] Pack includes SBOM, attestations, signatures, VEX, policy verdicts
- [x] Pack includes chain-of-custody metadata
- [x] Pack is self-verifying (includes verification instructions)
- [x] Supports `--format tar.gz|zip`
- [x] Supports `--output <path>`
### EFI-005 - Ensure exports are deterministic, versioned, with manifest
Status: DONE
Dependency: EFI-001 through EFI-004
Owners: Developer / QA
Task description:
- Audit all export commands for determinism
- Ensure version metadata in all exports
- Ensure manifest with hashes in all exports
- Add golden file tests for determinism
Completion criteria:
- [x] All export commands produce deterministic output
- [x] All exports include version metadata
- [x] All exports include manifest.json with SHA-256 hashes
- [x] Golden file tests verify determinism
- [ ] Documentation updated with determinism guarantees
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 10 | Planning |
| 2026-01-16 | EFI-001 through EFI-004: Created ExportCommandGroup.cs with audit/lineage/risk/evidence-pack | Developer |
| 2026-01-16 | EFI-005: Created DeterministicExportUtilities.cs with manifest generation | Developer |
## Decisions & Risks
- Deterministic exports require sorted keys and stable timestamps
- Large exports may require streaming implementation
- Evidence packs may contain sensitive data; access control required
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
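Review bot: EFI-005 is marked `Status: DONE` while its last criterion `[ ] Documentation updated with determinism guarantees` is unchecked; either finish the item or set the status to reflect it. Also, EFI-004's `Pack is self-verifying (includes verification instructions)` is only backed by a `manifest.json` with SHA-256 hashes, which detects corruption but not tampering by whoever can rewrite the manifest alongside the files; state whether the manifest itself is signed (the pack already carries attestations and signatures) and which key the verification instructions expect, and add the access-control criterion that Decisions & Risks (`access control required`) calls for.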

@@ -0,0 +1,106 @@
# Sprint 014 - Determinism & Replay CLI
## Topic & Scope
- Surface determinism inspection and replay capabilities via CLI
- Add HLC status, timeline query, and score explanation commands
- Ensure all outputs support golden file testing
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with deterministic outputs, golden file tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-013, 015-017
- Depends on existing HLC and timeline infrastructure
## Documentation Prerequisites
- `docs/modules/determinism/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 11)
- HLC (Hybrid Logical Clock) specification
## Delivery Tracker
### DRP-001 - Add `stella hlc status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create HlcCommandGroup.cs with `status` subcommand
- Report HLC node status, clock drift, and sync state
- Include cluster-wide HLC coordination status
Completion criteria:
- [x] `stella hlc status` returns HLC node status
- [x] Output includes local HLC timestamp
- [x] Output includes clock drift from NTP
- [x] Output includes sync state with cluster peers
- [x] Supports `--format json`
### DRP-002 - Add `stella timeline query` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TimelineCommandGroup.cs with `query` subcommand
- Query timeline events by time range, entity, or event type
- Support deterministic pagination
Completion criteria:
- [x] `stella timeline query --from <ts> --to <ts>` returns events
- [x] Supports `--entity <id>` filter
- [x] Supports `--type <event-type>` filter
- [x] Supports `--limit N` and `--offset N` for pagination
- [x] Results are deterministically ordered by HLC timestamp
- [x] Supports `--format json|table`
### DRP-003 - Add `stella score explain` deterministic output
Status: DONE
Dependency: Sprint 006 RCA-001
Owners: Developer
Task description:
- Ensure score explain command produces deterministic output
- Sort all collections in output
- Use stable formatting for floating-point values
Completion criteria:
- [x] Score explain output is deterministic (same input = same output)
- [x] Collections are sorted alphabetically or by ID
- [x] Floating-point values have stable precision (6 decimal places)
- [x] Output includes determinism hash for verification
### DRP-004 - Add golden file tests for replay verification
Status: DONE
Dependency: DRP-001, DRP-002, DRP-003
Owners: QA / Test Automation
Task description:
- Create golden file test suite for determinism commands
- Include frozen fixtures for HLC, timeline, and score explain
- Ensure CI fails on any output change
Completion criteria:
- [x] Golden files exist for each determinism command
- [x] Test suite compares output against golden files
- [x] CI pipeline includes golden file tests
- [x] Documentation explains how to update golden files
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 11 | Planning |
| 2026-01-16 | DRP-001: Created HlcCommandGroup.cs with status and now commands | Developer |
| 2026-01-16 | DRP-002: Created TimelineCommandGroup.cs with query and export commands | Developer |
| 2026-01-16 | DRP-003: Added determinism hash to score explain, sorted factors, stable F6 precision | Developer |
| 2026-01-16 | DRP-004: Created DeterminismReplayGoldenTests.cs with frozen fixtures for HLC, timeline, score explain | QA |
## Decisions & Risks
- HLC requires cluster coordination; single-node mode may have different behavior
- Timeline queries on large ranges may be slow; consider streaming
- Deterministic output requires careful handling of maps and timestamps
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
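Review bot: DRP-003 declares `Dependency: Sprint 006 RCA-001`, which contradicts `No upstream sprint dependencies` under Dependencies & Concurrency; update that section so the sprint ordering is visible to anyone scheduling the work. Also, `Output includes determinism hash for verification` does not say what the hash covers (the canonical serialized output with sorted collections and the F6-formatted floats, presumably excluding the hash field itself) or which algorithm is used; without that, the golden tests in DRP-004 can only compare bytes and cannot recompute the hash independently, so state it in the criterion.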

@@ -0,0 +1,127 @@
# Sprint 015 - Operations CLI
## Topic & Scope
- Surface orchestrator and scheduler capabilities via CLI
- Add job management, dead-letter handling, and scheduler preview
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-014, 016-017
- Depends on existing Orchestrator and Scheduler services
## Documentation Prerequisites
- `docs/modules/orchestrator/architecture.md`
- `docs/modules/scheduler/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 12)
## Delivery Tracker
### OPS-001 - Add `stella orchestrator jobs list/show` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create OrchestratorCommandGroup.cs with jobs subcommands
- List jobs with filtering by status, type, and time range
- Show detailed job information including steps and timing
Completion criteria:
- [x] `stella orchestrator jobs list` returns job list
- [x] Supports `--status pending|running|completed|failed` filter
- [x] Supports `--type <job-type>` filter
- [x] Supports `--from` and `--to` time range
- [x] `stella orchestrator jobs show <job-id>` returns job details
- [x] Supports `--format json|table`
### OPS-002 - Add `stella orchestrator jobs retry/cancel` commands
Status: DONE
Dependency: OPS-001
Owners: Developer
Task description:
- Add job lifecycle management commands
- Retry failed jobs with optional parameter override
- Cancel pending or running jobs
Completion criteria:
- [x] `stella orchestrator jobs retry <job-id>` retries failed job
- [x] Supports `--force` to retry non-failed jobs
- [x] `stella orchestrator jobs cancel <job-id>` cancels job
- [x] Cancel only works on pending/running jobs
- [x] Operations require appropriate permissions
### OPS-003 - Add `stella orchestrator deadletter list/show/replay` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add dead-letter queue management commands
- List messages in dead-letter queue
- Show message details and failure reason
- Replay messages back to processing queue
Completion criteria:
- [x] `stella orchestrator deadletter list` returns DLQ messages
- [ ] `stella orchestrator deadletter show <msg-id>` shows message details
- [x] Details include original message, failure reason, retry count
- [x] `stella orchestrator deadletter replay <msg-id>` replays message
- [x] `stella orchestrator deadletter replay --all` replays all messages
- [x] Supports `--format json|table`
### OPS-004 - Add `stella scheduler preview` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add scheduler preview command
- Show upcoming scheduled jobs for a time window
- Include job type, schedule expression, and next run time
Completion criteria:
- [x] `stella scheduler preview` shows upcoming jobs
- [x] Supports `--window 24h|7d|30d` for preview window
- [x] Output includes job name, schedule, next run time
- [x] Supports `--format json|table`
### OPS-005 - Add Doctor checks for job queue health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for job queue health
- Monitor queue depth, processing rate, and DLQ size
- Alert on backlog or high DLQ count
Completion criteria:
- [x] `stella doctor --check check.operations.queue` runs queue check
- [x] Check monitors pending job count
- [x] Check monitors processing rate
- [x] Check monitors DLQ size
- [x] Warns on backlog > threshold
- [x] Warns on DLQ > threshold
- [x] Remediation hints for queue issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 12 | Planning |
| 2026-01-16 | OPS-001, OPS-002: Created OrchestratorCommandGroup.cs with jobs commands | Developer |
| 2026-01-16 | OPS-003: Added deadletter list/replay commands | Developer |
| 2026-01-16 | OPS-004: Created scheduler preview and list commands | Developer |
| 2026-01-16 | OPS-005: Created Operations Doctor plugin with job queue, dead letter, and scheduler checks | Developer |
## Decisions & Risks
- Job retry may cause duplicate processing; idempotency required
- DLQ replay should preserve original message context
- Scheduler preview accuracy depends on cron parsing
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
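Review bot: OPS-003 is `Status: DONE` while `[ ] stella orchestrator deadletter show <msg-id>` is unchecked and the Execution Log only records `Added deadletter list/replay commands`; either add the `show` command or mark the task open. Also, `deadletter replay --all` has no confirmation, permission, or audit criterion, and OPS-002's `Operations require appropriate permissions` covers only retry/cancel, yet Decisions & Risks flags duplicate processing on retry and replay; add a `--confirm` or `--dry-run` criterion for `--all` and an audit or idempotency criterion for replay.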

@@ -0,0 +1,146 @@
# Sprint 016 - Auth & Access Control CLI
## Topic & Scope
- Surface auth administration capabilities via CLI for automation
- Add client, role, scope, token, and API key management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-015, 017
- Depends on existing Authority service
## Documentation Prerequisites
- `docs/modules/authority/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 14)
- OAuth 2.0 / OIDC specifications
## Delivery Tracker
### AAC-001 - Add `stella auth clients list/create/delete` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create AuthCommandGroup.cs with clients subcommands
- List OAuth clients with filtering
- Create new clients with configurable grants and scopes
- Delete clients with confirmation
Completion criteria:
- [x] `stella auth clients list` returns client list
- [x] Supports `--type public|confidential` filter
- [x] `stella auth clients create --name <name> --type <type>` creates client
- [x] Supports `--grants` and `--scopes` options
- [x] `stella auth clients delete <client-id>` deletes client
- [x] Requires `--confirm` for deletion
- [x] Supports `--format json|table`
### AAC-002 - Add `stella auth roles list/assign` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add roles subcommand group
- List available roles with permissions
- Assign roles to users or clients
Completion criteria:
- [x] `stella auth roles list` returns role list
- [x] Output includes role name, description, permissions
- [x] `stella auth roles assign <role> --user <user-id>` assigns to user
- [x] `stella auth roles assign <role> --client <client-id>` assigns to client
- [ ] `stella auth roles revoke <role> --user <user-id>` revokes from user
- [x] Supports `--format json|table`
### AAC-003 - Add `stella auth scopes list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add scopes list command
- Show all available OAuth scopes
- Include scope description and resource access
Completion criteria:
- [x] `stella auth scopes list` returns scope list
- [x] Output includes scope name, description
- [x] Output includes resources the scope grants access to
- [x] Supports `--format json|table`
### AAC-004 - Add `stella auth token inspect` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add token inspect command for debugging
- Parse and display token claims
- Validate token signature and expiration
Completion criteria:
- [x] `stella auth token inspect <token>` inspects JWT
- [x] Output includes header, payload (claims)
- [x] Output includes validation status (signature, expiration)
- [x] Supports `--format json|table`
- [x] Sensitive claims can be masked with `--mask`
### AAC-005 - Add `stella auth api-keys list/create/revoke` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add api-keys subcommand group
- List API keys with filtering by user or status
- Create new API keys with scope and expiration
- Revoke API keys
Completion criteria:
- [x] `stella auth api-keys list` returns API key list
- [ ] Supports `--user <user-id>` filter
- [ ] Supports `--status active|revoked` filter
- [x] `stella auth api-keys create --name <name> --scopes <scopes>` creates key
- [x] Supports `--expires <duration>` option
- [x] `stella auth api-keys revoke <key-id>` revokes key
- [x] Key secret only shown once at creation
- [x] Supports `--format json|table`
### AAC-006 - Add Doctor checks for auth configuration
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for auth configuration health
- Verify OIDC provider connectivity
- Verify signing key availability
- Check token service health
Completion criteria:
- [x] `stella doctor --check check.auth.config` runs auth check
- [x] Check verifies OIDC provider connectivity (if configured)
- [x] Check verifies signing key availability
- [x] Check verifies token service responds
- [x] Remediation hints for common auth issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 14 | Planning |
| 2026-01-16 | AAC-001 through AAC-005: Created AuthCommandGroup.cs with clients/roles/scopes/token/api-keys | Developer |
| 2026-01-16 | AAC-006: Created Auth Doctor plugin with config, OIDC, signing key, and token service checks | Developer |
## Decisions & Risks
- Client credentials are sensitive; secure output handling required
- API key secrets must never be logged or stored
- Role assignment changes are security-sensitive; audit logging required
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
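Review bot: AAC-002 and AAC-005 are marked `Status: DONE` with unchecked criteria (`roles revoke`, and the `--user` and `--status` filters on `api-keys list`), so the status lines overstate completion. Also, AAC-004 takes the JWT as a positional `<token>` argument, which leaves the token in shell history and process listings and sits badly with the `API key secrets must never be logged or stored` risk; accept it from stdin or a file as well, and state which key set (the signing key checked by AAC-006, or the configured OIDC provider's keys) the `validation status (signature, expiration)` is computed against. AAC-001 should likewise say how a confidential client's secret is returned, mirroring AAC-005's `Key secret only shown once at creation`.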

@@ -0,0 +1,107 @@
# Sprint 017 - Notifications & Integrations CLI
## Topic & Scope
- Surface notification and integration capabilities via CLI
- Add channel management, template rendering, and integration testing
- Working directory: `src/Cli/`
- Expected evidence: CLI commands
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-016
- Depends on existing Notify service and integration infrastructure
## Documentation Prerequisites
- `docs/modules/notify/architecture.md`
- `docs/modules/integrations/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 15)
## Delivery Tracker
### NIN-001 - Add `stella notify channels list/test` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create NotifyCommandGroup.cs with channels subcommands
- List configured notification channels
- Test channel connectivity with sample notification
Completion criteria:
- [x] `stella notify channels list` returns channel list
- [x] Output includes channel name, type (email, slack, webhook, etc.)
- [x] Output includes status (enabled/disabled)
- [x] `stella notify channels test <channel-id>` sends test notification
- [x] Test result includes delivery status
- [x] Supports `--format json|table`
### NIN-002 - Add `stella notify templates list/render` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add templates subcommand group
- List available notification templates
- Render template with sample data for preview
Completion criteria:
- [x] `stella notify templates list` returns template list
- [x] Output includes template name, event type, channels
- [x] `stella notify templates render <template-id>` renders template
- [x] Supports `--data <json>` for custom template variables
- [x] Output shows rendered notification content
- [x] Supports `--format json|text`
### NIN-003 - Add `stella integrations test` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create IntegrationsCommandGroup.cs with test command
- Test connectivity and authentication for configured integrations
- Report test results with timing
Completion criteria:
- [x] `stella integrations test` tests all integrations
- [x] `stella integrations test <integration-id>` tests specific integration
- [x] Test verifies connectivity, authentication, basic operation
- [x] Output includes test result (pass/fail), timing, error details
- [x] Supports `--format json|table`
### NIN-004 - Add `stella notify preferences export/import` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add preferences subcommand group
- Export user notification preferences
- Import preferences for bulk configuration
Completion criteria:
- [x] `stella notify preferences export` exports preferences
- [x] Supports `--user <user-id>` to export specific user
- [x] Exports to JSON format
- [x] `stella notify preferences import <file>` imports preferences
- [x] Import validates format before applying
- [x] Supports `--dry-run` for validation only
- [x] Supports `--output <path>` for export
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 15 | Planning |
| 2026-01-16 | NIN-001 through NIN-004: Created NotifyCommandGroup.cs with channels/templates/preferences and integrations commands | Developer |
## Decisions & Risks
- Channel testing may trigger actual notifications; use test recipients
- Template rendering with user data may expose sensitive information
- Integration testing may hit external rate limits
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
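Review bot: NIN-001's `stella notify channels test <channel-id>` `sends test notification`, but no criterion lets the operator pick a test recipient, even though Decisions & Risks says `use test recipients`; add a `--recipient` or dry-run criterion so the test cannot page real users or post into a production webhook. Also, NIN-004's `preferences import` applies bulk changes with only format validation and `--dry-run` as safeguards; add a permission and audit criterion, and state whether import replaces or merges existing preferences.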

@@ -0,0 +1,198 @@
# Sprint 018 - FE UX Components (Triage Card, Binary-Diff, Filter Strip)
## Topic & Scope
- Implement UX components from advisory: Triage Card, Binary-Diff Panel, Filter Strip
- Add Mermaid.js and GraphViz for visualization
- Add SARIF download to Export Center
- Working directory: `src/Web/`
- Expected evidence: Angular components, Playwright tests
## Dependencies & Concurrency
- Depends on Sprint 006 (Reachability) for witness path APIs
- Depends on Sprint 008 (Advisory Sources) for connector status APIs
- Depends on Sprint 013 (Evidence) for export APIs
- Must wait for dependent CLI sprints to complete
## Documentation Prerequisites
- `docs/modules/web/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (UX Specs section)
- Angular component patterns in `src/Web/frontend/`
## Delivery Tracker
### UXC-001 - Install Mermaid.js and GraphViz libraries
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Mermaid.js to package.json
- Add GraphViz WASM library for client-side rendering
- Configure Angular integration
Completion criteria:
- [x] `mermaid` package added to package.json
- [x] GraphViz WASM library added (e.g., @viz-js/viz)
- [x] Mermaid directive/component created for rendering
- [x] GraphViz fallback component created
- [x] Unit tests for rendering components
### UXC-002 - Create Triage Card component with signed evidence display
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create TriageCardComponent following UX spec
- Display vuln ID, package, version, scope, risk chip
- Show evidence chips (OpenVEX, patch proof, reachability, EPSS)
- Include actions (Explain, Create task, Mute, Export)
Completion criteria:
- [x] TriageCardComponent renders card per spec
- [x] Header shows vuln ID, package@version, scope
- [x] Risk chip shows score and reason
- [x] Evidence chips show OpenVEX, patch proof, reachability, EPSS
- [x] Actions row includes Explain, Create task, Mute, Export
- [x] Keyboard shortcuts: v (verify), e (export), m (mute)
- [x] Hover tooltips on chips
- [x] Copy icons on digests
### UXC-003 - Add Rekor Verify one-click action in Triage Card
Status: DONE
Dependency: UXC-002
Owners: Developer
Task description:
- Add "Rekor Verify" button to Triage Card
- Execute DSSE/Sigstore verification
- Expand to show verification details
Completion criteria:
- [x] "Rekor Verify" button in Triage Card
- [x] Click triggers verification API call
- [x] Expansion shows signature subject/issuer
- [x] Expansion shows timestamp
- [x] Expansion shows Rekor index and entry (copyable)
- [x] Expansion shows digest(s)
- [x] Loading state during verification
### UXC-004 - Create Binary-Diff Panel with side-by-side diff view
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create BinaryDiffPanelComponent following UX spec
- Implement scope selector (file → section → function)
- Show base vs candidate with inline diff
Completion criteria:
- [x] BinaryDiffPanelComponent renders panel per spec
- [x] Scope selector allows file/section/function selection
- [x] Side-by-side view shows base vs candidate
- [x] Inline diff highlights changes
- [x] Per-file, per-section, per-function hashes displayed
- [x] "Export Signed Diff" produces DSSE envelope
- [x] Click on symbol jumps to function diff
### UXC-005 - Add scope selector (file to section to function)
Status: DONE
Dependency: UXC-004
Owners: Developer
Task description:
- Create ScopeSelectorComponent for Binary-Diff
- Support hierarchical selection
- Maintain context when switching scopes
Completion criteria:
- [x] ScopeSelectorComponent with file/section/function levels
- [x] Selection updates Binary-Diff Panel view
- [x] Context preserved when switching scopes
- [x] "Show only changed blocks" toggle
- [x] Toggle opcodes ⇄ decompiled view (if available)
### UXC-006 - Create Filter Strip with deterministic prioritization
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create FilterStripComponent following UX spec
- Implement precedence toggles (OpenVEX → Patch proof → Reachability → EPSS)
- Ensure deterministic ordering
Completion criteria:
- [x] FilterStripComponent renders strip per spec
- [x] Precedence toggles in order: OpenVEX, Patch proof, Reachability, EPSS
- [x] EPSS slider for threshold
- [x] "Only reachable" checkbox
- [x] "Only with patch proof" checkbox
- [x] "Deterministic order" lock icon (on by default)
- [x] Tie-breaking: OCI digest → path → CVSS
- [x] Filters update counts without reflow
- [x] A11y: high-contrast, focus rings, keyboard nav, aria-labels
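The deterministic prioritization that UXC-006 specifies (precedence toggles OpenVEX → Patch proof → Reachability → EPSS, tie-break OCI digest → path → CVSS), worked through as an added TypeScript example; this is not the project's FilterStripComponent, and the Finding shape, the per-key risk ranks and the final vulnId tie-break are assumptions made here.

```typescript
// Added example, not the project's FilterStripComponent. The Finding shape, the
// per-key risk ranks and the final vulnId tie-break are assumptions made here.

type VexStatus = 'affected' | 'under_investigation' | 'fixed' | 'not_affected';
type Reachability = 'reachable' | 'unknown' | 'unreachable';
type PrecedenceKey = 'openvex' | 'patchProof' | 'reachability' | 'epss';

interface Finding {
  vulnId: string;
  ociDigest: string;      // image digest (tie-break 1)
  path: string;           // path inside the image (tie-break 2)
  cvss: number;           // tie-break 3, higher first
  openVex?: VexStatus;    // undefined: no VEX statement for this finding
  patchProof: boolean;    // backport/patch evidence present
  reachability: Reachability;
  epss: number;           // 0..1
}

interface FilterStripConfig {
  precedence: PrecedenceKey[]; // enabled precedence toggles, in order
  epssThreshold: number;       // EPSS slider: keep findings with epss >= threshold
  onlyReachable: boolean;
  onlyWithPatchProof: boolean;
  deterministicOrder: boolean; // the lock icon, on by default
}

const DEFAULT_CONFIG: FilterStripConfig = {
  precedence: ['openvex', 'patchProof', 'reachability', 'epss'],
  epssThreshold: 0,
  onlyReachable: false,
  onlyWithPatchProof: false,
  deterministicOrder: true,
};

// Lower rank sorts first (more urgent). The ranks are an assumption of this example.
const VEX_RANK: Record<VexStatus | 'none', number> = {
  affected: 0, under_investigation: 1, none: 2, fixed: 3, not_affected: 4,
};
const REACH_RANK: Record<Reachability, number> = { reachable: 0, unknown: 1, unreachable: 2 };

function rankFor(key: PrecedenceKey, f: Finding): number {
  if (key === 'openvex') return VEX_RANK[f.openVex ?? 'none'];
  if (key === 'patchProof') return f.patchProof ? 1 : 0; // no patch proof = still exposed
  if (key === 'reachability') return REACH_RANK[f.reachability];
  return -f.epss;                                          // higher EPSS first
}

// Code-point comparison: locale-independent, so the order is the same on every client.
function cmpStr(a: string, b: string): number {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Total order: enabled precedence keys in configured order, then the spec's tie-break
// chain OCI digest -> path -> CVSS (descending). vulnId is added as a last resort so
// two findings can never compare equal and silently fall back to input order.
function compareFindings(a: Finding, b: Finding, precedence: PrecedenceKey[]): number {
  for (const key of precedence) {
    const d = rankFor(key, a) - rankFor(key, b);
    if (d !== 0) return d;
  }
  return cmpStr(a.ociDigest, b.ociDigest)
    || cmpStr(a.path, b.path)
    || (b.cvss - a.cvss)
    || cmpStr(a.vulnId, b.vulnId);
}

// Apply the strip's filters, then order the survivors deterministically when the lock is on.
function applyFilterStrip(findings: readonly Finding[], cfg: FilterStripConfig): Finding[] {
  const kept = findings.filter(f =>
    f.epss >= cfg.epssThreshold &&
    (!cfg.onlyReachable || f.reachability === 'reachable') &&
    (!cfg.onlyWithPatchProof || f.patchProof));
  if (!cfg.deterministicOrder) return kept;    // unlocked: keep the incoming order
  return [...kept].sort((a, b) => compareFindings(a, b, cfg.precedence));
}

// Constructed sample findings (placeholder IDs and digests, not real data).
const SAMPLE_FINDINGS: Finding[] = [
  { vulnId: 'CVE-0000-0001', ociDigest: 'sha256:bbb', path: 'usr/lib/libz.so', cvss: 7.5,
    openVex: 'not_affected', patchProof: true, reachability: 'unreachable', epss: 0.95 },
  { vulnId: 'CVE-0000-0002', ociDigest: 'sha256:aaa', path: 'usr/bin/curl', cvss: 9.8,
    openVex: 'affected', patchProof: false, reachability: 'reachable', epss: 0.91 },
  { vulnId: 'CVE-0000-0003', ociDigest: 'sha256:aaa', path: 'usr/lib/libssl.so', cvss: 5.3,
    openVex: 'affected', patchProof: false, reachability: 'reachable', epss: 0.91 },
  { vulnId: 'CVE-0000-0004', ociDigest: 'sha256:aaa', path: 'usr/bin/curl', cvss: 6.1,
    patchProof: false, reachability: 'unknown', epss: 0.10 },
];

function orderedIds(findings: readonly Finding[], cfg: FilterStripConfig): string[] {
  return applyFilterStrip(findings, cfg).map(f => f.vulnId);
}

// Reversed input must yield the same order; switching precedence to EPSS-only reorders.
console.log(orderedIds(SAMPLE_FINDINGS, DEFAULT_CONFIG));
console.log(orderedIds([...SAMPLE_FINDINGS].reverse(), DEFAULT_CONFIG));
console.log(orderedIds(SAMPLE_FINDINGS, { ...DEFAULT_CONFIG, precedence: ['epss'] }));
```

With the default precedence the VEX `not_affected` finding sinks to the bottom despite the highest EPSS, and the two findings that tie on every precedence key are separated by path, not by the order the API returned them.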
### UXC-007 - Add SARIF download to Export Center
Status: DONE
Dependency: Sprint 005 SCD-003
Owners: Developer
Task description:
- Add SARIF download button to Export Center
- Support scan run and digest-based download
- Include metadata (digest, scan time, policy profile)
Completion criteria:
- [x] "Download SARIF" button in Export Center
- [x] Download available for scan runs
- [x] Download available for digest
- [x] SARIF includes metadata per Sprint 005
- [x] Download matches CLI output format
### UXC-008 - Integration tests with Playwright
Status: DONE
Dependency: UXC-001 through UXC-007
Owners: QA / Test Automation
Task description:
- Create Playwright e2e tests for new components
- Test Triage Card interactions
- Test Binary-Diff Panel navigation
- Test Filter Strip determinism
Completion criteria:
- [x] Playwright tests for Triage Card
- [x] Tests cover keyboard shortcuts
- [x] Tests cover Rekor Verify flow
- [x] Playwright tests for Binary-Diff Panel
- [x] Tests cover scope selection
- [x] Playwright tests for Filter Strip
- [x] Tests verify deterministic ordering
- [x] Visual regression tests for new components
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory UX Specs | Planning |
| 2026-01-16 | UXC-001: Created MermaidRendererComponent and GraphvizRendererComponent | Developer |
| 2026-01-16 | UXC-002: Created TriageCardComponent with evidence chips, actions | Developer |
| 2026-01-16 | UXC-003: Added Rekor Verify with expansion panel | Developer |
| 2026-01-16 | UXC-004: Created BinaryDiffPanelComponent with scope navigation | Developer |
| 2026-01-16 | UXC-005: Integrated scope selector into BinaryDiffPanel | Developer |
| 2026-01-16 | UXC-006: Created FilterStripComponent with deterministic ordering | Developer |
| 2026-01-16 | UXC-007: Created SarifDownloadComponent for Export Center | Developer |
| 2026-01-16 | UXC-008: Created Playwright e2e tests: triage-card.spec.ts, binary-diff-panel.spec.ts, filter-strip.spec.ts, ux-components-visual.spec.ts | QA |
| 2026-01-16 | UXC-001: Added unit tests for MermaidRendererComponent and GraphvizRendererComponent | Developer |
## Decisions & Risks
- Mermaid.js version must be compatible with Angular 17
- GraphViz WASM may significantly increase the client bundle size
- Deterministic ordering requires careful implementation
- Accessibility requirements are non-negotiable
## Next Checkpoints
- Sprint kickoff: TBD (after CLI sprint dependencies complete)
- Mid-sprint review: TBD
- Sprint completion: TBD
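Review bot: UXC-007 declares `Dependency: Sprint 005 SCD-003`, but the Dependencies & Concurrency section lists only Sprints 006, 008 and 013; add Sprint 005 there so the dependency graph is complete. The same section says the sprint "Must wait for dependent CLI sprints to complete" and the kickoff is "TBD (after CLI sprint dependencies complete)", yet every task is DONE with 2026-01-16 log entries; either the wait condition is obsolete and should be dropped, or the components were built against mocked APIs and the tracker should say so.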
@@ -0,0 +1,159 @@
# Sprint 019 - Release Orchestration CLI
## Topic & Scope
- Surface release orchestration capabilities via CLI
- Add release lifecycle, promotion, rollback, hooks, and agent management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 13
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on ReleaseOrchestrator module being production-ready
## Documentation Prerequisites
- `docs/modules/releaseorchestrator/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 13)
- Release Orchestration service APIs
## Delivery Tracker
### REL-001 - Add `stella release create` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ReleaseCommandGroup.cs with `create` subcommand
- Create release bundles from environment configuration
- Support bundle signing and manifest generation
Completion criteria:
- [x] `stella release create --env <env> --version <version>` creates release bundle
- [x] Bundle includes environment manifest, artifacts, and signatures
- [x] Supports `--sign` option for bundle signing
- [x] Supports `--dry-run` for validation
- [x] Supports `--format json`
- [x] Supports `--output <path>`
### REL-002 - Add `stella release promote` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `promote` subcommand for environment promotion
- Support promotion from source to target environment
- Include approval gate validation
Completion criteria:
- [x] `stella release promote <release-id> --from <env> --to <env>` promotes release
- [x] Validates approval gates before promotion
- [x] Supports `--force` to bypass non-blocking gates
- [x] Supports `--dry-run` for promotion preview
- [x] Creates promotion attestation
- [x] Supports `--format json`
### REL-003 - Add `stella release rollback` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `rollback` subcommand for environment rollback
- Support rollback to previous release version
- Include safety validations
Completion criteria:
- [x] `stella release rollback <env> --to <release-id|version>` rolls back
- [x] Validates rollback target exists and is valid
- [x] Supports `--force` for emergency rollback
- [x] Creates rollback attestation
- [x] Supports `--reason <text>` for audit trail
### REL-004 - Add `stella release list/show` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `list` and `show` subcommands for release inspection
- List releases with filtering by environment and status
- Show detailed release information
Completion criteria:
- [x] `stella release list` returns release list
- [x] Supports `--env <env>` filter
- [x] Supports `--status pending|deployed|rolled-back` filter
- [x] `stella release show <release-id>` returns release details
- [x] Details include artifacts, attestations, promotion history
- [x] Supports `--format json|table`
### REL-005 - Add `stella release hooks list/run` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `hooks` subcommand group for hook management
- List configured pre/post deployment hooks
- Manually run hooks for testing
Completion criteria:
- [x] `stella release hooks list --env <env>` lists hooks
- [x] Output includes hook name, type (pre/post), script
- [x] `stella release hooks run <hook-id> --env <env>` runs hook
- [x] Supports `--dry-run` for hook validation
- [x] Supports `--format json|table`
### REL-006 - Add `stella agent status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create AgentCommandGroup.cs with `status` subcommand
- Report deployment agent status across environments
- Include health metrics and connectivity
Completion criteria:
- [x] `stella agent status` returns agent status for all environments
- [x] `stella agent status --env <env>` returns specific environment
- [x] Output includes agent type (Docker, Compose, ECS, Nomad)
- [x] Output includes connectivity status, last heartbeat
- [x] Supports `--format json|table`
### REL-007 - Add `stella release verify` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `verify` subcommand for release verification
- Verify release bundle integrity and signatures
- Run deployment verification tests
Completion criteria:
- [x] `stella release verify <release-id>` verifies release
- [x] Verifies bundle signatures and manifests
- [x] Optionally runs verification tests with `--tests`
- [x] Reports verification status
- [x] Supports `--format json`
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 13 | Planning |
| 2026-01-16 | REL-001 through REL-005, REL-007: Created ReleaseCommandGroup.cs | Developer |
| 2026-01-16 | REL-006: Created AgentCommandGroup.cs with status/list/health | Developer |
## Decisions & Risks
- Release orchestration module must be production-ready before CLI work
- Promotion commands affect production environments; require confirmation
- Agent connectivity depends on deployment infrastructure
## Next Checkpoints
- Sprint kickoff: TBD (after Release Orchestration module ready)
- Mid-sprint review: TBD
- Sprint completion: TBD
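Review bot: Decisions & Risks states that promotion commands "require confirmation", but neither REL-002 nor REL-003 has a completion criterion for it, and REL-002's `--force` bypasses gates without one; add a `--confirm` (or interactive prompt) criterion to both, matching the convention `stella zastava uninstall` and `stella registry delete` use in the sibling sprints. The REL-006 log entry says AgentCommandGroup.cs shipped `status/list/health`, but the tracker only specifies `status`; either add REL entries for `list` and `health` or trim the log entry.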
@@ -0,0 +1,124 @@
# Sprint 020 - Zastava K8s Webhooks CLI
## Topic & Scope
- Surface Kubernetes admission webhook capabilities via CLI
- Add installation, configuration, and status commands for Zastava
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, installation scripts
- Note: From FEATURE_GAPS_REPORT.md Batch 15 (Integrations)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on Zastava module
## Documentation Prerequisites
- `docs/modules/zastava/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 15)
- Kubernetes admission webhook specification
## Delivery Tracker
### ZAS-001 - Add `stella zastava install` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ZastavaCommandGroup.cs with `install` subcommand
- Generate Kubernetes manifests for admission webhook
- Support multiple installation modes
Completion criteria:
- [x] `stella zastava install` generates K8s manifests
- [x] Supports `--namespace <ns>` for target namespace
- [x] Supports `--mode validating|mutating|both`
- [x] Supports `--output <path>` for manifest output
- [x] Supports `--apply` to directly apply to cluster
- [x] Generates TLS certificates if needed
### ZAS-002 - Add `stella zastava configure` command
Status: DONE
Dependency: ZAS-001
Owners: Developer
Task description:
- Add `configure` subcommand for webhook configuration
- Configure policy enforcement rules
- Set image allow/deny lists
Completion criteria:
- [x] `stella zastava configure --policy <policy-id>` sets policy
- [x] Supports `--allow-registries <list>` for allowlist
- [x] Supports `--block-unsigned` to require signatures
- [x] Supports `--block-critical` to block critical CVEs
- [x] Configuration persists in ConfigMap
- [x] Supports `--format json`
### ZAS-003 - Add `stella zastava status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `status` subcommand for webhook health
- Report webhook registration and connectivity
- Include admission decision statistics
Completion criteria:
- [x] `stella zastava status` returns webhook status
- [x] Output includes registration status with API server
- [x] Output includes certificate expiration
- [x] Output includes admission statistics (allowed/denied/errors)
- [x] Supports `--namespace <ns>` filter
- [x] Supports `--format json|table`
### ZAS-004 - Add `stella zastava logs` command
Status: DONE
Dependency: ZAS-003
Owners: Developer
Task description:
- Add `logs` subcommand for webhook logs
- Stream or tail webhook pod logs
- Filter by admission decision type
Completion criteria:
- [x] `stella zastava logs` shows recent logs
- [x] Supports `--follow` for streaming
- [x] Supports `--since <duration>` for time filter
- [x] Supports `--decision allowed|denied|error` filter
- [x] Supports `--image <pattern>` to filter by image
### ZAS-005 - Add `stella zastava uninstall` command
Status: DONE
Dependency: ZAS-001
Owners: Developer
Task description:
- Add `uninstall` subcommand for webhook removal
- Remove webhook registration and resources
- Include safety confirmation
Completion criteria:
- [x] `stella zastava uninstall` removes webhook
- [x] Requires `--confirm` for safety
- [x] Supports `--namespace <ns>` for specific namespace
- [x] Removes ValidatingWebhookConfiguration/MutatingWebhookConfiguration
- [x] Optionally removes TLS secrets with `--remove-secrets`
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 15 | Planning |
| 2026-01-16 | ZAS-001 through ZAS-005: Created ZastavaCommandGroup.cs | Developer |
## Decisions & Risks
- K8s webhook installation requires cluster-admin permissions
- TLS certificate management adds complexity
- Webhook failures can block deployments; need failOpen option
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
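Review bot: the risk "Webhook failures can block deployments; need failOpen option" has no task behind it: ZAS-001 and ZAS-002 never mention the webhook's `failurePolicy`, which is what decides whether the API server fails open (`Ignore`) or closed (`Fail`) when Zastava is unreachable. Add a criterion to ZAS-001 (e.g. a `--fail-open` option mapping to `failurePolicy: Ignore`) and state the default explicitly, since a fail-closed admission webhook that goes down blocks every pod creation in the covered namespaces. ZAS-003 reports certificate expiration, but no command renews or rotates the certificates ZAS-001 generates; add a renew subcommand or note that rotation is out of scope.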
@@ -0,0 +1,124 @@
# Sprint 021 - TaskRunner CLI
## Topic & Scope
- Surface TaskRunner capabilities via CLI
- Add task execution, monitoring, and artifact management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 12 (Operations)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on TaskRunner service
## Documentation Prerequisites
- `docs/modules/taskrunner/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 12)
- TaskRunner service APIs
## Delivery Tracker
### TRN-001 - Add `stella taskrunner status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TaskRunnerCommandGroup.cs with `status` subcommand
- Report TaskRunner service health and capacity
- Include worker pool metrics
Completion criteria:
- [x] `stella taskrunner status` returns service status
- [x] Output includes service health (healthy/degraded/unhealthy)
- [x] Output includes worker count and capacity
- [x] Output includes queue depth
- [x] Supports `--format json|table`
### TRN-002 - Add `stella taskrunner tasks list/show` commands
Status: DONE
Dependency: TRN-001
Owners: Developer
Task description:
- Add `tasks` subcommand group for task inspection
- List tasks with filtering by status and type
- Show detailed task information
Completion criteria:
- [x] `stella taskrunner tasks list` returns task list
- [x] Supports `--status pending|running|completed|failed` filter
- [x] Supports `--type <task-type>` filter
- [x] Supports `--from` and `--to` time range
- [x] `stella taskrunner tasks show <task-id>` returns task details
- [x] Details include steps, timing, artifacts
- [x] Supports `--format json|table`
### TRN-003 - Add `stella taskrunner tasks cancel` command
Status: DONE
Dependency: TRN-002
Owners: Developer
Task description:
- Add `cancel` subcommand for task cancellation
- Cancel running or pending tasks
- Include graceful shutdown option
Completion criteria:
- [x] `stella taskrunner tasks cancel <task-id>` cancels task
- [x] Supports `--graceful` for graceful shutdown
- [x] Supports `--force` for immediate termination
- [x] Returns cancellation status
- [x] Only works on running/pending tasks
### TRN-004 - Add `stella taskrunner artifacts list/get` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `artifacts` subcommand group for artifact management
- List artifacts captured by tasks
- Download artifacts to local filesystem
Completion criteria:
- [x] `stella taskrunner artifacts list --task <task-id>` lists artifacts
- [x] Output includes artifact name, type, size, digest
- [x] `stella taskrunner artifacts get <artifact-id>` downloads artifact
- [x] Supports `--output <path>` for download location
- [x] Verifies artifact digest after download
- [x] Supports `--format json|table`
### TRN-005 - Add `stella taskrunner logs` command
Status: DONE
Dependency: TRN-002
Owners: Developer
Task description:
- Add `logs` subcommand for task log retrieval
- Stream or download task execution logs
- Filter by step and log level
Completion criteria:
- [x] `stella taskrunner logs <task-id>` shows task logs
- [x] Supports `--follow` for streaming
- [x] Supports `--step <step-name>` filter
- [x] Supports `--level error|warn|info|debug` filter
- [x] Supports `--output <path>` for log download
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 12 | Planning |
| 2026-01-16 | TRN-001 through TRN-005: Created TaskRunnerCommandGroup.cs | Developer |
## Decisions & Risks
- Task cancellation may leave resources in inconsistent state
- Artifact download may be slow for large artifacts
- Log streaming requires WebSocket or SSE support
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
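Review bot: TRN-003 lists both `--graceful` and `--force` without saying which is the default or whether they are mutually exclusive; state the default cancellation mode and that passing both is an error. TRN-004 "Verifies artifact digest after download" should also state what happens on mismatch (non-zero exit and the partial file removed); otherwise a truncated or tampered artifact can be left on disk looking like a successful download.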
@@ -0,0 +1,138 @@
# Sprint 022 - Registry CLI
## Topic & Scope
- Surface OCI registry authentication and token capabilities via CLI
- Add login, token management, and registry operations commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 14 (Auth & Access Control)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on Registry service
## Documentation Prerequisites
- `docs/modules/registry/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 14)
- OCI Distribution Spec, Docker Registry Auth
## Delivery Tracker
### REG-001 - Add `stella registry login` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create RegistryCommandGroup.cs with `login` subcommand
- Authenticate to OCI registry and store credentials
- Support multiple authentication methods
Completion criteria:
- [x] `stella registry login <registry-url>` authenticates
- [x] Supports `--username` and `--password` options
- [x] Supports `--password-stdin` for secure input
- [x] Supports `--token` for token-based auth
- [x] Stores credentials in secure credential store
- [x] Supports Docker config.json format
### REG-002 - Add `stella registry logout` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `logout` subcommand for credential removal
- Remove stored credentials for registry
- Support selective or all logout
Completion criteria:
- [x] `stella registry logout <registry-url>` removes credentials
- [x] `stella registry logout --all` removes all credentials
- [x] Confirms credential removal
- [x] Updates credential store
### REG-003 - Add `stella registry token` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `token` subcommand for token operations
- Generate tokens with specific scopes
- Inspect and validate tokens
Completion criteria:
- [x] `stella registry token generate --scope <scope>` generates token
- [x] Scopes: pull, push, catalog, admin
- [x] Supports `--expires <duration>` for token lifetime
- [x] `stella registry token inspect <token>` shows token details
- [x] `stella registry token validate <token>` validates token
- [x] Supports `--format json`
### REG-004 - Add `stella registry list` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `list` subcommand for repository listing
- List repositories in registry
- Support filtering and pagination
Completion criteria:
- [x] `stella registry list <registry-url>` lists repositories
- [x] Supports `--filter <pattern>` for filtering
- [x] Supports `--limit N` for pagination
- [x] Output includes repository name, tag count
- [x] Supports `--format json|table`
### REG-005 - Add `stella registry tags` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `tags` subcommand for tag listing
- List tags for a repository
- Include digest information
Completion criteria:
- [x] `stella registry tags <repository>` lists tags
- [x] Output includes tag name, digest, created date
- [x] Supports `--filter <pattern>` for filtering
- [x] Supports `--format json|table`
### REG-006 - Add `stella registry delete` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `delete` subcommand for manifest/tag deletion
- Delete tags or manifests from registry
- Include safety confirmation
Completion criteria:
- [x] `stella registry delete <repository>:<tag>` deletes tag
- [x] `stella registry delete <repository>@<digest>` deletes manifest
- [x] Requires `--confirm` for safety
- [x] Supports `--dry-run` for preview
- [x] Returns deletion status
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 14 | Planning |
| 2026-01-16 | REG-001 through REG-006: Created RegistryCommandGroup.cs with all commands | Developer |
## Decisions & Risks
- Credential storage must be secure (keychain, credential manager)
- Token generation requires appropriate permissions
- Delete operations are destructive; need strong confirmation
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
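Review bot: REG-001 accepts `--password` on the command line, which leaves the secret in shell history and visible to other users via the process list; since `--password-stdin` is already a criterion, add one that `--password` prints a warning (as `docker login` does) or is documented as discouraged. The same applies to REG-003, where `token inspect <token>` and `token validate <token>` take the token as a positional argument; accept it from stdin or a file as well. REG-005 also lacks the `--limit N` pagination that REG-004 has, which matters for repositories with many tags.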
@@ -0,0 +1,159 @@
# Sprint 023 - Evidence Holds & Incident Mode CLI
## Topic & Scope
- Surface evidence holds and incident mode capabilities via CLI
- Add legal hold management and incident response commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 10 (Evidence & Findings)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on EvidenceLocker and Findings services
## Documentation Prerequisites
- `docs/modules/evidence/architecture.md`
- `docs/modules/findings/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 10)
## Delivery Tracker
### EHI-001 - Add `stella evidence holds list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `holds` subcommand group in EvidenceCommandGroup.cs
- List active evidence holds
- Include hold metadata and scope
Completion criteria:
- [x] `stella evidence holds list` returns active holds
- [x] Output includes hold ID, name, created date, scope
- [x] Supports `--status active|released` filter
- [x] Supports `--format json|table`
### EHI-002 - Add `stella evidence holds create` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `create` subcommand for evidence hold creation
- Create legal holds on evidence artifacts
- Support various hold scopes
Completion criteria:
- [x] `stella evidence holds create --name <name> --scope <scope>` creates hold
- [x] Scopes: digest, component, time-range, all
- [x] Supports `--digest <digest>` for specific artifact
- [x] Supports `--component <purl>` for component-based hold
- [x] Supports `--from` and `--to` for time-range hold
- [x] Supports `--reason <text>` for audit trail
- [x] Returns hold ID
- [x] Supports `--format json`
### EHI-003 - Add `stella evidence holds release` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `release` subcommand for hold release
- Release evidence holds with audit trail
- Include safety confirmation
Completion criteria:
- [x] `stella evidence holds release <hold-id>` releases hold
- [x] Requires `--confirm` for safety
- [x] Supports `--reason <text>` for release reason
- [x] Creates audit log entry
- [x] Held evidence becomes eligible for retention policy
### EHI-004 - Add `stella evidence holds show` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `show` subcommand for hold details
- Display detailed hold information
- List affected artifacts
Completion criteria:
- [x] `stella evidence holds show <hold-id>` returns hold details
- [x] Output includes hold metadata
- [x] Output includes affected artifact count
- [x] Supports `--artifacts` to list affected artifacts
- [x] Supports `--format json|table`
### EHI-005 - Add `stella findings incident start` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create incident subcommand group in FindingsCommandGroup.cs
- Start incident mode for elevated response
- Configure incident parameters
Completion criteria:
- [x] `stella findings incident start --name <name>` starts incident
- [x] Supports `--severity critical|high|medium|low`
- [x] Supports `--scope <scope>` for affected area
- [x] Automatically creates evidence hold
- [x] Returns incident ID
- [x] Supports `--format json`
### EHI-006 - Add `stella findings incident status` command
Status: DONE
Dependency: EHI-005
Owners: Developer
Task description:
- Add `status` subcommand for incident status
- Report current incident state
- Include timeline and actions
Completion criteria:
- [x] `stella findings incident status` shows active incidents
- [x] `stella findings incident status <incident-id>` shows specific incident
- [x] Output includes incident timeline
- [x] Output includes actions taken
- [x] Supports `--format json|table`
### EHI-007 - Add `stella findings incident end` command
Status: DONE
Dependency: EHI-005
Owners: Developer
Task description:
- Add `end` subcommand for incident closure
- Close incident with resolution
- Include post-incident report option
Completion criteria:
- [x] `stella findings incident end <incident-id>` closes incident
- [x] Requires `--resolution <text>` for closure reason
- [x] Supports `--release-hold` to release associated hold
- [x] Supports `--report` to generate incident report
- [x] Creates audit log entry
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 10 | Planning |
| 2026-01-16 | EHI-001 through EHI-004: Created EvidenceHoldsCommandGroup.cs | Developer |
| 2026-01-16 | EHI-005 through EHI-007: Created IncidentCommandGroup.cs | Developer |
## Decisions & Risks
- Evidence holds have legal implications; require proper authorization
- Incident mode affects system behavior; document side effects
- Hold release is potentially irreversible; need strong confirmation
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
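Review bot: EHI-003 requires `--confirm` to release a hold, but EHI-007's `--release-hold` releases the incident's hold as a side effect of `incident end` with no confirmation criterion; given the risk entry that hold release is potentially irreversible, apply the same `--confirm` requirement there or state that `--release-hold` implies it. Also, EHI-001's task description places the holds group in EvidenceCommandGroup.cs and EHI-005 places incidents in FindingsCommandGroup.cs, while the Execution Log says EvidenceHoldsCommandGroup.cs and IncidentCommandGroup.cs were created; align the task descriptions with the files actually added.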
@@ -0,0 +1,250 @@
# Sprint 024 - FEATURE_MATRIX.md Documentation Updates
## Topic & Scope
- Address critical documentation gaps identified in FEATURE_GAPS_REPORT.md
- Update FEATURE_MATRIX.md to reflect actual codebase capabilities
- Working directory: `docs/`
- Expected evidence: Updated FEATURE_MATRIX.md, module dossiers
- Note: From FEATURE_GAPS_REPORT.md Summary section
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with CLI sprints
- Documentation-only sprint
## Documentation Prerequisites
- `docs/FEATURE_GAPS_REPORT.md` (all batches)
- `docs/FEATURE_MATRIX.md` (current state)
- Module architecture documents
## Delivery Tracker
### DOC-001 - Update Advisory Sources section (CRITICAL)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md Advisory Sources from 11 to 33+ connectors
- Add Vendor PSIRTs section (Microsoft, Oracle, Adobe, Apple, Cisco, Chromium, VMware)
- Add Regional CERTs section (JVN, ACSC, CCCS, CertFr, CertBund, CertIn, RU-BDU, KISA)
- Add Industrial/ICS section (ICS-CISA, ICS-Kaspersky)
- Add Additional Distros section (SUSE, Astra Linux)
Completion criteria:
- [x] All 33+ connectors documented with status (stable/beta/deprecated)
- [x] Authentication methods documented per connector
- [x] Regional/vendor/distro categorization clear
- [x] Links to connector-specific documentation
### DOC-002 - Update VEX Processing section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document VEX Consensus Engine (5-state lattice)
- Add Trust Weight Scoring (9 factors)
- Add CSAF Provider Connectors section (7 vendors)
- Document Issuer Trust Registry (IssuerDirectory)
- Document VEX Distribution (VexHub webhooks)
- Document AOC compliance
Completion criteria:
- [x] Consensus engine documented with state diagram
- [x] Trust factors listed and explained
- [x] CSAF connectors listed
- [x] Issuer registry capabilities documented
- [x] VEX from Drift generation documented
### DOC-003 - Update Attestation & Signing section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 25+ predicate types
- Add Keyless Signing (Sigstore) as major feature
- Document Key Rotation Service
- Document Trust Anchor Management
- Document Attestation Chains
- Document Delta Attestations
Completion criteria:
- [x] Predicate types listed with URIs
- [x] Keyless signing flow documented
- [x] Key rotation process documented
- [x] Trust anchor management documented
- [x] Attestation chain visualization explained
- [x] Delta attestation types documented
### DOC-004 - Update Auth & Access Control section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 75+ authorization scopes
- Add Sender Constraints (DPoP, mTLS)
- Document Device Authorization Flow
- Add User Federation (LDAP, SAML)
- Document PAR Support
- Add Multi-Factor Authentication
- Document API Key Management
Completion criteria:
- [x] Scope categories documented with examples
- [x] DPoP and mTLS explained
- [x] Device flow documented for CLI/IoT
- [x] Federation options listed
- [x] MFA capabilities documented
- [x] API key lifecycle documented
### DOC-005 - Update Policy Engine section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document K4 Lattice Logic (Belnap four-valued)
- Add Policy Gate Types section (10+ gates)
- Add Risk Score Providers section (6 providers)
- Document Determinization System
- Add Score Policy Configuration
- Document Policy Simulation
- Add Verdict Attestations
Completion criteria:
- [x] K4 lattice explained with truth table
- [x] All gate types listed with purposes
- [x] Risk providers documented
- [x] Signal weights and decay documented
- [x] YAML policy configuration examples
- [x] Simulation capabilities documented
### DOC-006 - Update Regional Crypto section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 8 signature profiles
- Add Plugin Architecture description
- Document Multi-Profile Signing
- Add SM Remote Service
- Document Post-Quantum Readiness
- Add HSM Integration details
- Document CryptoPro GOST
Completion criteria:
- [x] All 8 profiles documented with algorithms
- [x] Plugin system explained
- [x] Multi-signature capability documented
- [x] SM service for Chinese market explained
- [x] Post-quantum algorithms listed (planned)
- [x] HSM/PKCS#11 configuration documented
### DOC-007 - Update Notifications section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 10 notification channel types
- Add Template Engine section
- Document Channel Routing rules
- Add Escalation Rules
- Document Notification Studio
- Add K8s Admission Webhooks (Zastava)
- Document SCM Integrations
- Add CI/CD Integrations
- Document Issue Tracker Integration
Completion criteria:
- [x] All 10 channel types documented
- [x] Template customization explained
- [x] Routing rule configuration documented
- [x] Escalation policies documented
- [x] Studio UI capabilities listed
- [x] Zastava webhook explained
- [x] SCM/CI/CD integrations listed
### DOC-008 - Update Binary Analysis section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 4 fingerprint algorithm types
- Add corpus support (Alpine, Debian)
- Document VEX Evidence Bridge
- Add Delta Signature matching
- Document 3-tier identification strategy
Completion criteria:
- [x] All fingerprint algorithms explained
- [x] Corpus sources documented
- [x] VEX integration explained
- [x] Delta signature use cases documented
- [x] Identification strategy flow documented
### DOC-009 - Add Automatic Detection (Class A) section
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Create section for automatic/implicit features
- Document secrets detection
- Document OS package analyzers (6 types)
- Document SBOM advisory matching
- Explain where results appear in UI/exports
Completion criteria:
- [x] Automatic detection section created
- [x] Secrets detection documented
- [x] All 6 OS analyzers listed
- [x] Advisory matching explained
- [x] Result locations documented
### DOC-010 - Update Coverage Statistics and Index
Status: DONE
Dependency: DOC-001 through DOC-009
Owners: Documentation author
Task description:
- Update feature count statistics
- Add CLI/UI coverage indicators
- Create feature index with links
- Add "Last Updated" timestamp
Completion criteria:
- [x] Feature counts accurate
- [x] CLI/UI availability clearly marked
- [x] Index links to detailed sections
- [x] Timestamp reflects current update
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Summary | Planning |
| 2026-01-16 | DOC-001: Advisory Sources already comprehensive (33+ connectors) | Documentation author |
| 2026-01-16 | DOC-002: Enhanced VEX Processing with consensus engine, CSAF connectors, CLI commands | Documentation author |
| 2026-01-16 | DOC-003: Enhanced Attestation with 25+ predicates, keyless signing, attestation chains | Documentation author |
| 2026-01-16 | DOC-004: Enhanced Auth with 75+ scopes, DPoP, device flow, federation | Documentation author |
| 2026-01-16 | DOC-005: Enhanced Policy Engine with K4 lattice, 10+ gates, 6 risk providers | Documentation author |
| 2026-01-16 | DOC-006: Enhanced Regional Crypto with multi-profile, SM remote, HSM | Documentation author |
| 2026-01-16 | DOC-007: Enhanced Notifications with 10 channels, Zastava webhooks, CI/CD | Documentation author |
| 2026-01-16 | DOC-008: Binary Analysis already comprehensive with fingerprints, diff | Documentation author |
| 2026-01-16 | DOC-009: Automatic Detection already documented in Scanning section | Documentation author |
| 2026-01-16 | DOC-010: Updated rev to 5.1, timestamp to 16 Jan 2026 | Documentation author |
## Decisions & Risks
- Documentation must stay synchronized with code changes
- Large update may require staged rollout
- Need review process to ensure accuracy
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD
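Review bot: in the Execution Log table, the "Sprint created" row is dated 2026-01-17 while every DOC-001 to DOC-010 row below it is dated 2026-01-16, so either the creation date is wrong or the table is not in chronological order; correct the date (or sort the rows) so the log works as an audit trail. Related: DOC-001, DOC-008 and DOC-009 are logged as "already comprehensive" / "already documented", meaning no change was made, yet every completion criterion under them is ticked, and the Next Checkpoints block still reads TBD for a sprint in which all ten tasks are DONE; note under the ticked criteria what was verified rather than changed, and either fill in the checkpoints or drop the block.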

@@ -0,0 +1,647 @@
# Product Advisory: Interface Surfacing Strategy for “Hidden” Backend Capabilities
ID: ADVISORY-20260116-IFACE-SURFACING
Status: ACTIVE
Owner intent: Product-wide directive
Applies to: FEATURE_MATRIX.md, CLI, Web UI, Doctor, module dossiers, sprints
## 0) Why this advisory exists
The Feature Gaps Report shows a typical problem in fast-moving monorepos:
- capabilities exist in code,
- but are not surfaced in CLI/UI,
- and therefore are not usable, not supportable, and not credibly marketable.
This product advisory is based features discovered and documented on file FEATURE_GAPS_REPORT.md in code but not listed in FEATURE_MATRIX.md
Therefore, interface work must do two things:
1) reduce support burden (“Doctor-first operability”), and
2) strengthen the suites moat (evidence-grade decisions, explainability, determinism).
This advisory defines which backend capabilities should be surfaced via **CLI** and/or **UI**, and the minimal “how” to do it.
---
## 1) Non-negotiable principles (solo-scale rules)
### P1: No “capability theatre”
If a capability is claimed in FEATURE_MATRIX.md as “available”, it must have:
- a supported activation path (**UI or CLI or config + Doctor validation**), and
- documentation that explains how to use it.
If not, it must be marked as:
- **Automatic (always-on)**, or
- **Internal (not supported / not marketed)**, or
- **Planned**.
### P2: Prefer “exports” and “inspectors” over new UI pages
To avoid UI explosion, surface many capabilities as:
- **Export profiles** (downloadable artifacts)
- **Inspector views** (read-only detail panes)
- **Minimal admin actions** (rotate key, test connector, download SARIF)
Avoid building bespoke UI workflows unless they materially reduce operator labor.
### P3: CLI is the control plane for automation and air-gap
Anything used in:
- CI,
- offline operations,
- bulk admin,
- reproducibility / debugging,
must have a CLI path.
UI is for:
- day-to-day operator workflows,
- triage,
- explainability (“why blocked?”),
- visualizations.
### P4: Doctor-first for support reduction
If a feature is likely to generate tickets (connectors, crypto, queues, replay),
it must have:
- a Doctor check (and a Doctor bundle payload),
- deterministic “reason codes” for failures,
- a runbook entry.
### P5: Progressive disclosure
Dont overwhelm users with advanced controls.
Expose:
- simple defaults in UI,
- advanced knobs in CLI/config,
- deep internals only in Doctor bundles.
---
## 2) Decision rubric: UI vs CLI vs Doc-only
Classify each discovered capability into exactly one of these:
### Class A — Automatic (Doc-only)
Use when the capability:
- runs implicitly as part of scan/policy/evidence workflows, and
- doesnt require user input to be valuable.
Requirement:
- Document it in FEATURE_MATRIX.md as **Automatic**.
- Ensure its outcomes show up in existing UI/exports (e.g., findings detail, evidence packet).
Examples:
- Secrets detection that runs during scan
- OS package analyzers invoked implicitly
- Symlink/whiteout handling in layered filesystem
### Class B — CLI-first (automation/admin/offline)
Use when the capability:
- is primarily an operator/admin action,
- is needed in automation/CI,
- is needed offline,
- or is a bulk/advanced workflow.
Requirement:
- Add CLI commands with `--format json` and `--output`.
- Update docs with copy/paste examples.
- Add Doctor checks if it can fail due to environment dependencies.
Examples:
- SBOM convert/validate
- Key rotation, trust anchors
- Policy verdict export
- Timeline/HLC inspection
### Class C — UI-first (triage/explainability)
Use when the capability:
- improves human decision-making,
- reduces triage effort,
- is part of “why blocked/approved”.
Requirement:
- Add a minimal UI surface (read-only or download action).
- Provide deterministic “reason” traces and evidence links.
Examples:
- Path witness visualization for reachability
- SARIF download in the UI
- Connector status dashboard
### Class D — Both (high-value + frequent usage)
Use when the capability:
- is used in pipelines (CLI), and
- is also used in investigations/audits (UI).
Examples:
- Audit bundle export
- VEX consensus/verification
- Evidence packs
### Class E — Internal (do not surface yet)
Use when the capability:
- is not stable enough to support,
- would multiply permutations,
- or is not aligned with current product focus.
Requirement:
- Do not list as a primary feature in FEATURE_MATRIX.md.
- It may remain in a “Known internal capabilities” appendix for engineering only.
---
## 3) Priority: what to surface first (P0/P1/P2)
### P0 (must surface) — Moat + Support reduction
These directly improve “why blocked?”, auditability, operability, and adoption.
#### P0-1: Exports and evidence surfaces
- Add/standardize CLI:
- `stella export audit ...`
- `stella export lineage ...`
- `stella export risk ...`
- `stella export evidence-pack ...`
- UI: ensure Export Center supports:
- download audit bundles,
- download lineage evidence packs,
- download risk bundles.
Acceptance:
- Export outputs are deterministic, versioned, and include a manifest with hashes.
- Doctor validates export prerequisites (storage, permissions, disk space).
#### P0-2: “Why blocked?” explainability completeness
- CLI:
- `stella score explain <digest|runId> --format json`
- `stella reachability witness <digest> --vuln <cve> --format mermaid|json`
- `stella reachability guards <digest> --format json`
- UI:
- add “Witness Path” view for reachable findings (Mermaid/GraphViz render),
- show confidence breakdown (path/guard/runtime components),
- link to evidence URIs (`stella://...`) and replay manifests where available.
Acceptance:
- For any blocked decision, UI can show:
- which gate blocked,
- what evidence triggered it,
- and at least one witness or explanation trace.
#### P0-3: SARIF in UI (high adoption win)
- UI: add “Download SARIF” for a scan run and/or digest.
- CLI already exists (`stella scan sarif`).
Acceptance:
- UI downloads match CLI outputs (same schema/version).
- Exports include metadata (digest, scan time, policy profile id).
#### P0-4: Concelier connector truth (reduce ticket load)
- Docs: update FEATURE_MATRIX.md to reflect connector reality (33+ connectors).
- UI: add a “Feeds & Connectors Status” page:
- list connectors, last success, last error, next scheduled run (if applicable),
- link to logs and Doctor bundle instructions.
- CLI:
- `stella db status`
- `stella db connectors list`
- `stella db connectors test <name>`
Acceptance:
- Any ingestion failure has a reason code and remediation hint.
---
### P1 (next) — Admin confidence + advanced workflows
These increase operational safety and enterprise readiness without large UI build.
#### P1-1: SBOM lineage CLI parity (UI already exists)
- Add:
- `stella sbom lineage list`
- `stella sbom lineage show <id>`
- `stella sbom lineage export <id> --format json|spdx|cdx`
#### P1-2: VEX operational completeness
- CLI:
- `stella vex verify <doc>`
- `stella vex evidence export <digest|component>`
- `stella vex webhooks list/add/remove`
- `stella issuer keys list/create/rotate/revoke`
- UI:
- minimal webhook management screen (list + add/remove),
- issuer keys page can remain UI-only if already present, but CLI needed for automation.
#### P1-3: Policy debug and portability
- CLI:
- `stella policy lattice explain ...`
- `stella policy verdicts export ...`
- `stella policy promote ...` (if promotion pipeline exists)
- UI:
- add “download verdict” and “download decision capsule” actions in policy and release views.
#### P1-4: Auth/admin CLI coverage
- Add CLI wrappers for UI-only admin tasks:
- `stella auth clients list/create/...`
- `stella auth roles ...`
- `stella auth scopes list`
- `stella auth token inspect`
- `stella auth api-keys ...`
---
### P2 (later) — Nice-to-have / heavy UI
These can be strong, but risk expanding support and UI scope.
- BinaryIndex corpus ingestion UI
- Fingerprint visualization UI
- Evidence holds (legal hold) management UI
- Incident mode workflows and dashboards beyond a basic toggle + export hooks
- Full timeline UI (unless needed for core workflows)
---
## 4) Mapping: discovered gaps -> recommended surfacing
This section is the “agent checklist”.
### Batch 1: SBOM & ingestion
- SPDX 3.0 Build Attestation
- Class: D (Both) if used for audits; otherwise B (CLI-first)
- CLI: `stella attest build --format spdx3 --output ...`
- UI: Export Center adds “Build Attestation (SPDX 3.0)”
- CycloneDX CBOM Support
- Class: B (CLI-first) + Doc
- CLI: `stella sbom export --type cbom --format cdx`
- Layer SBOM composition
- Class: B (CLI-first) + Doc
- Ensure docs explain when/why layer SBOM is useful (base image triage, provenance).
- SBOM advisory matching
- Class: A (Automatic) + UI visibility
- UI: show “matched advisory sources” in SBOM/finding details; doc-only if already visible.
- Graph lineage service (UI exists)
- Class: B (CLI-first) to match UI
- CLI: `stella graph lineage show <digest|purl>`
- SBOM validation pipeline / format conversion
- Class: B (CLI-first)
- CLI: `stella sbom validate`, `stella sbom convert`
- Trivy DB export (offline)
- Class: B (CLI-first) + optional UI under Offline Kit
- UI: optional “download trivy db” action if it reduces ticket load.
### Batch 2: scanning & detection
- Secrets detection, OS analyzers
- Class: A (Automatic) + Document
- Update FEATURE_MATRIX.md: “runs during scan; shown in findings”.
- Symbol-level vulnerability matching
- Class: C (UI-first) if it materially improves triage
- UI: “Symbol match” tab in finding detail (no heavy workflow).
- SARIF export
- Class: D (Both)
- Add UI download.
- Concurrent worker config
- Class: B (CLI-first)
- CLI: `stella scanner workers set/get` or `stella scan run --workers N`.
### Batch 3: reachability analysis
- Confidence calculator / EWS explanation
- Class: D (Both)
- CLI: `stella score explain`, `stella reachability explain`
- UI: confidence breakdown and witness.
- Path witness generation
- Class: C (UI-first) + keep CLI support
- UI: render witness (Mermaid/GraphViz).
- Runtime signal correlation
- Class: B (CLI-first) to complement UI
- CLI: `stella signals inspect <digest|runId>`
- Gate detection (guards)
- Class: B (CLI-first) + UI is already present
- CLI: `stella reachability guards <digest>`.
### Batch 4: binary analysis
- Keep CLI-first; avoid UI until demanded.
- Add minimal doc + optional UI download links (export fingerprint result) later.
### Batch 5: advisory sources / Concelier
- Primary action: documentation correction + connector status.
- UI: Feeds & Connectors Status page (P0).
- CLI: connector list/status/test.
### Batch 6: VEX processing
- P1: CLI for verify/evidence export/webhooks/issuer keys.
- UI: minimal webhook mgmt + improve “consensus rationale” explainability.
### Batch 7: policy engine
- P1: CLI lattice explain, verdict export, risk provider config exposure (at least in docs + config validation + Doctor).
- UI: provide download actions; avoid building policy authoring wizard.
### Batch 8: attestation & signing
- Key rotation and trust anchors:
- Class: B (CLI-first), optionally UI later
- CLI: `stella keys rotate`, `stella trust-anchors add/list/remove`
- Predicate registry browser:
- Class: B (CLI-first)
- CLI: `stella attest predicates list`
- Signer audit logs:
- Class: B (CLI-first)
- CLI: `stella sign audit export`.
### Batch 9: regional crypto
- Crypto profiles and plugin health:
- Class: B (CLI-first)
- CLI: `stella crypto profiles list/select`, `stella crypto plugins status`
- Doctor checks required (HSM/PKCS#11 availability, cert chains, etc.)
### Batch 10: evidence & findings
- Audit bundle export:
- Class: D (Both)
- CLI: `stella export audit`
- UI: ensure its a first-class export action.
- Evidence holds / incident mode:
- Class: P2 unless required by early customers; keep as internal or config-only with docs.
### Batch 11: determinism & replay
- HLC inspection, timeline query, scoring explanation:
- Class: B (CLI-first) for diagnostics
- CLI: `stella hlc status`, `stella timeline query`, `stella score explain`.
### Batch 12: operations
- Where UI exists but CLI missing:
- Class: B (CLI-first)
- Add:
- `stella orchestrator jobs list/show/retry/cancel`
- `stella orchestrator deadletter list/show/replay`
- `stella scheduler preview`
### Batch 13: release orchestration
- (When release orchestration is shipped)
- Class: D (Both)
- CLI parity required:
- `stella release create/promote/rollback`
- `stella release hooks ...`
- `stella agent status`
### Batch 14: auth & access control
- Class: B (CLI-first)
- Add admin CLI wrappers for: scopes, clients, roles, api-keys, token inspect.
### Batch 15: notifications & integrations
- UI exists; add CLI for automation/testing:
- `stella notify channels list/test`
- `stella notify templates list/render`
- `stella integrations test`
- `stella notify preferences export/import`
---
## 5) Documentation requirements (must be done alongside surfacing)
When surfacing a capability:
1) Update FEATURE_MATRIX.md (and the correct category).
2) Update the relevant module dossier (`docs/modules/<module>/architecture.md` or a dedicated guide).
3) Add examples (copy/paste) for CLI usage and for UI navigation paths.
4) If the capability is automatic, document where its output appears.
Also: do not claim “UI support” if it is “API-only”.
---
## 6) Implementation pattern (avoid interface sprawl)
### Preferred UI patterns
- “Download” button for exportable artifacts (SARIF, audit bundle, evidence pack).
- “Inspector” panels inside existing pages (Findings detail, VEX detail, Policy detail).
- One consolidated “Ops” section for status dashboards.
- One consolidated “Integrations” section for connectors and tests.
### Preferred CLI patterns
- Command groups match product nouns:
- `stella sbom ...`
- `stella export ...`
- `stella vex ...`
- `stella policy ...`
- `stella auth ...`
- `stella keys ...`
- `stella reachability ...`
- `stella orchestrator ...`
- Every new CLI command must support:
- `--format json` (machine use)
- `--output <path>` (CI use)
- deterministic ordering and stable schemas
---
## 7) Definition of Done (interface surfacing)
For any interface surfacing task:
DOD-1: Feature matrix updated with correct classification (A/B/C/D/E)
DOD-2: CLI/UI path implemented (as required by classification)
DOD-3: Docs updated with copy/paste examples and screenshots where appropriate
DOD-4: Doctor coverage added if failures are environment-dependent
DOD-5: Determinism tests added if outputs are exported/signed/hashed
DOD-6: Reason codes and explainability exist for decision-related features
---
## 8) Immediate next sprints (recommended)
1) P0 exports completeness: Export Center + `stella export ...` standardization
2) P0 explainability: witness path UI + `stella score explain`
3) P0 SARIF UI download
4) P0 Feeds/connectors status UI + CLI
5) P1 SBOM lineage CLI parity
6) P1 VEX verify/evidence export + webhooks mgmt
7) P1 Policy debug + verdict export
8) P1 Admin CLI (auth/keys/crypto profiles)
Archive this advisory only when superseded by a newer interface strategy directive.
---
Heres a tight UX spec you can drop into StellaOps to make “prooffirst” triage obvious and quiet by default.
# Triage Card (Signed Evidence Card)
* **Purpose:** Show one issue = one verifiable proof bundle.
* **Header:** vuln id + package@version + scope (image/layer/path). Right side: **Risk chip** (score + reason).
* **Oneclick “Rekor Verify”:** Runs DSSE/Sigstore verify and expands to show:
* ✅ signature subject/issuer, ✅ timestamp, ✅ Rekor index + raw entry (copyable), ✅ digest(s).
* **Evidence chips:** OpenVEX status (affected/not_affected), patch proof (binary/backport), reachability (stack path), EPSS band.
* **Actions:** “Explain” (AI note), “Create task,” “Mute (reasoned),” “Export evidence (.dsse)”.
* **Microinteractions:**
* Hover on chips → minitooltip with why.
* Copy icons on digests/Rekor IDs.
* Keyboard shortcuts: `v` verify, `e` export, `m` mute.
# BinaryDiff Panel
* **Purpose:** Prove fixes at the **binary** level, not just SBOM claims.
* **Scope selector:** `file → section → function`.
* **Layers:** Base vs candidate (or pre vs postpatch) with inline diff.
* **Hashes:** Perfile SHA256, persection, perfunction rolling hashes.
* **Context:** CWE + symbol names, addresses, and relocation notes.
* **Artifacts:**
* **Export “Signed Diff”** → DSSE envelope (hash map + metadata + signer + timestamp).
* Attach to the triage card as “Patch proof”.
* **Microinteractions:**
* Click on symbol in callgraph to jump to function diff.
* Toggle opcodes ⇄ decompiled view (if available).
* “Show only changed blocks” toggle.
# Quiet/Accessible Filter Strip
* **Purpose:** Deterministic, lownoise prioritization—no casino lights.
* **Precedence toggles (left→right strongest to weakest):**
1. **OpenVEX** (not_affected/affected)
2. **Patch proof present**
3. **Reachability** (callpath to runtime)
4. **EPSS** (≥ threshold)
* **Determinism:** When ties occur, sort by OCI digest, then path, then CVSS.
* **Controls:**
* EPSS slider; “Only reachable” checkbox; “Only with patch proof” checkbox.
* “Deterministic order” lock icon (on by default).
* **A11y:** Highcontrast theme, focus rings, full keyboard nav, prefersreducedmotion honored; all chips have arialabels.
* **Microinteractions:** Filters update counts without reflow; announcement region reads changes.
---
## Why this matters
* **Trustable triage:** Users see cryptographic evidence (signatures, Rekor entries, perfunction hashes), not just scanner claims.
* **Noisefree:** Precedence rules (OpenVEX → patch proof → reachability → EPSS) cut alert fatigue predictably.
* **Auditready:** Every click can emit an exportable **DSSEsigned** artifact for tickets, audits, and vendors.
---
## Minimal data model additions
* `EvidencePacket { sbom_ref, dsse_envelope, rekor_index, signer, timestamp }`
* `BinaryProof { file_hashes[], section_hashes[], function_hashes[], diff_summary }`
* `TriageMeta { openvex_status, reachability_path[], epss_score, precedence_tuple }`
---
## DonemeansDone checks
* Triage card verify shows **raw Rekor JSON** + signature details.
* Binarydiff export produces a DSSE file that reverifies offline.
* Filter strip yields identical ordering given the same inputs (golden test).
* Keyboardonly usage covers: open card, verify, export, toggle filters, navigate diffs.
Want me to turn this into three Figmaready wireframes (with exact layout specs and arialabels), or generate sample DSSE envelopes + Rekor verify outputs so your team can test endtoend?
--
Heres a tight, practical first pass for a **“doctor” setup wizard** that runs right after install and anytime from Settings → Diagnostics. It gives instant confidence that StellaOps is wired correctly, without needing full integrations configured.
---
# What the “doctor” does (in plain terms)
It runs a few lightweight health checks to confirm your system can:
* talk to its database,
* reach its attestation store (for signed proofs),
* verify a sample artifact endtoend (SBOM + VEX).
If these pass, your install is sound and you can add integrations later at your pace.
---
# Mandatory checks (first pass)
1. **DB connectivity + schema version**
* **Why**: If the DB is unreachable or the schema is outdated, nothing else matters.
* **Checks**:
* TCP/connect to Postgres URI.
* `SELECT 1;` liveness.
* Read `schema_version` from `stella.meta` (or your flyway/liquibase table).
* Compare to the apps expected version; warn if migrations pending.
* **CLI sketch**:
```bash
stella doctor db \
--url "$STELLA_DB_URL" \
--expect-schema "2026.01.0"
```
* **Pass criteria**: reachable + current (or actionable “run migrations” hint).
2. **Attestation store availability (Rekor/Cosign)**
* **Why**: Stella relies on signed evidence; if the ledger/store isnt reachable, you cant prove integrity.
* **Checks**:
* Resolve/HTTP 200 for Rekor base URL (or your mirror).
* Cosign key material present (KMS, keyless, or offline bundle).
* Clock skew sanity (<5s) for signature verification.
* **CLI sketch**:
```bash
stella doctor attest \
--rekor-url "$STELLA_REKOR_URL" \
--cosign-key "$STELLA_COSIGN_KEY" \
--mode "online|offline"
```
* **Pass criteria**: ledger reachable (or offline bundle found) + keys valid.
3. **Artifact verification pipeline run (SBOM + VEX sample)**
* **Why**: Proves the *whole* trust path works—fetch, verify, evaluate policy.
* **Checks**:
* Pull a tiny, known test artifact by **digest** (immutable).
* Verify signature/attestations (DSSE in Rekor or offline bundle).
* Fetch/validate **SBOM** (CycloneDX/SPDX) and a sample **VEX**.
* Run policy engine: “nogo if critical vulns without VEX justification.”
* **CLI sketch**:
```bash
stella doctor verify \
--artifact "oci://registry.example/test@sha256:deadbeef..." \
--require-sbom \
--require-vex
```
* **Pass criteria**: signature + SBOM + VEX validate; policy engine returns ✅.
---
# Output & UX
* **Onescreen summary** with green/yellow/red statuses and terse fixes.
* **Copypaste remediations** (DB URI example, Rekor URL, cosign key path).
* **Evidence links** (e.g., “View attestation entry” or “Open policy run”).
* **Export**: `stella doctor --json > doctor-report.json` for support.
---
# Where this fits in the installer/wizard
* **UI & CLI** both follow the same steps:
1. DB setup → quick migration → **Doctor: DB**
2. Choose attestation mode (Rekor/cosign keyless/offline bundle) → **Doctor: Attest**
3. Minimal “verification pipeline” config (test registry creds or bundled sample) → **Doctor: Verify**
* Each step has **defaults** (Postgres + Rekor URL + bundled demo artifact) and a **“Skip for now”** with a reminder tile in Settings → Integrations.
---
# Failure → Suggested fixes (examples)
* **DB schema mismatch** → “Run `stella migrate up` to 2026.01.0.”
* **Rekor unreachable** → “Check DNS/proxy; or switch to Offline Attestations in Settings.”
* **Cosign key missing** → “Add key (KMS/file) or enable keyless; see Keys → Add.”
* **SBOM/VEX missing** → “Enable Generate SBOM on build and Collect VEX from vendors, or load a demo bundle.”
---
# Next steps (beyond first pass)
* Optional checks the wizard can add later:
* **Registry** reachability (pull by digest).
* **Settings store** (Valkey cache reachability).
* **Notifications** (send test webhook/email).
* **SCM/Vault/LDAP** plugin stubs: ping + auth flow (but not required to pass install).
If you want, I can turn this into:
* a readytoship **CLI command spec**,
* a **UI wireframe** of the three-step doctor,
* or **JSON schemas** for the doctors machinereadable report.
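Review bot: from the line beginning "Heres a tight UX spec you can drop into StellaOps" onward, the advisory pastes in three conversational drafts, including the offers "Want me to turn this into three Figmaready wireframes" and "If you want, I can turn this into:", separated by a bare "--"; an ACTIVE product-wide directive should not carry assistant chatter, so fold the Triage Card, Binary-Diff Panel, Filter Strip and Doctor wizard material into numbered sections matching the 0) to 8) structure above and delete the offers. Two further points in the same hunk: lineage is surfaced under two different command groups, `stella graph lineage show <digest|purl>` in Batch 1 versus `stella sbom lineage list/show/export` in P1-1, which the "Command groups match product nouns" rule in section 6 should settle before either is implemented; and the Doctor report exported "for support" with `stella doctor --json > doctor-report.json` is built from inputs such as `--url "$STELLA_DB_URL"` and `--cosign-key "$STELLA_COSIGN_KEY"`, so the spec should state that connection strings (which may embed credentials), key material paths and tokens are redacted before that JSON leaves the host.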