feat: Add comprehensive product advisories for improved scanner functionality
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
This commit is contained in:
Consolidates
@@ -49,6 +49,14 @@ This guide documents the forthcoming Advisory AI console experience so that cons
```
The ribbon should hyperlink the `links.plan` and `links.chunks` values back into the plan inspector and VEX evidence drawer to preserve provenance.

### 2.3 SBOM / DSSE evidence hooks
- Every response panel links to the sealed SBOM/VEX bundle emitted by Advisory AI. Until the live endpoints land, use the published fixtures:
- VEX statement SSE stream: `docs/api/console/samples/vex-statement-sse.ndjson`
- Guardrail banner projection: `docs/api/console/samples/advisory-ai-guardrail-banner.json`
- Findings overview payload: `docs/api/console/samples/vuln-findings-sample.json`
- When capturing screenshots, point the console to a dev workspace seeded with the above fixtures and record the build hash displayed in the footer to keep captures reproducible.
- Store captures under `docs/assets/advisory-ai/console/` using the scheme `yyyyMMdd-HHmmss-<view>-<build>.png` (UTC clock) so regeneration is deterministic. Keep the original JSON alongside each screenshot by saving the response as `…-payload.json` in the same folder.

## 3. Accessibility & offline requirements
- Console screens must pass WCAG 2.2 AA contrast and provide focus order that matches the keyboard shortcuts planned for Advisory AI (see `docs/advisory-ai/overview.md`).
- All screenshots captured for this doc must come from sealed-mode bundles (no external fonts/CDNs). Store them under `docs/assets/advisory-ai/console/` with hashed filenames.
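Review bot: the capture naming scheme in 2.3 (`yyyyMMdd-HHmmss-<view>-<build>.png`, UTC clock) conflicts with Section 3, which asks for "hashed filenames" in the same `docs/assets/advisory-ai/console/` folder, and a wall-clock timestamp is precisely the component that changes on every regeneration, so it does not make regeneration deterministic. Suggest one scheme for the folder keyed on the recorded build hash and the view (for example `<build>-<view>.png` beside `<build>-<view>-payload.json`), and a sentence stating that the footer build hash is what ties each PNG to the JSON response captured with it.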
@@ -99,9 +107,10 @@ This guide documents the forthcoming Advisory AI console experience so that cons

## 5. Open items before publication
- [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001.
- [ ] Capture at least two screenshots (list view + evidence drawer) once UI polish is complete.
- [ ] Capture at least two screenshots (list view + evidence drawer) using the fixture-backed workspace; commit both `*-payload.json` and `*-screenshot.png` with deterministic filenames.
- [ ] Verify copy-as-ticket instructions with Support to ensure the payload fields align with existing SOC runbooks.
- [ ] Add latency tooltip + remote/local badge screenshots after Grafana wiring is stable.
- [ ] Attach SBOM/VEX bundle example (sealed DSSE) to the doc and link it from Section 2.3 for auditors.

> Tracking: DOCS-AIAI-31-004 (Docs Guild, Console Guild)
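Review bot: the two "Capture at least two screenshots (list view + evidence drawer)" items in Section 5 overlap; if the first is the line this hunk replaces that is fine, but if both survive the merge the checklist carries a duplicate task. Also, "commit both `*-payload.json` and `*-screenshot.png`" introduces a third naming pattern, distinct from the `…-payload.json` / `yyyyMMdd-HHmmss-<view>-<build>.png` scheme in Section 2.3; suggest the item simply cite the 2.3 scheme instead of restating it.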
78
docs/implplan/SPRINT_0112_0001_0001_concelier_i.md
Normal file
@@ -0,0 +1,78 @@
# Sprint 0112-0001-0001 · Concelier I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)

## Topic & Scope
- Deliver canonical advisory chunks with provenance anchors so Advisory AI consumes source-true data (no merge transforms) with deterministic ordering and cache keys.
- Keep Concelier aligned with competitor schemas (GHSA GraphQL, Red Hat CVE API, Cisco PSIRT openVuln) while remaining offline-capable and attestation-ready.
- Prepare mirror/offline provenance paths and transparency metadata so Attestor and Console surfaces can expose document-id + observation-path handles.
- Working directory: `src/Concelier` (WebService + Core libraries).

### Canonical model commitments (unchanged)
- `/advisories/{key}/chunks` render from the canonical `Advisory` aggregate (document id + latest observation set) only.
- Each structured field cites both the Mongo `_id` of the backing observation and the JSON Pointer into that observation (`observationPath`).
- Deterministic ordering: sort entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes.
- Continue mapping competitor field names to keep migrations predictable.

## Dependencies & Concurrency
- Link-Not-Merge schema review (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) scheduled 2025-11-14 gates Workstreams A and D.
- Mirror staffing for MIRROR-CRT-56-001 (kickoff 2025-11-15) blocks Workstream B chain (AIRGAP-56/57/58).
- Evidence Locker attestation contract alignment (with Excititor plan) needed for ATTEST-73 before Workstream C starts.
- Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013` + `AUTH-SIG-26-001`) required before Workstream E closes.

## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md and related module dossier
- docs/provenance/inline-dsse.md (for structured provenance schema)

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-AIAI-31-002 | DOING | Await Link-Not-Merge sign-off; finish `ResolveAdvisoryAsync` + cache key update. | Concelier WebService Guild | Program.cs handler emits structured entries with `{chunkId,fingerprint,entries[],provenance.documentId,provenance.observationPath}`; deterministic ordering; Mongo2Go tests updated. |
| 2 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | None | Concelier WebService Guild · Observability Guild | OTEL counters: `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total` tagged with tenant/result/cache. |
| 3 | CONCELIER-AIRGAP-56-001 | TODO | Staff MIRROR-CRT-56-001; implement Offline Kit read path. | Concelier Core Guild | Mirror ingestion adapters persist `bundleId`, `merkleRoot`, append-only ledger comparisons. |
| 4 | CONCELIER-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Importer Guild | Store `{bundleId, merkleRoot, observationPath}` on observations/linksets for single-source provenance. |
| 5 | CONCELIER-AIRGAP-57-001 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Policy Guild | Sealed-mode feature flag rejects non-mirror connectors with actionable diagnostics. |
| 6 | CONCELIER-AIRGAP-57-002 | TODO | Depends on 56-002 | Concelier Core Guild · AirGap Time Guild | Compute `fetchedAt/publishedAt/clockSource` deltas and expose via observation APIs. |
| 7 | CONCELIER-AIRGAP-58-001 | TODO | Depends on 57-002 | Concelier Core Guild · Evidence Locker Guild | Portable advisory evidence bundles include provenance notes and verifier instructions. |
| 8 | CONCELIER-ATTEST-73-001 | TODO | Needs Workstream A output + attestation sequencing | Concelier Core Guild · Attestor Service Guild | Emit `{observationDigest, linksetDigest, documentId}` pairs for DSSE bundles. |
| 9 | CONCELIER-ATTEST-73-002 | TODO | Depends on 73-001 | Concelier Core Guild | Transparency metadata exposes `bundleId`, Rekor refs, observation paths for external explorers. |
| 10 | CONCELIER-CONSOLE-23-001 | TODO | Blocked by Link-Not-Merge schema | Concelier WebService Guild · BE-Base Platform Guild | `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`. |
| 11 | CONCELIER-CONSOLE-23-002 | TODO | Depends on 23-001 | Concelier WebService Guild | Deterministic dashboard deltas API returns new/modified/conflicting sets referencing linkset IDs and field paths. |
| 12 | CONCELIER-CONSOLE-23-003 | TODO | Depends on Workstream A taxonomy | Concelier WebService Guild | Search fan-out helpers for CVE/GHSA/PURL with observation excerpts, provenance anchors, cache hints. |
| 13 | CONCELIER-CORE-AOC-19-013 | TODO | Waits for structured endpoint readiness + AUTH-SIG-26-001 | Concelier Core Guild | Smoke/e2e suites enforce Authority tokens + tenant headers on ingest/read paths; provenance anchors round-trip. |

### Implementation checklist (applies to CONCELIER-AIAI-31-002)
1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard.
2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`.
3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors.
4. Refresh telemetry tests to assert `Response.Entries.Count`.
5. Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references.

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 | CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic (cache hit ratios + guardrail blocks per tenant). | Concelier WebService Guild |
| 2025-11-13 | Rebaseline: locked structured field scope to canonical model + provenance anchors aligned to competitor schemas. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_112_concelier_i.md` to `SPRINT_0112_0001_0001_concelier_i.md`; no semantic changes. | Planning |

## Decisions & Risks
- Link-Not-Merge schema slip past 2025-11-14 would stall Workstreams A and D; fallback adapter prep required.
- Mirror staffing unresolved blