stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

todays product advirories implemented

Browse Source
This commit is contained in:
master
2026-01-16 23:30:47 +02:00
parent 91ba600722
commit 77ff029205
174 changed files with 30173 additions and 1383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
docs-archived/implplan/SPRINT_20260117_004_CLI_sbom_ingestion.md Normal file
View File

@@ -0,0 +1,137 @@
# Sprint 004 - SBOM & Ingestion CLI
## Topic & Scope
- Surface SBOM and ingestion capabilities via CLI to match UI parity
- Enable SPDX 3.0 build attestation, CycloneDX CBOM, lineage commands, and format conversion
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with `--format json` support, unit tests with frozen fixtures
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 005-017
- Depends on existing SbomCommandGroup.cs and GraphCommandGroup.cs
## Documentation Prerequisites
- `docs/modules/sbom/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 1)
- Existing CLI patterns in `src/Cli/StellaOps.Cli/Commands/`
## Delivery Tracker
### SBI-001 - Add `stella attest build --format spdx3` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend AttestCommandGroup.cs to support SPDX 3.0 build attestation format
- Add `--format spdx3` option alongside existing formats
- Wire to attestation service for SPDX 3.0 envelope generation
Completion criteria:
- [x] `stella attest build --format spdx3 --output build.att` produces valid SPDX 3.0 attestation
- [x] Output validates against SPDX 3.0 schema
- [x] Unit tests with frozen fixture
### SBI-002 - Add `stella sbom export --type cbom --format cdx` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend SbomCommandGroup.cs to support Cryptographic BOM (CBOM) export
- Add `--type cbom` option to export command
- Wire to SBOM service for CBOM generation in CycloneDX format
Completion criteria:
- [x] `stella sbom export --type cbom --format cdx` produces valid CBOM
- [x] CBOM includes cryptographic asset inventory
- [x] Unit tests with frozen fixture
### SBI-003 - Add `stella sbom lineage list/show/export` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add lineage subcommand group to SbomCommandGroup.cs
- Implement `list` to show lineage entries
- Implement `show <id>` to display lineage details
- Implement `export <id> --format json|spdx|cdx` for lineage export
Completion criteria:
- [x] `stella sbom lineage list` returns lineage entries
- [x] `stella sbom lineage show <id>` displays lineage details
- [x] `stella sbom lineage export <id> --format json` produces valid export
- [x] All commands support `--format json` and `--output`
### SBI-004 - Enhance `stella sbom validate` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance existing validate command with additional validation rules
- Add `--strict` option for strict schema validation
- Add `--report` option for detailed validation report
Completion criteria:
- [x] `stella sbom validate --strict` performs comprehensive validation
- [x] Validation report includes specific issues and locations
- [x] Unit tests for various SBOM formats
### SBI-005 - Add `stella sbom convert` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add convert subcommand for SBOM format conversion
- Support SPDX to CycloneDX and vice versa
- Preserve semantic content during conversion
Completion criteria:
- [x] `stella sbom convert input.spdx --to cdx --output output.cdx.json`
- [x] `stella sbom convert input.cdx.json --to spdx --output output.spdx.json`
- [x] Round-trip conversion preserves essential data
- [x] Unit tests with frozen fixtures
### SBI-006 - Add `stella graph lineage show <digest|purl>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add lineage show command to GraphCommandGroup.cs
- Support lookup by digest or purl
- Wire to Graph service for lineage traversal
Completion criteria:
- [x] `stella graph lineage show sha256:abc...` returns lineage graph
- [x] `stella graph lineage show pkg:npm/express@4.18.2` returns lineage
- [x] Output supports `--format json|graphson|mermaid`
- [x] Unit tests with frozen fixture
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 1 | Planning |
| 2026-01-16 | SBI-005: Added `stella sbom convert` command to SbomCommandGroup.cs | Developer |
| 2026-01-16 | SBI-005: Added deterministic sbom convert tests with fixtures | Developer |
| 2026-01-16 | SBI-002: Added `stella sbom export --type cbom` command | Developer |
| 2026-01-16 | SBI-003: Added `stella sbom lineage list/show/export` commands | Developer |
| 2026-01-16 | SBI-004: Enhanced `stella sbom validate` with --strict and --report | Developer |
| 2026-01-16 | SBI-002, SBI-004: Added unit tests for CBOM export and SBOM validate | Developer |
| 2026-01-16 | SBI-006: Added `stella graph lineage show` command with tests and docs | Developer |
| 2026-01-16 | SBI-001: Added `stella attest build --format spdx3` command with tests | Developer |
## Decisions & Risks
- SPDX 3.0 schema may still be evolving; pin to specific version
- CBOM support requires cryptographic asset detection in scanner
- Lineage commands depend on Graph service availability
- Docs updated: [docs/modules/cli/guides/commands/reference.md](docs/modules/cli/guides/commands/reference.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

118
docs-archived/implplan/SPRINT_20260117_005_CLI_scanning_detection.md Normal file
View File

@@ -0,0 +1,118 @@
# Sprint 005 - Scanning & Detection CLI
## Topic & Scope
- Document automatic scanning capabilities and enhance SARIF export
- Add worker configuration commands for scanner performance tuning
- Working directory: `src/Cli/`, `docs/`
- Expected evidence: Updated FEATURE_MATRIX.md, enhanced CLI commands, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004, 006-017
- Sprint 018 (FE) depends on this sprint for SARIF metadata
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 2)
- Existing ScanCommandGroup.cs patterns
## Delivery Tracker
### SCD-001 - Document secrets detection as Automatic in FEATURE_MATRIX
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md to classify secrets detection as "Automatic (Class A)"
- Document that secrets detection runs implicitly during scan
- Explain where detection results appear in UI/exports
Completion criteria:
- [x] FEATURE_MATRIX.md updated with secrets detection entry
- [x] Entry marked as "Automatic" with explanation
- [x] Links to findings detail where results appear
### SCD-002 - Document OS analyzers as Automatic in FEATURE_MATRIX
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md to classify OS package analyzers as "Automatic (Class A)"
- Document supported package managers (apk, apt, yum, etc.)
- Explain where analyzer results appear in UI/exports
Completion criteria:
- [x] FEATURE_MATRIX.md updated with OS analyzers entry
- [x] Entry marked as "Automatic" with supported package managers
- [x] Links to SBOM/findings where results appear
### SCD-003 - Enhance SARIF export with metadata
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance SARIF export to include additional metadata
- Add digest, scan time, and policy profile ID to SARIF output
- Ensure schema compliance with SARIF 2.1.0
Completion criteria:
- [x] SARIF export includes `digest` in properties
- [x] SARIF export includes `scanTimestamp`
- [x] SARIF export includes `policyProfileId`
- [x] Output validates against SARIF 2.1.0 schema
- [x] Unit tests with frozen fixture
### SCD-004 - Add `stella scanner workers set/get` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add workers subcommand group to ScannerCommandGroup.cs
- Implement `get` to show current worker configuration
- Implement `set` to configure worker count and pool settings
Completion criteria:
- [x] `stella scanner workers get` displays current configuration
- [x] `stella scanner workers set --count N` updates worker count
- [x] Configuration persists across restarts
- [x] Unit tests for configuration commands
### SCD-005 - Add `stella scan run --workers N` option
Status: DONE
Dependency: SCD-004
Owners: Developer
Task description:
- Add `--workers` option to scan run command
- Allow per-scan override of worker count
- Document performance implications
Completion criteria:
- [x] `stella scan run --workers 4 <image>` uses 4 workers
- [x] Option documented in `--help` output
- [x] Validation prevents invalid worker counts
- [x] Unit tests for worker option
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 2 | Planning |
| 2026-01-16 | SCD-001, SCD-002: Updated FEATURE_MATRIX.md with Automatic Detection (Class A) section | Documentation author |
| 2026-01-16 | SCD-001, SCD-002: Added links to findings/SBOM detail docs | Documentation author |
| 2026-01-16 | SCD-003: Added SARIF metadata injection and unit test coverage | Developer |
| 2026-01-16 | SCD-004: Added scanner workers get/set with persisted config and tests | Developer |
| 2026-01-16 | SCD-005: Added scan run --workers option with validation and tests | Developer |
## Decisions & Risks
- Worker count changes may impact memory usage
- SARIF metadata additions must be backwards compatible
- Documentation tasks can be done independently
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

157
docs-archived/implplan/SPRINT_20260117_006_CLI_reachability_analysis.md Normal file
View File

@@ -0,0 +1,157 @@
# Sprint 006 - Reachability Analysis CLI
## Topic & Scope
- Complete "why blocked?" explainability via CLI commands
- Add score explanation, witness path, guards inspection, and signal inspection
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with deterministic outputs, unit tests with frozen fixtures
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-005, 007-017
- Sprint 018 (FE) depends on this sprint for API contracts
## Documentation Prerequisites
- `docs/modules/reachability/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 3)
- Existing ReachabilityCommandGroup.cs patterns
## Delivery Tracker
### RCA-001 - Add `stella score explain <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ScoreCommandGroup.cs or extend existing score commands
- Add `explain` subcommand that takes a digest argument
- Wire to RiskEngine score explanation API
- Output factor breakdown (base, CVSS, reachability adjustments, VEX)
Completion criteria:
- [x] `stella score explain sha256:abc...` returns score breakdown
- [x] Breakdown includes base score, CVSS, reachability factor, VEX adjustments
- [x] Output supports `--format table|json|markdown`
- [x] Unit tests with deterministic score explanations
### RCA-002 - Add `stella reachability explain <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `explain` subcommand to ReachabilityCommandGroup.cs
- Return overall reachability assessment with reasoning
- Include confidence score and contributing factors
Completion criteria:
- [x] `stella reachability explain sha256:abc...` returns assessment
- [x] Output includes confidence score (0-100)
- [x] Output lists contributing factors (call paths, guards, runtime signals)
- [x] Supports `--format json` for machine consumption
### RCA-003 - Add `stella reachability witness <digest> --vuln <cve>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `witness` subcommand to ReachabilityCommandGroup.cs
- Generate path witness for a specific CVE
- Support multiple output formats including Mermaid for visualization
Completion criteria:
- [x] `stella reachability witness sha256:abc... --vuln CVE-2024-1234` returns witness
- [x] Witness includes call path from entry point to vulnerable function
- [x] Supports `--format mermaid|json|graphson`
- [x] Mermaid output can be rendered in UI
- [x] Unit tests with frozen witness outputs
### RCA-004 - Add `stella reachability guards <digest>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `guards` subcommand to ReachabilityCommandGroup.cs
- List detected security guards that affect reachability
- Include guard type, location, and effectiveness
Completion criteria:
- [x] `stella reachability guards sha256:abc...` lists guards
- [x] Output includes guard type (input validation, auth check, etc.)
- [x] Output includes location (file, function)
- [x] Supports `--cve <cve-id>` to filter guards relevant to specific CVE
- [x] Supports `--format table|json`
### RCA-005 - Add `--format mermaid|json|graphson` options
Status: DONE
Dependency: RCA-003, RCA-004
Owners: Developer
Task description:
- Ensure all reachability commands support consistent format options
- Add Mermaid format for visualization
- Add GraphSON format for graph database compatibility
Completion criteria:
- [x] All reachability commands support `--format` option
- [x] Mermaid output is valid Mermaid syntax
- [x] GraphSON output is valid GraphSON 3.0
- [x] JSON output has stable, documented schema
### RCA-006 - Add `stella signals inspect <digest|runId>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `signals` command group with `inspect` subcommand
- Return runtime signals collected for digest or run
- Include signal types, timestamps, and correlation data
Completion criteria:
- [x] `stella signals inspect sha256:abc...` returns signals
- [x] `stella signals inspect run-123` returns signals for run
- [x] Output includes signal type, timestamp, source
- [x] Supports `--format json`
### RCA-007 - Unit tests with deterministic witness outputs
Status: DONE
Dependency: RCA-001 through RCA-006
Owners: QA / Test Automation
Task description:
- Create comprehensive unit tests for all reachability commands
- Use frozen fixtures for deterministic testing
- Ensure output stability for golden file comparisons
Completion criteria:
- [x] Unit tests for each new command
- [x] Frozen fixtures for witness paths
- [x] Golden file tests for output format stability
- [x] Tests pass in CI pipeline
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 3 | Planning |
| 2026-01-16 | RCA-001: Added `stella score explain` command to ScoreReplayCommandGroup.cs | Developer |
| 2026-01-16 | RCA-001: Added deterministic score explain tests | Developer |
| 2026-01-16 | RCA-002: Added `stella reachability explain` command | Developer |
| 2026-01-16 | RCA-003: Added `stella reachability witness` with mermaid/json/graphson output | Developer |
| 2026-01-16 | RCA-004: Added `stella reachability guards` command | Developer |
| 2026-01-16 | RCA-005: All reachability commands now support multiple output formats | Developer |
| 2026-01-16 | RCA-006: Created SignalsCommandGroup.cs with inspect/list/summary commands | Developer |
| 2026-01-16 | RCA-003, RCA-004, RCA-007: Added reachability witness/guards filters and tests | Developer |
## Decisions & Risks
- Mermaid format must be compatible with UI rendering library
- GraphSON version should align with existing graph infrastructure
- Witness generation may be computationally expensive; consider caching
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

106
docs-archived/implplan/SPRINT_20260117_007_CLI_binary_analysis.md Normal file
View File

@@ -0,0 +1,106 @@
# Sprint 007 - Binary Analysis CLI
## Topic & Scope
- Surface binary analysis capabilities via CLI (CLI-first, avoid UI until demanded)
- Add fingerprint export and binary diff commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, documentation updates
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-006, 008-017
- Lower priority (P2) - can be deferred if needed
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 4)
- Existing BinaryCommandGroup.cs patterns
## Delivery Tracker
### BAN-001 - Document binary analysis capabilities
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md with binary analysis capabilities
- Document fingerprint generation, corpus management, binary diff
- Classify as "CLI-first (Class B)" per advisory guidance
Completion criteria:
- [x] FEATURE_MATRIX.md includes binary analysis section
- [x] Each capability classified (A/B/C/D/E)
- [x] Usage examples provided
- [x] Links to CLI command documentation
### BAN-002 - Add `stella binary fingerprint export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `fingerprint export` subcommand to BinaryCommandGroup.cs
- Export fingerprint data for a binary artifact
- Support multiple output formats
Completion criteria:
- [x] `stella binary fingerprint export <artifact>` produces fingerprint
- [x] Output includes function hashes, section hashes, symbol table
- [x] Supports `--format json|yaml`
- [x] Supports `--output <path>`
- [x] Unit tests with frozen fixture
### BAN-003 - Add `stella binary diff <base> <candidate>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `diff` subcommand to BinaryCommandGroup.cs
- Compare two binary artifacts and report differences
- Output includes changed functions, added/removed symbols
Completion criteria:
- [x] `stella binary diff <base> <candidate>` produces diff report
- [x] Report includes function-level changes
- [x] Report includes symbol additions/removals
- [x] Supports `--format json|table`
- [x] Supports `--scope file|section|function` for granularity
- [x] Unit tests with frozen fixture
### BAN-004 - Add optional UI download links for fingerprint results
Status: DONE
Dependency: BAN-002
Owners: Developer
Task description:
- Ensure fingerprint export results can be downloaded from UI
- Add download link in Binary Index operations page
- Wire to existing Export Center infrastructure
Completion criteria:
- [x] UI displays fingerprint export option
- [x] Download produces same output as CLI command
- [x] Link available in Binary Index operations page
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 4 | Planning |
| 2026-01-16 | BAN-001: Updated FEATURE_MATRIX.md with Binary Analysis (Class B) documentation | Documentation author |
| 2026-01-16 | BAN-001: Added binary CLI command guide and links | Documentation author |
| 2026-01-16 | BAN-002: Added `stella binary fingerprint export` command with json/yaml output | Developer |
| 2026-01-16 | BAN-003: Added `stella binary diff` command with table/json format and scope options | Developer |
| 2026-01-16 | BAN-002, BAN-003: Added binary fingerprint export and diff unit tests | Developer |
| 2026-01-16 | BAN-004: Added Fingerprint Export tab to BinaryIndex ops UI with download functionality | Developer |
## Decisions & Risks
- Binary analysis is compute-intensive; exports may be slow for large binaries
- P2 priority means this sprint can be deferred if resources constrained
- UI integration is minimal per advisory guidance
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

124
docs-archived/implplan/SPRINT_20260117_008_CLI_advisory_sources.md Normal file
View File

@@ -0,0 +1,124 @@
# Sprint 008 - Advisory Sources / Concelier CLI
## Topic & Scope
- Surface connector status and health via CLI for reduced ticket load
- Update FEATURE_MATRIX.md with connector reality (33+ connectors)
- Working directory: `src/Cli/`, `docs/`
- Expected evidence: CLI commands, documentation updates, reason codes
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-007, 009-017
- Sprint 018 (FE) uses these APIs for connector status UI
## Documentation Prerequisites
- `docs/modules/concelier/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 5)
- Concelier/Feedser service APIs
## Delivery Tracker
### ASC-001 - Update FEATURE_MATRIX.md with 33+ connectors
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Audit Concelier connector implementations
- Update FEATURE_MATRIX.md with complete connector list
- Include connector status, supported operations, authentication methods
Completion criteria:
- [x] FEATURE_MATRIX.md lists all 33+ connectors
- [x] Each connector has status (stable, beta, deprecated)
- [x] Authentication methods documented per connector
- [x] Links to connector-specific documentation
### ASC-002 - Add `stella db status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create DbCommandGroup.cs with `status` subcommand
- Report database connectivity, schema version, migration status
- Include connection pool health metrics
Completion criteria:
- [x] `stella db status` returns database health
- [x] Output includes connection status (connected/disconnected)
- [x] Output includes schema version and expected version
- [x] Output includes migration status (up-to-date/pending)
- [x] Supports `--format json`
### ASC-003 - Add `stella db connectors list` command
Status: DONE
Dependency: ASC-002
Owners: Developer
Task description:
- Add `connectors list` subcommand to DbCommandGroup.cs
- List all configured advisory connectors with their status
- Support filtering by category
Completion criteria:
- [x] `stella db connectors list` returns connector list
- [x] Each entry includes: name, category, status, last sync, error count
- [x] Status includes: healthy, degraded, failed, disabled
- [x] Supports `--format table|json`
- [x] Supports `--category` filter
- [x] Supports `--status <filter>` to filter by status
### ASC-004 - Add `stella db connectors test <name>` command
Status: DONE
Dependency: ASC-003
Owners: Developer
Task description:
- Add `connectors test` subcommand
- Execute connectivity test for specified connector
- Report test results with timing
Completion criteria:
- [x] `stella db connectors test nvd` tests NVD connector
- [x] Output includes test result (pass/fail)
- [x] Output includes response time
- [x] On failure, includes error details
- [x] Supports `--timeout` option
### ASC-005 - Output with reason codes and remediation hints
Status: DONE
Dependency: ASC-002, ASC-003, ASC-004
Owners: Developer
Task description:
- Ensure all connector commands include reason codes for failures
- Add remediation hints for common failure modes
- Use deterministic reason code format
Completion criteria:
- [x] Failed connectors include reason code (e.g., CON_TIMEOUT_001)
- [x] Reason codes map to documented failure modes
- [x] Remediation hints provided for each reason code
- [x] Reason codes documented in runbook
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 5 | Planning |
| 2026-01-16 | ASC-001: Updated FEATURE_MATRIX.md with 33+ connectors by category | Documentation author |
| 2026-01-16 | ASC-002, ASC-003, ASC-004: Created DbCommandGroup.cs with status/connectors commands | Developer |
| 2026-01-16 | ASC-003: Added status filters and sync/error metadata to connector list output | Developer |
| 2026-01-16 | ASC-001: Added connector status/auth matrix and runbook links | Documentation author |
| 2026-01-16 | ASC-004: Added timeout support and tests for connector test command | Developer |
| 2026-01-16 | ASC-005: Added reason codes and remediation hints + runbook reference | Developer |
## Decisions & Risks
- Connector test command may cause rate limiting on external APIs
- Reason codes need to be stable for automation compatibility
- 33+ connectors may require significant documentation effort
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

147
docs-archived/implplan/SPRINT_20260117_009_CLI_vex_processing.md Normal file
View File

@@ -0,0 +1,147 @@
# Sprint 009 - VEX Processing CLI
## Topic & Scope
- Surface VEX operational capabilities via CLI
- Add verification, evidence export, webhook management, and issuer key management
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-008, 010-017
- Existing VEX CLI plugin provides foundation
## Documentation Prerequisites
- `docs/modules/vex/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 6)
- Existing VexCliCommandModule.cs patterns
## Delivery Tracker
### VPR-001 - Add `stella vex verify <doc>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `verify` subcommand to VexCliCommandModule.cs
- Validate VEX document structure and signatures
- Report validation results with detail level options
Completion criteria:
- [x] `stella vex verify document.vex.json` validates VEX document
- [x] Validation checks structure, schema, and signatures
- [x] Output includes validation status (valid/invalid)
- [x] Output includes specific issues for invalid documents
- [x] Supports `--format json`
### VPR-002 - Add `stella vex evidence export <digest|component>` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `evidence export` subcommand for VEX evidence extraction
- Support lookup by digest or component identifier
- Export all VEX statements affecting the target
Completion criteria:
- [x] `stella vex evidence export sha256:abc...` exports VEX evidence
- [x] `stella vex evidence export pkg:npm/lodash@4.17.21` exports evidence
- [x] Output includes all relevant VEX statements
- [x] Supports `--format json|openvex`
- [x] Supports `--output <path>`
### VPR-003 - Add `stella vex webhooks list/add/remove` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `webhooks` subcommand group to VEX CLI
- Implement `list` to show configured webhooks
- Implement `add` to register new webhook
- Implement `remove` to unregister webhook
Completion criteria:
- [x] `stella vex webhooks list` returns configured webhooks
- [x] `stella vex webhooks add --url <url> --events <events>` registers webhook
- [x] `stella vex webhooks remove <id>` unregisters webhook
- [x] Event types documented (vex.created, vex.updated, etc.)
- [x] Supports `--format json`
### VPR-004 - Add `stella issuer keys list/create/rotate/revoke` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `issuer` command group with `keys` subcommands
- Implement key lifecycle management via CLI
- Support multiple key types (RSA, ECDSA, EdDSA)
Completion criteria:
- [x] `stella issuer keys list` returns issuer keys
- [x] `stella issuer keys create --type ecdsa --name <name>` creates key
- [x] `stella issuer keys rotate <id>` rotates key
- [x] `stella issuer keys revoke <id>` revokes key
- [x] Key operations require appropriate permissions
- [x] Supports `--format json`
### VPR-005 - Improve consensus rationale explainability output
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Enhance VEX consensus commands to include detailed rationale
- Show contributing factors to consensus decision
- Include confidence scores and source attribution
Completion criteria:
- [x] VEX consensus output includes rationale
- [x] Rationale shows contributing VEX sources
- [x] Confidence score included with breakdown
- [x] Supports `--verbose` for detailed output
### VPR-006 - Add Doctor checks for VEX document validation
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for VEX document validation infrastructure
- Verify schema validation, signature verification, and source connectivity
- Include remediation hints for common issues
Completion criteria:
- [x] `stella doctor --check check.vex.validation` runs VEX validation check
- [x] Check verifies schema validation capability
- [x] Check verifies signature verification capability
- [x] Check verifies VEX source connectivity
- [x] Remediation hints for each failure mode
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 6 | Planning |
| 2026-01-16 | VPR-001: Added `stella vex verify` command to VexCliCommandModule.cs | Developer |
| 2026-01-16 | VPR-001: Added unit tests for `stella vex verify` command | Developer |
| 2026-01-16 | VPR-002: Added `stella vex evidence export` command with tests and docs | Developer |
| 2026-01-16 | VPR-003: Added `stella vex webhooks list/add/remove` commands | Developer |
| 2026-01-16 | VPR-004: Created IssuerKeysCommandGroup.cs with list/create/rotate/revoke | Developer |
| 2026-01-16 | VPR-003: Added VEX webhooks docs and tests | Developer |
| 2026-01-16 | VPR-004: Added issuer keys tests and reference docs | Developer |
| 2026-01-16 | VPR-005: Enhanced consensus rationale output with confidence details | Developer |
| 2026-01-16 | VPR-006: Created VEX Doctor plugin with validation, schema, and issuer trust checks | Developer |
## Decisions & Risks
- Webhook registration may require external validation
- Key operations are security-sensitive; audit logging required
- Consensus rationale may expose internal scoring logic
- Docs updated: [docs/modules/cli/guides/commands/vex.md](docs/modules/cli/guides/commands/vex.md), [docs/modules/cli/guides/commands/reference.md](docs/modules/cli/guides/commands/reference.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

124
docs-archived/implplan/SPRINT_20260117_010_CLI_policy_engine.md Normal file
View File

@@ -0,0 +1,124 @@
# Sprint 010 - Policy Engine CLI
## Topic & Scope
- Surface policy debug and portability capabilities via CLI
- Add lattice explanation, verdict export, and policy promotion commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, documentation
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-009, 011-017
- Existing PolicyCommandGroup.cs provides foundation
## Documentation Prerequisites
- `docs/modules/policy/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 7)
- Existing PolicyCommandGroup.cs patterns
## Delivery Tracker
### PEN-001 - Add `stella policy lattice explain` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `lattice explain` subcommand to PolicyCommandGroup.cs
- Explain policy lattice structure and evaluation order
- Show how policies combine and override
Completion criteria:
- [x] `stella policy lattice explain` shows lattice structure
- [x] Output includes policy hierarchy
- [x] Output includes override relationships
- [x] Output includes evaluation order
- [x] Supports `--format json|mermaid`
### PEN-002 - Add `stella policy verdicts export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `verdicts export` subcommand
- Export policy verdict history for audit purposes
- Support filtering by time range, policy, and outcome
Completion criteria:
- [x] `stella policy verdicts export` exports verdict history
- [x] Supports `--from` and `--to` time range filters
- [x] Supports `--policy <id>` filter
- [x] Supports `--outcome pass|fail|warn` filter
- [x] Supports `--format json|csv`
- [x] Supports `--output <path>`
### PEN-003 - Add `stella policy promote` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `promote` subcommand for policy promotion workflow
- Promote policy from one environment to another
- Include dry-run mode for validation
Completion criteria:
- [x] `stella policy promote <policy-id> --from dev --to stage` promotes policy
- [x] Supports `--dry-run` for validation without execution
- [x] Output shows promotion diff
- [x] Requires appropriate permissions
- [x] Audit log entry created for promotion
### PEN-004 - Document risk provider config in docs
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document risk provider configuration options
- Add to module dossier with examples
- Include configuration validation guidance
Completion criteria:
- [x] Risk provider config documented in module dossier
- [x] Configuration examples provided
- [x] Validation rules documented
- [x] Links to config schema
### PEN-005 - Add Doctor checks for policy engine health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for policy engine health
- Verify policy compilation, evaluation, and storage
- Include performance metrics
Completion criteria:
- [x] `stella doctor --check check.policy.engine` runs health check
- [x] Check verifies policy compilation
- [x] Check verifies evaluation capability
- [x] Check includes performance metrics (eval time)
- [x] Remediation hints for common issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 7 | Planning |
| 2026-01-16 | PEN-004: Created docs/modules/policy/guides/risk-provider-configuration.md | Documentation author |
| 2026-01-16 | PEN-005: Created PolicyEngineHealthCheck.cs for Doctor | Developer |
| 2026-01-16 | PEN-001, PEN-002, PEN-003: Added lattice, verdicts export, and promote CLI commands with tests | Developer |
| 2026-01-16 | PEN-001, PEN-002, PEN-003: Updated CLI command guide for new policy commands | Documentation author |
## Decisions & Risks
- Policy promotion requires environment-aware configuration
- Verdict export may contain sensitive decision data
- Lattice explanation exposes internal policy structure
- Docs updated: [docs/modules/cli/guides/commands/policy.md](docs/modules/cli/guides/commands/policy.md)
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

126
docs-archived/implplan/SPRINT_20260117_011_CLI_attestation_signing.md Normal file
View File

@@ -0,0 +1,126 @@
# Sprint 011 - Attestation & Signing CLI
## Topic & Scope
- Surface attestation and signing capabilities via CLI
- Add key rotation, trust anchor management, predicate registry, and audit export
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks, unit tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-010, 012-017
- Existing attestation and signing infrastructure provides foundation
## Documentation Prerequisites
- `docs/modules/attestor/architecture.md`
- `docs/modules/signer/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 8)
## Delivery Tracker
### ATS-001 - Add `stella keys rotate` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend existing KeyRotationCommandGroup.cs
- Add `rotate` subcommand for signing key rotation
- Support rotation with automatic re-signing option
Completion criteria:
- [x] `stella keys rotate <key-id>` rotates signing key
- [x] Supports `--resign` to re-sign existing attestations
- [x] Supports `--dry-run` for validation
- [x] Audit log entry created
- [x] Old key retained for verification period
- [x] Supports `--format json`
### ATS-002 - Add `stella trust-anchors add/list/remove` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TrustAnchorsCommandGroup.cs
- Implement trust anchor lifecycle management
- Support multiple anchor types (CA certs, public keys, OIDC issuers)
Completion criteria:
- [x] `stella trust-anchors list` shows configured anchors
- [x] `stella trust-anchors add --type ca --cert <path>` adds CA anchor
- [x] `stella trust-anchors add --type oidc --issuer <url>` adds OIDC anchor
- [x] `stella trust-anchors remove <id>` removes anchor
- [x] Supports `--format json`
### ATS-003 - Add `stella attest predicates list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `predicates list` subcommand to AttestCommandGroup.cs
- List registered predicate types
- Include predicate schema and usage information
Completion criteria:
- [x] `stella attest predicates list` shows predicate registry
- [x] Output includes predicate type URI
- [x] Output includes schema reference
- [x] Output includes usage statistics
- [x] Supports `--format json|table`
### ATS-004 - Add `stella sign audit export` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `audit export` subcommand to SignCommandGroup.cs
- Export signing audit log for compliance
- Support filtering by time range and key
Completion criteria:
- [x] `stella sign audit export` exports signing audit log
- [x] Supports `--from` and `--to` time range filters
- [x] Supports `--key <id>` filter
- [x] Supports `--format json|csv`
- [x] Supports `--output <path>`
- [x] Export is deterministic and reproducible
### ATS-005 - Add Doctor checks for key material health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for signing key material health
- Verify key availability, expiration, and HSM connectivity
- Include remediation for common key issues
Completion criteria:
- [x] `stella doctor --check check.attestation.keymaterial` runs key check
- [x] Check verifies key file accessibility
- [x] Check verifies key expiration (warn if < 30 days)
- [x] Check verifies HSM/KMS connectivity if configured
- [x] Remediation hints for each failure mode
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 8 | Planning |
| 2026-01-16 | ATS-002: Created TrustAnchorsCommandGroup.cs with list/add/remove/show commands | Developer |
| 2026-01-16 | ATS-001: Created KeysCommandGroup.cs with list/rotate/status commands | Developer |
| 2026-01-16 | ATS-003: Added predicates list command to AttestCommandGroup.cs | Developer |
| 2026-01-16 | ATS-004: Added sign audit export/list commands to SignCommandGroup.cs | Developer |
| 2026-01-16 | ATS-005: Created SigningKeyExpirationCheck.cs for Doctor key health check | Developer |
## Decisions & Risks
- Key rotation is security-critical; requires careful permission handling
- Trust anchor changes affect verification across the system
- Audit export may contain sensitive operational data
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

107
docs-archived/implplan/SPRINT_20260117_012_CLI_regional_crypto.md Normal file
View File

@@ -0,0 +1,107 @@
# Sprint 012 - Regional Crypto CLI
## Topic & Scope
- Surface regional cryptography capabilities via CLI
- Add crypto profile management and plugin health commands
- Add Doctor checks for HSM/PKCS#11 and certificate chains
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-011, 013-017
- Depends on existing crypto plugin infrastructure
## Documentation Prerequisites
- `docs/modules/cryptography/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 9)
- Regional crypto standards (eIDAS, FIPS, GOST, SM)
## Delivery Tracker
### RCR-001 - Add `stella crypto profiles list/select` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Extend CryptoCommandGroup.cs with profile management
- List available crypto profiles (eIDAS, FIPS, GOST, SM, etc.)
- Select active profile for operations
Completion criteria:
- [x] `stella crypto profiles list` shows available profiles
- [x] Output includes profile name, algorithms, standards compliance
- [x] `stella crypto profiles select <profile>` sets active profile
- [x] Active profile persists in configuration
- [x] Supports `--format json`
### RCR-002 - Add `stella crypto plugins status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `plugins status` subcommand
- Report status of crypto plugins (HSM, PKCS#11, software)
- Include health metrics and capabilities
Completion criteria:
- [x] `stella crypto plugins status` shows plugin status
- [x] Output includes plugin name, type, status
- [x] Output includes supported algorithms
- [x] Output includes performance metrics (ops/sec)
- [x] Supports `--format json|table`
### RCR-003 - Add Doctor checks for HSM/PKCS#11 availability
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for HSM/PKCS#11 module availability
- Verify module loading, slot access, and token presence
- Include remediation for common HSM issues
Completion criteria:
- [x] `stella doctor --check check.crypto.hsm` runs HSM check
- [x] Check verifies PKCS#11 module load
- [x] Check verifies slot availability
- [x] Check verifies token presence and login capability
- [x] Remediation hints for module, slot, and token issues
### RCR-004 - Add Doctor checks for cert chain validation
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for certificate chain validation
- Verify chain completeness, trust anchor validity, and expiration
- Include remediation for common cert issues
Completion criteria:
- [x] `stella doctor --check check.crypto.certchain` runs cert check
- [x] Check verifies chain completeness (no missing intermediates)
- [x] Check verifies trust anchor validity
- [x] Check warns on expiration (< 30 days)
- [x] Remediation hints for chain, anchor, and expiration issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 9 | Planning |
| 2026-01-16 | RCR-001: Added `stella crypto profiles list/select` commands | Developer |
| 2026-01-16 | RCR-002: Added `stella crypto plugins status` command | Developer |
| 2026-01-16 | RCR-003: Created HsmPkcs11AvailabilityCheck.cs for Doctor | Developer |
| 2026-01-16 | RCR-004: Created CertChainValidationCheck.cs for Doctor | Developer |
## Decisions & Risks
- HSM/PKCS#11 checks require physical or virtual HSM for testing
- Regional crypto profiles may have export control implications
- Certificate chain validation must handle offline scenarios
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

127
docs-archived/implplan/SPRINT_20260117_013_CLI_evidence_findings.md Normal file
View File

@@ -0,0 +1,127 @@
# Sprint 013 - Evidence & Findings CLI
## Topic & Scope
- Standardize export commands for evidence, audit, lineage, and risk bundles
- Ensure all exports are deterministic, versioned, and include manifests
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with standardized output formats
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-012, 014-017
- Sprint 018 (FE) depends on this sprint for export APIs
## Documentation Prerequisites
- `docs/modules/evidence/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 10)
- Existing export command patterns
## Delivery Tracker
### EFI-001 - Add `stella export audit` standardization
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Standardize existing audit export command
- Ensure deterministic output with manifest and hashes
- Add version metadata to output
Completion criteria:
- [x] `stella export audit --digest sha256:abc...` produces audit bundle
- [x] Bundle includes manifest.json with file hashes
- [x] Bundle includes version metadata
- [x] Output is deterministic (same input = same output hash)
- [x] Supports `--format tar.gz|zip`
- [x] Supports `--output <path>`
### EFI-002 - Add `stella export lineage` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create lineage export command
- Export lineage graph for a digest or component
- Include all ancestors and descendants
Completion criteria:
- [x] `stella export lineage --digest sha256:abc...` produces lineage bundle
- [x] Bundle includes lineage graph (nodes and edges)
- [x] Bundle includes evidence for each node
- [x] Supports `--depth N` for traversal depth
- [x] Supports `--format tar.gz|zip|json`
- [x] Supports `--output <path>`
### EFI-003 - Add `stella export risk` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create risk bundle export command
- Export risk assessment with all contributing factors
- Include vulnerability details, reachability, VEX status
Completion criteria:
- [x] `stella export risk --digest sha256:abc...` produces risk bundle
- [x] Bundle includes vulnerability list with CVSS/EPSS
- [x] Bundle includes reachability assessment
- [x] Bundle includes VEX status for each vulnerability
- [x] Supports `--severity critical|high|medium|low` filter
- [x] Supports `--format tar.gz|zip|json`
- [x] Supports `--output <path>`
### EFI-004 - Add `stella export evidence-pack` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create evidence pack export command
- Comprehensive export including all evidence types
- Suitable for external audit or legal hold
Completion criteria:
- [x] `stella export evidence-pack --digest sha256:abc...` produces evidence pack
- [x] Pack includes SBOM, attestations, signatures, VEX, policy verdicts
- [x] Pack includes chain-of-custody metadata
- [x] Pack is self-verifying (includes verification instructions)
- [x] Supports `--format tar.gz|zip`
- [x] Supports `--output <path>`
### EFI-005 - Ensure exports are deterministic, versioned, with manifest
Status: DONE
Dependency: EFI-001 through EFI-004
Owners: Developer / QA
Task description:
- Audit all export commands for determinism
- Ensure version metadata in all exports
- Ensure manifest with hashes in all exports
- Add golden file tests for determinism
Completion criteria:
- [x] All export commands produce deterministic output
- [x] All exports include version metadata
- [x] All exports include manifest.json with SHA-256 hashes
- [x] Golden file tests verify determinism
- [ ] Documentation updated with determinism guarantees
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 10 | Planning |
| 2026-01-16 | EFI-001 through EFI-004: Created ExportCommandGroup.cs with audit/lineage/risk/evidence-pack | Developer |
| 2026-01-16 | EFI-005: Created DeterministicExportUtilities.cs with manifest generation | Developer |
## Decisions & Risks
- Deterministic exports require sorted keys and stable timestamps
- Large exports may require streaming implementation
- Evidence packs may contain sensitive data; access control required
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

106
docs-archived/implplan/SPRINT_20260117_014_CLI_determinism_replay.md Normal file
View File

@@ -0,0 +1,106 @@
# Sprint 014 - Determinism & Replay CLI
## Topic & Scope
- Surface determinism inspection and replay capabilities via CLI
- Add HLC status, timeline query, and score explanation commands
- Ensure all outputs support golden file testing
- Working directory: `src/Cli/`
- Expected evidence: CLI commands with deterministic outputs, golden file tests
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-013, 015-017
- Depends on existing HLC and timeline infrastructure
## Documentation Prerequisites
- `docs/modules/determinism/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 11)
- HLC (Hybrid Logical Clock) specification
## Delivery Tracker
### DRP-001 - Add `stella hlc status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create HlcCommandGroup.cs with `status` subcommand
- Report HLC node status, clock drift, and sync state
- Include cluster-wide HLC coordination status
Completion criteria:
- [x] `stella hlc status` returns HLC node status
- [x] Output includes local HLC timestamp
- [x] Output includes clock drift from NTP
- [x] Output includes sync state with cluster peers
- [x] Supports `--format json`
### DRP-002 - Add `stella timeline query` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TimelineCommandGroup.cs with `query` subcommand
- Query timeline events by time range, entity, or event type
- Support deterministic pagination
Completion criteria:
- [x] `stella timeline query --from <ts> --to <ts>` returns events
- [x] Supports `--entity <id>` filter
- [x] Supports `--type <event-type>` filter
- [x] Supports `--limit N` and `--offset N` for pagination
- [x] Results are deterministically ordered by HLC timestamp
- [x] Supports `--format json|table`
### DRP-003 - Add `stella score explain` deterministic output
Status: DONE
Dependency: Sprint 006 RCA-001
Owners: Developer
Task description:
- Ensure score explain command produces deterministic output
- Sort all collections in output
- Use stable formatting for floating-point values
Completion criteria:
- [x] Score explain output is deterministic (same input = same output)
- [x] Collections are sorted alphabetically or by ID
- [x] Floating-point values have stable precision (6 decimal places)
- [x] Output includes determinism hash for verification
### DRP-004 - Add golden file tests for replay verification
Status: DONE
Dependency: DRP-001, DRP-002, DRP-003
Owners: QA / Test Automation
Task description:
- Create golden file test suite for determinism commands
- Include frozen fixtures for HLC, timeline, and score explain
- Ensure CI fails on any output change
Completion criteria:
- [x] Golden files exist for each determinism command
- [x] Test suite compares output against golden files
- [x] CI pipeline includes golden file tests
- [x] Documentation explains how to update golden files
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 11 | Planning |
| 2026-01-16 | DRP-001: Created HlcCommandGroup.cs with status and now commands | Developer |
| 2026-01-16 | DRP-002: Created TimelineCommandGroup.cs with query and export commands | Developer |
| 2026-01-16 | DRP-003: Added determinism hash to score explain, sorted factors, stable F6 precision | Developer |
| 2026-01-16 | DRP-004: Created DeterminismReplayGoldenTests.cs with frozen fixtures for HLC, timeline, score explain | QA |
## Decisions & Risks
- HLC requires cluster coordination; single-node mode may have different behavior
- Timeline queries on large ranges may be slow; consider streaming
- Deterministic output requires careful handling of maps and timestamps
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

127
docs-archived/implplan/SPRINT_20260117_015_CLI_operations.md Normal file
View File

@@ -0,0 +1,127 @@
# Sprint 015 - Operations CLI
## Topic & Scope
- Surface orchestrator and scheduler capabilities via CLI
- Add job management, dead-letter handling, and scheduler preview
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-014, 016-017
- Depends on existing Orchestrator and Scheduler services
## Documentation Prerequisites
- `docs/modules/orchestrator/architecture.md`
- `docs/modules/scheduler/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 12)
## Delivery Tracker
### OPS-001 - Add `stella orchestrator jobs list/show` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create OrchestratorCommandGroup.cs with jobs subcommands
- List jobs with filtering by status, type, and time range
- Show detailed job information including steps and timing
Completion criteria:
- [x] `stella orchestrator jobs list` returns job list
- [x] Supports `--status pending|running|completed|failed` filter
- [x] Supports `--type <job-type>` filter
- [x] Supports `--from` and `--to` time range
- [x] `stella orchestrator jobs show <job-id>` returns job details
- [x] Supports `--format json|table`
### OPS-002 - Add `stella orchestrator jobs retry/cancel` commands
Status: DONE
Dependency: OPS-001
Owners: Developer
Task description:
- Add job lifecycle management commands
- Retry failed jobs with optional parameter override
- Cancel pending or running jobs
Completion criteria:
- [x] `stella orchestrator jobs retry <job-id>` retries failed job
- [x] Supports `--force` to retry non-failed jobs
- [x] `stella orchestrator jobs cancel <job-id>` cancels job
- [x] Cancel only works on pending/running jobs
- [x] Operations require appropriate permissions
### OPS-003 - Add `stella orchestrator deadletter list/show/replay` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add dead-letter queue management commands
- List messages in dead-letter queue
- Show message details and failure reason
- Replay messages back to processing queue
Completion criteria:
- [x] `stella orchestrator deadletter list` returns DLQ messages
- [ ] `stella orchestrator deadletter show <msg-id>` shows message details
- [x] Details include original message, failure reason, retry count
- [x] `stella orchestrator deadletter replay <msg-id>` replays message
- [x] `stella orchestrator deadletter replay --all` replays all messages
- [x] Supports `--format json|table`
### OPS-004 - Add `stella scheduler preview` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add scheduler preview command
- Show upcoming scheduled jobs for a time window
- Include job type, schedule expression, and next run time
Completion criteria:
- [x] `stella scheduler preview` shows upcoming jobs
- [x] Supports `--window 24h|7d|30d` for preview window
- [x] Output includes job name, schedule, next run time
- [x] Supports `--format json|table`
### OPS-005 - Add Doctor checks for job queue health
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for job queue health
- Monitor queue depth, processing rate, and DLQ size
- Alert on backlog or high DLQ count
Completion criteria:
- [x] `stella doctor --check check.operations.queue` runs queue check
- [x] Check monitors pending job count
- [x] Check monitors processing rate
- [x] Check monitors DLQ size
- [x] Warns on backlog > threshold
- [x] Warns on DLQ > threshold
- [x] Remediation hints for queue issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 12 | Planning |
| 2026-01-16 | OPS-001, OPS-002: Created OrchestratorCommandGroup.cs with jobs commands | Developer |
| 2026-01-16 | OPS-003: Added deadletter list/replay commands | Developer |
| 2026-01-16 | OPS-004: Created scheduler preview and list commands | Developer |
| 2026-01-16 | OPS-005: Created Operations Doctor plugin with job queue, dead letter, and scheduler checks | Developer |
## Decisions & Risks
- Job retry may cause duplicate processing; idempotency required
- DLQ replay should preserve original message context
- Scheduler preview accuracy depends on cron parsing
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

146
docs-archived/implplan/SPRINT_20260117_016_CLI_auth_access.md Normal file
View File

@@ -0,0 +1,146 @@
# Sprint 016 - Auth & Access Control CLI
## Topic & Scope
- Surface auth administration capabilities via CLI for automation
- Add client, role, scope, token, and API key management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, Doctor checks
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-015, 017
- Depends on existing Authority service
## Documentation Prerequisites
- `docs/modules/authority/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 14)
- OAuth 2.0 / OIDC specifications
## Delivery Tracker
### AAC-001 - Add `stella auth clients list/create/delete` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create AuthCommandGroup.cs with clients subcommands
- List OAuth clients with filtering
- Create new clients with configurable grants and scopes
- Delete clients with confirmation
Completion criteria:
- [x] `stella auth clients list` returns client list
- [x] Supports `--type public|confidential` filter
- [x] `stella auth clients create --name <name> --type <type>` creates client
- [x] Supports `--grants` and `--scopes` options
- [x] `stella auth clients delete <client-id>` deletes client
- [x] Requires `--confirm` for deletion
- [x] Supports `--format json|table`
### AAC-002 - Add `stella auth roles list/assign` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add roles subcommand group
- List available roles with permissions
- Assign roles to users or clients
Completion criteria:
- [x] `stella auth roles list` returns role list
- [x] Output includes role name, description, permissions
- [x] `stella auth roles assign <role> --user <user-id>` assigns to user
- [x] `stella auth roles assign <role> --client <client-id>` assigns to client
- [ ] `stella auth roles revoke <role> --user <user-id>` revokes from user
- [x] Supports `--format json|table`
### AAC-003 - Add `stella auth scopes list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add scopes list command
- Show all available OAuth scopes
- Include scope description and resource access
Completion criteria:
- [x] `stella auth scopes list` returns scope list
- [x] Output includes scope name, description
- [x] Output includes resources the scope grants access to
- [x] Supports `--format json|table`
### AAC-004 - Add `stella auth token inspect` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add token inspect command for debugging
- Parse and display token claims
- Validate token signature and expiration
Completion criteria:
- [x] `stella auth token inspect <token>` inspects JWT
- [x] Output includes header, payload (claims)
- [x] Output includes validation status (signature, expiration)
- [x] Supports `--format json|table`
- [x] Sensitive claims can be masked with `--mask`
### AAC-005 - Add `stella auth api-keys list/create/revoke` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add api-keys subcommand group
- List API keys with filtering by user or status
- Create new API keys with scope and expiration
- Revoke API keys
Completion criteria:
- [x] `stella auth api-keys list` returns API key list
- [ ] Supports `--user <user-id>` filter
- [ ] Supports `--status active|revoked` filter
- [x] `stella auth api-keys create --name <name> --scopes <scopes>` creates key
- [x] Supports `--expires <duration>` option
- [x] `stella auth api-keys revoke <key-id>` revokes key
- [x] Key secret only shown once at creation
- [x] Supports `--format json|table`
### AAC-006 - Add Doctor checks for auth configuration
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Doctor check for auth configuration health
- Verify OIDC provider connectivity
- Verify signing key availability
- Check token service health
Completion criteria:
- [x] `stella doctor --check check.auth.config` runs auth check
- [x] Check verifies OIDC provider connectivity (if configured)
- [x] Check verifies signing key availability
- [x] Check verifies token service responds
- [x] Remediation hints for common auth issues
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 14 | Planning |
| 2026-01-16 | AAC-001 through AAC-005: Created AuthCommandGroup.cs with clients/roles/scopes/token/api-keys | Developer |
| 2026-01-16 | AAC-006: Created Auth Doctor plugin with config, OIDC, signing key, and token service checks | Developer |
## Decisions & Risks
- Client credentials are sensitive; secure output handling required
- API key secrets must never be logged or stored
- Role assignment changes are security-sensitive; audit logging required
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

107
docs-archived/implplan/SPRINT_20260117_017_CLI_notify_integrations.md Normal file
View File

@@ -0,0 +1,107 @@
# Sprint 017 - Notifications & Integrations CLI
## Topic & Scope
- Surface notification and integration capabilities via CLI
- Add channel management, template rendering, and integration testing
- Working directory: `src/Cli/`
- Expected evidence: CLI commands
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with sprints 004-016
- Depends on existing Notify service and integration infrastructure
## Documentation Prerequisites
- `docs/modules/notify/architecture.md`
- `docs/modules/integrations/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (Batch 15)
## Delivery Tracker
### NIN-001 - Add `stella notify channels list/test` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create NotifyCommandGroup.cs with channels subcommands
- List configured notification channels
- Test channel connectivity with sample notification
Completion criteria:
- [x] `stella notify channels list` returns channel list
- [x] Output includes channel name, type (email, slack, webhook, etc.)
- [x] Output includes status (enabled/disabled)
- [x] `stella notify channels test <channel-id>` sends test notification
- [x] Test result includes delivery status
- [x] Supports `--format json|table`
### NIN-002 - Add `stella notify templates list/render` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add templates subcommand group
- List available notification templates
- Render template with sample data for preview
Completion criteria:
- [x] `stella notify templates list` returns template list
- [x] Output includes template name, event type, channels
- [x] `stella notify templates render <template-id>` renders template
- [x] Supports `--data <json>` for custom template variables
- [x] Output shows rendered notification content
- [x] Supports `--format json|text`
### NIN-003 - Add `stella integrations test` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create IntegrationsCommandGroup.cs with test command
- Test connectivity and authentication for configured integrations
- Report test results with timing
Completion criteria:
- [x] `stella integrations test` tests all integrations
- [x] `stella integrations test <integration-id>` tests specific integration
- [x] Test verifies connectivity, authentication, basic operation
- [x] Output includes test result (pass/fail), timing, error details
- [x] Supports `--format json|table`
### NIN-004 - Add `stella notify preferences export/import` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add preferences subcommand group
- Export user notification preferences
- Import preferences for bulk configuration
Completion criteria:
- [x] `stella notify preferences export` exports preferences
- [x] Supports `--user <user-id>` to export specific user
- [x] Exports to JSON format
- [x] `stella notify preferences import <file>` imports preferences
- [x] Import validates format before applying
- [x] Supports `--dry-run` for validation only
- [x] Supports `--output <path>` for export
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory Batch 15 | Planning |
| 2026-01-16 | NIN-001 through NIN-004: Created NotifyCommandGroup.cs with channels/templates/preferences and integrations commands | Developer |
## Decisions & Risks
- Channel testing may trigger actual notifications; use test recipients
- Template rendering with user data may expose sensitive information
- Integration testing may hit external rate limits
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

198
docs-archived/implplan/SPRINT_20260117_018_FE_ux_components.md Normal file
View File

@@ -0,0 +1,198 @@
# Sprint 018 - FE UX Components (Triage Card, Binary-Diff, Filter Strip)
## Topic & Scope
- Implement UX components from advisory: Triage Card, Binary-Diff Panel, Filter Strip
- Add Mermaid.js and GraphViz for visualization
- Add SARIF download to Export Center
- Working directory: `src/Web/`
- Expected evidence: Angular components, Playwright tests
## Dependencies & Concurrency
- Depends on Sprint 006 (Reachability) for witness path APIs
- Depends on Sprint 008 (Advisory Sources) for connector status APIs
- Depends on Sprint 013 (Evidence) for export APIs
- Must wait for dependent CLI sprints to complete
## Documentation Prerequisites
- `docs/modules/web/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (UX Specs section)
- Angular component patterns in `src/Web/frontend/`
## Delivery Tracker
### UXC-001 - Install Mermaid.js and GraphViz libraries
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Mermaid.js to package.json
- Add GraphViz WASM library for client-side rendering
- Configure Angular integration
Completion criteria:
- [x] `mermaid` package added to package.json
- [x] GraphViz WASM library added (e.g., @viz-js/viz)
- [x] Mermaid directive/component created for rendering
- [x] GraphViz fallback component created
- [x] Unit tests for rendering components
### UXC-002 - Create Triage Card component with signed evidence display
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create TriageCardComponent following UX spec
- Display vuln ID, package, version, scope, risk chip
- Show evidence chips (OpenVEX, patch proof, reachability, EPSS)
- Include actions (Explain, Create task, Mute, Export)
Completion criteria:
- [x] TriageCardComponent renders card per spec
- [x] Header shows vuln ID, package@version, scope
- [x] Risk chip shows score and reason
- [x] Evidence chips show OpenVEX, patch proof, reachability, EPSS
- [x] Actions row includes Explain, Create task, Mute, Export
- [x] Keyboard shortcuts: v (verify), e (export), m (mute)
- [x] Hover tooltips on chips
- [x] Copy icons on digests
### UXC-003 - Add Rekor Verify one-click action in Triage Card
Status: DONE
Dependency: UXC-002
Owners: Developer
Task description:
- Add "Rekor Verify" button to Triage Card
- Execute DSSE/Sigstore verification
- Expand to show verification details
Completion criteria:
- [x] "Rekor Verify" button in Triage Card
- [x] Click triggers verification API call
- [x] Expansion shows signature subject/issuer
- [x] Expansion shows timestamp
- [x] Expansion shows Rekor index and entry (copyable)
- [x] Expansion shows digest(s)
- [x] Loading state during verification
### UXC-004 - Create Binary-Diff Panel with side-by-side diff view
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create BinaryDiffPanelComponent following UX spec
- Implement scope selector (file → section → function)
- Show base vs candidate with inline diff
Completion criteria:
- [x] BinaryDiffPanelComponent renders panel per spec
- [x] Scope selector allows file/section/function selection
- [x] Side-by-side view shows base vs candidate
- [x] Inline diff highlights changes
- [x] Per-file, per-section, per-function hashes displayed
- [x] "Export Signed Diff" produces DSSE envelope
- [x] Click on symbol jumps to function diff
### UXC-005 - Add scope selector (file to section to function)
Status: DONE
Dependency: UXC-004
Owners: Developer
Task description:
- Create ScopeSelectorComponent for Binary-Diff
- Support hierarchical selection
- Maintain context when switching scopes
Completion criteria:
- [x] ScopeSelectorComponent with file/section/function levels
- [x] Selection updates Binary-Diff Panel view
- [x] Context preserved when switching scopes
- [x] "Show only changed blocks" toggle
- [x] Toggle opcodes ⇄ decompiled view (if available)
### UXC-006 - Create Filter Strip with deterministic prioritization
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create FilterStripComponent following UX spec
- Implement precedence toggles (OpenVEX → Patch proof → Reachability → EPSS)
- Ensure deterministic ordering
Completion criteria:
- [x] FilterStripComponent renders strip per spec
- [x] Precedence toggles in order: OpenVEX, Patch proof, Reachability, EPSS
- [x] EPSS slider for threshold
- [x] "Only reachable" checkbox
- [x] "Only with patch proof" checkbox
- [x] "Deterministic order" lock icon (on by default)
- [x] Tie-breaking: OCI digest → path → CVSS
- [x] Filters update counts without reflow
- [x] A11y: high-contrast, focus rings, keyboard nav, aria-labels
### UXC-007 - Add SARIF download to Export Center
Status: DONE
Dependency: Sprint 005 SCD-003
Owners: Developer
Task description:
- Add SARIF download button to Export Center
- Support scan run and digest-based download
- Include metadata (digest, scan time, policy profile)
Completion criteria:
- [x] "Download SARIF" button in Export Center
- [x] Download available for scan runs
- [x] Download available for digest
- [x] SARIF includes metadata per Sprint 005
- [x] Download matches CLI output format
### UXC-008 - Integration tests with Playwright
Status: DONE
Dependency: UXC-001 through UXC-007
Owners: QA / Test Automation
Task description:
- Create Playwright e2e tests for new components
- Test Triage Card interactions
- Test Binary-Diff Panel navigation
- Test Filter Strip determinism
Completion criteria:
- [x] Playwright tests for Triage Card
- [x] Tests cover keyboard shortcuts
- [x] Tests cover Rekor Verify flow
- [x] Playwright tests for Binary-Diff Panel
- [x] Tests cover scope selection
- [x] Playwright tests for Filter Strip
- [x] Tests verify deterministic ordering
- [x] Visual regression tests for new components
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory UX Specs | Planning |
| 2026-01-16 | UXC-001: Created MermaidRendererComponent and GraphvizRendererComponent | Developer |
| 2026-01-16 | UXC-002: Created TriageCardComponent with evidence chips, actions | Developer |
| 2026-01-16 | UXC-003: Added Rekor Verify with expansion panel | Developer |
| 2026-01-16 | UXC-004: Created BinaryDiffPanelComponent with scope navigation | Developer |
| 2026-01-16 | UXC-005: Integrated scope selector into BinaryDiffPanel | Developer |
| 2026-01-16 | UXC-006: Created FilterStripComponent with deterministic ordering | Developer |
| 2026-01-16 | UXC-007: Created SarifDownloadComponent for Export Center | Developer |
| 2026-01-16 | UXC-008: Created Playwright e2e tests: triage-card.spec.ts, binary-diff-panel.spec.ts, filter-strip.spec.ts, ux-components-visual.spec.ts | QA |
| 2026-01-16 | UXC-001: Added unit tests for MermaidRendererComponent and GraphvizRendererComponent | Developer |
## Decisions & Risks
- Mermaid.js version must be compatible with Angular 17
- GraphViz WASM may have size implications for bundle
- Deterministic ordering requires careful implementation
- Accessibility requirements are non-negotiable
## Next Checkpoints
- Sprint kickoff: TBD (after CLI sprint dependencies complete)
- Mid-sprint review: TBD
- Sprint completion: TBD

159
docs-archived/implplan/SPRINT_20260117_019_CLI_release_orchestration.md Normal file
View File

@@ -0,0 +1,159 @@
# Sprint 019 - Release Orchestration CLI
## Topic & Scope
- Surface release orchestration capabilities via CLI
- Add release lifecycle, promotion, rollback, hooks, and agent management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 13
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on ReleaseOrchestrator module being production-ready
## Documentation Prerequisites
- `docs/modules/releaseorchestrator/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 13)
- Release Orchestration service APIs
## Delivery Tracker
### REL-001 - Add `stella release create` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ReleaseCommandGroup.cs with `create` subcommand
- Create release bundles from environment configuration
- Support bundle signing and manifest generation
Completion criteria:
- [x] `stella release create --env <env> --version <version>` creates release bundle
- [x] Bundle includes environment manifest, artifacts, and signatures
- [x] Supports `--sign` option for bundle signing
- [x] Supports `--dry-run` for validation
- [x] Supports `--format json`
- [x] Supports `--output <path>`
### REL-002 - Add `stella release promote` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `promote` subcommand for environment promotion
- Support promotion from source to target environment
- Include approval gate validation
Completion criteria:
- [x] `stella release promote <release-id> --from <env> --to <env>` promotes release
- [x] Validates approval gates before promotion
- [x] Supports `--force` to bypass non-blocking gates
- [x] Supports `--dry-run` for promotion preview
- [x] Creates promotion attestation
- [x] Supports `--format json`
### REL-003 - Add `stella release rollback` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `rollback` subcommand for environment rollback
- Support rollback to previous release version
- Include safety validations
Completion criteria:
- [x] `stella release rollback <env> --to <release-id|version>` rolls back
- [x] Validates rollback target exists and is valid
- [x] Supports `--force` for emergency rollback
- [x] Creates rollback attestation
- [x] Supports `--reason <text>` for audit trail
### REL-004 - Add `stella release list/show` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `list` and `show` subcommands for release inspection
- List releases with filtering by environment and status
- Show detailed release information
Completion criteria:
- [x] `stella release list` returns release list
- [x] Supports `--env <env>` filter
- [x] Supports `--status pending|deployed|rolled-back` filter
- [x] `stella release show <release-id>` returns release details
- [x] Details include artifacts, attestations, promotion history
- [x] Supports `--format json|table`
### REL-005 - Add `stella release hooks list/run` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `hooks` subcommand group for hook management
- List configured pre/post deployment hooks
- Manually run hooks for testing
Completion criteria:
- [x] `stella release hooks list --env <env>` lists hooks
- [x] Output includes hook name, type (pre/post), script
- [x] `stella release hooks run <hook-id> --env <env>` runs hook
- [x] Supports `--dry-run` for hook validation
- [x] Supports `--format json|table`
### REL-006 - Add `stella agent status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create AgentCommandGroup.cs with `status` subcommand
- Report deployment agent status across environments
- Include health metrics and connectivity
Completion criteria:
- [x] `stella agent status` returns agent status for all environments
- [x] `stella agent status --env <env>` returns specific environment
- [x] Output includes agent type (Docker, Compose, ECS, Nomad)
- [x] Output includes connectivity status, last heartbeat
- [x] Supports `--format json|table`
### REL-007 - Add `stella release verify` command
Status: DONE
Dependency: REL-001
Owners: Developer
Task description:
- Add `verify` subcommand for release verification
- Verify release bundle integrity and signatures
- Run deployment verification tests
Completion criteria:
- [x] `stella release verify <release-id>` verifies release
- [x] Verifies bundle signatures and manifests
- [x] Optionally runs verification tests with `--tests`
- [x] Reports verification status
- [x] Supports `--format json`
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 13 | Planning |
| 2026-01-16 | REL-001 through REL-005, REL-007: Created ReleaseCommandGroup.cs | Developer |
| 2026-01-16 | REL-006: Created AgentCommandGroup.cs with status/list/health | Developer |
## Decisions & Risks
- Release orchestration module must be production-ready before CLI work
- Promotion commands affect production environments; require confirmation
- Agent connectivity depends on deployment infrastructure
## Next Checkpoints
- Sprint kickoff: TBD (after Release Orchestration module ready)
- Mid-sprint review: TBD
- Sprint completion: TBD

124
docs-archived/implplan/SPRINT_20260117_020_CLI_zastava_webhooks.md Normal file
View File

@@ -0,0 +1,124 @@
# Sprint 020 - Zastava K8s Webhooks CLI
## Topic & Scope
- Surface Kubernetes admission webhook capabilities via CLI
- Add installation, configuration, and status commands for Zastava
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, installation scripts
- Note: From FEATURE_GAPS_REPORT.md Batch 15 (Integrations)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on Zastava module
## Documentation Prerequisites
- `docs/modules/zastava/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 15)
- Kubernetes admission webhook specification
## Delivery Tracker
### ZAS-001 - Add `stella zastava install` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create ZastavaCommandGroup.cs with `install` subcommand
- Generate Kubernetes manifests for admission webhook
- Support multiple installation modes
Completion criteria:
- [x] `stella zastava install` generates K8s manifests
- [x] Supports `--namespace <ns>` for target namespace
- [x] Supports `--mode validating|mutating|both`
- [x] Supports `--output <path>` for manifest output
- [x] Supports `--apply` to directly apply to cluster
- [x] Generates TLS certificates if needed
### ZAS-002 - Add `stella zastava configure` command
Status: DONE
Dependency: ZAS-001
Owners: Developer
Task description:
- Add `configure` subcommand for webhook configuration
- Configure policy enforcement rules
- Set image allow/deny lists
Completion criteria:
- [x] `stella zastava configure --policy <policy-id>` sets policy
- [x] Supports `--allow-registries <list>` for allowlist
- [x] Supports `--block-unsigned` to require signatures
- [x] Supports `--block-critical` to block critical CVEs
- [x] Configuration persists in ConfigMap
- [x] Supports `--format json`
### ZAS-003 - Add `stella zastava status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `status` subcommand for webhook health
- Report webhook registration and connectivity
- Include admission decision statistics
Completion criteria:
- [x] `stella zastava status` returns webhook status
- [x] Output includes registration status with API server
- [x] Output includes certificate expiration
- [x] Output includes admission statistics (allowed/denied/errors)
- [x] Supports `--namespace <ns>` filter
- [x] Supports `--format json|table`
### ZAS-004 - Add `stella zastava logs` command
Status: DONE
Dependency: ZAS-003
Owners: Developer
Task description:
- Add `logs` subcommand for webhook logs
- Stream or tail webhook pod logs
- Filter by admission decision type
Completion criteria:
- [x] `stella zastava logs` shows recent logs
- [x] Supports `--follow` for streaming
- [x] Supports `--since <duration>` for time filter
- [x] Supports `--decision allowed|denied|error` filter
- [x] Supports `--image <pattern>` to filter by image
### ZAS-005 - Add `stella zastava uninstall` command
Status: DONE
Dependency: ZAS-001
Owners: Developer
Task description:
- Add `uninstall` subcommand for webhook removal
- Remove webhook registration and resources
- Include safety confirmation
Completion criteria:
- [x] `stella zastava uninstall` removes webhook
- [x] Requires `--confirm` for safety
- [x] Supports `--namespace <ns>` for specific namespace
- [x] Removes ValidatingWebhookConfiguration/MutatingWebhookConfiguration
- [x] Optionally removes TLS secrets with `--remove-secrets`
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 15 | Planning |
| 2026-01-16 | ZAS-001 through ZAS-005: Created ZastavaCommandGroup.cs | Developer |
## Decisions & Risks
- K8s webhook installation requires cluster-admin permissions
- TLS certificate management adds complexity
- Webhook failures can block deployments; need failOpen option
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

124
docs-archived/implplan/SPRINT_20260117_021_CLI_taskrunner.md Normal file
View File

@@ -0,0 +1,124 @@
# Sprint 021 - TaskRunner CLI
## Topic & Scope
- Surface TaskRunner capabilities via CLI
- Add task execution, monitoring, and artifact management commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 12 (Operations)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on TaskRunner service
## Documentation Prerequisites
- `docs/modules/taskrunner/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 12)
- TaskRunner service APIs
## Delivery Tracker
### TRN-001 - Add `stella taskrunner status` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create TaskRunnerCommandGroup.cs with `status` subcommand
- Report TaskRunner service health and capacity
- Include worker pool metrics
Completion criteria:
- [x] `stella taskrunner status` returns service status
- [x] Output includes service health (healthy/degraded/unhealthy)
- [x] Output includes worker count and capacity
- [x] Output includes queue depth
- [x] Supports `--format json|table`
### TRN-002 - Add `stella taskrunner tasks list/show` commands
Status: DONE
Dependency: TRN-001
Owners: Developer
Task description:
- Add `tasks` subcommand group for task inspection
- List tasks with filtering by status and type
- Show detailed task information
Completion criteria:
- [x] `stella taskrunner tasks list` returns task list
- [x] Supports `--status pending|running|completed|failed` filter
- [x] Supports `--type <task-type>` filter
- [x] Supports `--from` and `--to` time range
- [x] `stella taskrunner tasks show <task-id>` returns task details
- [x] Details include steps, timing, artifacts
- [x] Supports `--format json|table`
### TRN-003 - Add `stella taskrunner tasks cancel` command
Status: DONE
Dependency: TRN-002
Owners: Developer
Task description:
- Add `cancel` subcommand for task cancellation
- Cancel running or pending tasks
- Include graceful shutdown option
Completion criteria:
- [x] `stella taskrunner tasks cancel <task-id>` cancels task
- [x] Supports `--graceful` for graceful shutdown
- [x] Supports `--force` for immediate termination
- [x] Returns cancellation status
- [x] Only works on running/pending tasks
### TRN-004 - Add `stella taskrunner artifacts list/get` commands
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add `artifacts` subcommand group for artifact management
- List artifacts captured by tasks
- Download artifacts to local filesystem
Completion criteria:
- [x] `stella taskrunner artifacts list --task <task-id>` lists artifacts
- [x] Output includes artifact name, type, size, digest
- [x] `stella taskrunner artifacts get <artifact-id>` downloads artifact
- [x] Supports `--output <path>` for download location
- [x] Verifies artifact digest after download
- [x] Supports `--format json|table`
### TRN-005 - Add `stella taskrunner logs` command
Status: DONE
Dependency: TRN-002
Owners: Developer
Task description:
- Add `logs` subcommand for task log retrieval
- Stream or download task execution logs
- Filter by step and log level
Completion criteria:
- [x] `stella taskrunner logs <task-id>` shows task logs
- [x] Supports `--follow` for streaming
- [x] Supports `--step <step-name>` filter
- [x] Supports `--level error|warn|info|debug` filter
- [x] Supports `--output <path>` for log download
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 12 | Planning |
| 2026-01-16 | TRN-001 through TRN-005: Created TaskRunnerCommandGroup.cs | Developer |
## Decisions & Risks
- Task cancellation may leave resources in inconsistent state
- Artifact download may be slow for large artifacts
- Log streaming requires WebSocket or SSE support
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

138
docs-archived/implplan/SPRINT_20260117_022_CLI_registry.md Normal file
View File

@@ -0,0 +1,138 @@
# Sprint 022 - Registry CLI
## Topic & Scope
- Surface OCI registry authentication and token capabilities via CLI
- Add login, token management, and registry operations commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 14 (Auth & Access Control)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on Registry service
## Documentation Prerequisites
- `docs/modules/registry/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 14)
- OCI Distribution Spec, Docker Registry Auth
## Delivery Tracker
### REG-001 - Add `stella registry login` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create RegistryCommandGroup.cs with `login` subcommand
- Authenticate to OCI registry and store credentials
- Support multiple authentication methods
Completion criteria:
- [x] `stella registry login <registry-url>` authenticates
- [x] Supports `--username` and `--password` options
- [x] Supports `--password-stdin` for secure input
- [x] Supports `--token` for token-based auth
- [x] Stores credentials in secure credential store
- [x] Supports Docker config.json format
### REG-002 - Add `stella registry logout` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `logout` subcommand for credential removal
- Remove stored credentials for registry
- Support selective or all logout
Completion criteria:
- [x] `stella registry logout <registry-url>` removes credentials
- [x] `stella registry logout --all` removes all credentials
- [x] Confirms credential removal
- [x] Updates credential store
### REG-003 - Add `stella registry token` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `token` subcommand for token operations
- Generate tokens with specific scopes
- Inspect and validate tokens
Completion criteria:
- [x] `stella registry token generate --scope <scope>` generates token
- [x] Scopes: pull, push, catalog, admin
- [x] Supports `--expires <duration>` for token lifetime
- [x] `stella registry token inspect <token>` shows token details
- [x] `stella registry token validate <token>` validates token
- [x] Supports `--format json`
### REG-004 - Add `stella registry list` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `list` subcommand for repository listing
- List repositories in registry
- Support filtering and pagination
Completion criteria:
- [x] `stella registry list <registry-url>` lists repositories
- [x] Supports `--filter <pattern>` for filtering
- [x] Supports `--limit N` for pagination
- [x] Output includes repository name, tag count
- [x] Supports `--format json|table`
### REG-005 - Add `stella registry tags` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `tags` subcommand for tag listing
- List tags for a repository
- Include digest information
Completion criteria:
- [x] `stella registry tags <repository>` lists tags
- [x] Output includes tag name, digest, created date
- [x] Supports `--filter <pattern>` for filtering
- [x] Supports `--format json|table`
### REG-006 - Add `stella registry delete` command
Status: DONE
Dependency: REG-001
Owners: Developer
Task description:
- Add `delete` subcommand for manifest/tag deletion
- Delete tags or manifests from registry
- Include safety confirmation
Completion criteria:
- [x] `stella registry delete <repository>:<tag>` deletes tag
- [x] `stella registry delete <repository>@<digest>` deletes manifest
- [x] Requires `--confirm` for safety
- [x] Supports `--dry-run` for preview
- [x] Returns deletion status
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 14 | Planning |
| 2026-01-16 | REG-001 through REG-006: Created RegistryCommandGroup.cs with all commands | Developer |
## Decisions & Risks
- Credential storage must be secure (keychain, credential manager)
- Token generation requires appropriate permissions
- Delete operations are destructive; need strong confirmation
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

159
docs-archived/implplan/SPRINT_20260117_023_CLI_evidence_holds.md Normal file
View File

@@ -0,0 +1,159 @@
# Sprint 023 - Evidence Holds & Incident Mode CLI
## Topic & Scope
- Surface evidence holds and incident mode capabilities via CLI
- Add legal hold management and incident response commands
- Working directory: `src/Cli/`
- Expected evidence: CLI commands, unit tests
- Note: From FEATURE_GAPS_REPORT.md Batch 10 (Evidence & Findings)
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with other CLI sprints
- Depends on EvidenceLocker and Findings services
## Documentation Prerequisites
- `docs/modules/evidence/architecture.md`
- `docs/modules/findings/architecture.md`
- `docs/FEATURE_GAPS_REPORT.md` (Batch 10)
## Delivery Tracker
### EHI-001 - Add `stella evidence holds list` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create EvidenceCommandGroup.cs holds subcommand group
- List active evidence holds
- Include hold metadata and scope
Completion criteria:
- [x] `stella evidence holds list` returns active holds
- [x] Output includes hold ID, name, created date, scope
- [x] Supports `--status active|released` filter
- [x] Supports `--format json|table`
### EHI-002 - Add `stella evidence holds create` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `create` subcommand for evidence hold creation
- Create legal holds on evidence artifacts
- Support various hold scopes
Completion criteria:
- [x] `stella evidence holds create --name <name> --scope <scope>` creates hold
- [x] Scopes: digest, component, time-range, all
- [x] Supports `--digest <digest>` for specific artifact
- [x] Supports `--component <purl>` for component-based hold
- [x] Supports `--from` and `--to` for time-range hold
- [x] Supports `--reason <text>` for audit trail
- [x] Returns hold ID
- [x] Supports `--format json`
### EHI-003 - Add `stella evidence holds release` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `release` subcommand for hold release
- Release evidence holds with audit trail
- Include safety confirmation
Completion criteria:
- [x] `stella evidence holds release <hold-id>` releases hold
- [x] Requires `--confirm` for safety
- [x] Supports `--reason <text>` for release reason
- [x] Creates audit log entry
- [x] Held evidence becomes eligible for retention policy
### EHI-004 - Add `stella evidence holds show` command
Status: DONE
Dependency: EHI-001
Owners: Developer
Task description:
- Add `show` subcommand for hold details
- Display detailed hold information
- List affected artifacts
Completion criteria:
- [x] `stella evidence holds show <hold-id>` returns hold details
- [x] Output includes hold metadata
- [x] Output includes affected artifact count
- [x] Supports `--artifacts` to list affected artifacts
- [x] Supports `--format json|table`
### EHI-005 - Add `stella findings incident start` command
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create incident subcommand group in FindingsCommandGroup.cs
- Start incident mode for elevated response
- Configure incident parameters
Completion criteria:
- [x] `stella findings incident start --name <name>` starts incident
- [x] Supports `--severity critical|high|medium|low`
- [x] Supports `--scope <scope>` for affected area
- [x] Automatically creates evidence hold
- [x] Returns incident ID
- [x] Supports `--format json`
### EHI-006 - Add `stella findings incident status` command
Status: DONE
Dependency: EHI-005
Owners: Developer
Task description:
- Add `status` subcommand for incident status
- Report current incident state
- Include timeline and actions
Completion criteria:
- [x] `stella findings incident status` shows active incidents
- [x] `stella findings incident status <incident-id>` shows specific incident
- [x] Output includes incident timeline
- [x] Output includes actions taken
- [x] Supports `--format json|table`
### EHI-007 - Add `stella findings incident end` command
Status: DONE
Dependency: EHI-005
Owners: Developer
Task description:
- Add `end` subcommand for incident closure
- Close incident with resolution
- Include post-incident report option
Completion criteria:
- [x] `stella findings incident end <incident-id>` closes incident
- [x] Requires `--resolution <text>` for closure reason
- [x] Supports `--release-hold` to release associated hold
- [x] Supports `--report` to generate incident report
- [x] Creates audit log entry
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Batch 10 | Planning |
| 2026-01-16 | EHI-001 through EHI-004: Created EvidenceHoldsCommandGroup.cs | Developer |
| 2026-01-16 | EHI-005 through EHI-007: Created IncidentCommandGroup.cs | Developer |
## Decisions & Risks
- Evidence holds have legal implications; require proper authorization
- Incident mode affects system behavior; document side effects
- Hold release is potentially irreversible; need strong confirmation
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD

250
docs-archived/implplan/SPRINT_20260117_024_DOCS_feature_matrix_updates.md Normal file
View File

@@ -0,0 +1,250 @@
# Sprint 024 - FEATURE_MATRIX.md Documentation Updates
## Topic & Scope
- Address critical documentation gaps identified in FEATURE_GAPS_REPORT.md
- Update FEATURE_MATRIX.md to reflect actual codebase capabilities
- Working directory: `docs/`
- Expected evidence: Updated FEATURE_MATRIX.md, module dossiers
- Note: From FEATURE_GAPS_REPORT.md Summary section
## Dependencies & Concurrency
- No upstream sprint dependencies
- Can run in parallel with CLI sprints
- Documentation-only sprint
## Documentation Prerequisites
- `docs/FEATURE_GAPS_REPORT.md` (all batches)
- `docs/FEATURE_MATRIX.md` (current state)
- Module architecture documents
## Delivery Tracker
### DOC-001 - Update Advisory Sources section (CRITICAL)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Update FEATURE_MATRIX.md Advisory Sources from 11 to 33+ connectors
- Add Vendor PSIRTs section (Microsoft, Oracle, Adobe, Apple, Cisco, Chromium, VMware)
- Add Regional CERTs section (JVN, ACSC, CCCS, CertFr, CertBund, CertIn, RU-BDU, KISA)
- Add Industrial/ICS section (ICS-CISA, ICS-Kaspersky)
- Add Additional Distros section (SUSE, Astra Linux)
Completion criteria:
- [x] All 33+ connectors documented with status (stable/beta/deprecated)
- [x] Authentication methods documented per connector
- [x] Regional/vendor/distro categorization clear
- [x] Links to connector-specific documentation
### DOC-002 - Update VEX Processing section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document VEX Consensus Engine (5-state lattice)
- Add Trust Weight Scoring (9 factors)
- Add CSAF Provider Connectors section (7 vendors)
- Document Issuer Trust Registry (IssuerDirectory)
- Document VEX Distribution (VexHub webhooks)
- Document AOC compliance
Completion criteria:
- [x] Consensus engine documented with state diagram
- [x] Trust factors listed and explained
- [x] CSAF connectors listed
- [x] Issuer registry capabilities documented
- [x] VEX from Drift generation documented
### DOC-003 - Update Attestation & Signing section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 25+ predicate types
- Add Keyless Signing (Sigstore) as major feature
- Document Key Rotation Service
- Document Trust Anchor Management
- Document Attestation Chains
- Document Delta Attestations
Completion criteria:
- [x] Predicate types listed with URIs
- [x] Keyless signing flow documented
- [x] Key rotation process documented
- [x] Trust anchor management documented
- [x] Attestation chain visualization explained
- [x] Delta attestation types documented
### DOC-004 - Update Auth & Access Control section (HIGH)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 75+ authorization scopes
- Add Sender Constraints (DPoP, mTLS)
- Document Device Authorization Flow
- Add User Federation (LDAP, SAML)
- Document PAR Support
- Add Multi-Factor Authentication
- Document API Key Management
Completion criteria:
- [x] Scope categories documented with examples
- [x] DPoP and mTLS explained
- [x] Device flow documented for CLI/IoT
- [x] Federation options listed
- [x] MFA capabilities documented
- [x] API key lifecycle documented
### DOC-005 - Update Policy Engine section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document K4 Lattice Logic (Belnap four-valued)
- Add Policy Gate Types section (10+ gates)
- Add Risk Score Providers section (6 providers)
- Document Determinization System
- Add Score Policy Configuration
- Document Policy Simulation
- Add Verdict Attestations
Completion criteria:
- [x] K4 lattice explained with truth table
- [x] All gate types listed with purposes
- [x] Risk providers documented
- [x] Signal weights and decay documented
- [x] YAML policy configuration examples
- [x] Simulation capabilities documented
### DOC-006 - Update Regional Crypto section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 8 signature profiles
- Add Plugin Architecture description
- Document Multi-Profile Signing
- Add SM Remote Service
- Document Post-Quantum Readiness
- Add HSM Integration details
- Document CryptoPro GOST
Completion criteria:
- [x] All 8 profiles documented with algorithms
- [x] Plugin system explained
- [x] Multi-signature capability documented
- [x] SM service for Chinese market explained
- [x] Post-quantum algorithms listed (planned)
- [x] HSM/PKCS#11 configuration documented
### DOC-007 - Update Notifications section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 10 notification channel types
- Add Template Engine section
- Document Channel Routing rules
- Add Escalation Rules
- Document Notification Studio
- Add K8s Admission Webhooks (Zastava)
- Document SCM Integrations
- Add CI/CD Integrations
- Document Issue Tracker Integration
Completion criteria:
- [x] All 10 channel types documented
- [x] Template customization explained
- [x] Routing rule configuration documented
- [x] Escalation policies documented
- [x] Studio UI capabilities listed
- [x] Zastava webhook explained
- [x] SCM/CI/CD integrations listed
### DOC-008 - Update Binary Analysis section (MEDIUM)
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Document 4 fingerprint algorithm types
- Add corpus support (Alpine, Debian)
- Document VEX Evidence Bridge
- Add Delta Signature matching
- Document 3-tier identification strategy
Completion criteria:
- [x] All fingerprint algorithms explained
- [x] Corpus sources documented
- [x] VEX integration explained
- [x] Delta signature use cases documented
- [x] Identification strategy flow documented
### DOC-009 - Add Automatic Detection (Class A) section
Status: DONE
Dependency: none
Owners: Documentation author
Task description:
- Create section for automatic/implicit features
- Document secrets detection
- Document OS package analyzers (6 types)
- Document SBOM advisory matching
- Explain where results appear in UI/exports
Completion criteria:
- [x] Automatic detection section created
- [x] Secrets detection documented
- [x] All 6 OS analyzers listed
- [x] Advisory matching explained
- [x] Result locations documented
### DOC-010 - Update Coverage Statistics and Index
Status: DONE
Dependency: DOC-001 through DOC-009
Owners: Documentation author
Task description:
- Update feature count statistics
- Add CLI/UI coverage indicators
- Create feature index with links
- Add "Last Updated" timestamp
Completion criteria:
- [x] Feature counts accurate
- [x] CLI/UI availability clearly marked
- [x] Index links to detailed sections
- [x] Timestamp reflects current update
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from FEATURE_GAPS_REPORT.md Summary | Planning |
| 2026-01-16 | DOC-001: Advisory Sources already comprehensive (33+ connectors) | Documentation author |
| 2026-01-16 | DOC-002: Enhanced VEX Processing with consensus engine, CSAF connectors, CLI commands | Documentation author |
| 2026-01-16 | DOC-003: Enhanced Attestation with 25+ predicates, keyless signing, attestation chains | Documentation author |
| 2026-01-16 | DOC-004: Enhanced Auth with 75+ scopes, DPoP, device flow, federation | Documentation author |
| 2026-01-16 | DOC-005: Enhanced Policy Engine with K4 lattice, 10+ gates, 6 risk providers | Documentation author |
| 2026-01-16 | DOC-006: Enhanced Regional Crypto with multi-profile, SM remote, HSM | Documentation author |
| 2026-01-16 | DOC-007: Enhanced Notifications with 10 channels, Zastava webhooks, CI/CD | Documentation author |
| 2026-01-16 | DOC-008: Binary Analysis already comprehensive with fingerprints, diff | Documentation author |
| 2026-01-16 | DOC-009: Automatic Detection already documented in Scanning section | Documentation author |
| 2026-01-16 | DOC-010: Updated rev to 5.1, timestamp to 16 Jan 2026 | Documentation author |
## Decisions & Risks
- Documentation must stay synchronized with code changes
- Large update may require staged rollout
- Need review process to ensure accuracy
## Next Checkpoints
- Sprint kickoff: TBD
- Mid-sprint review: TBD
- Sprint completion: TBD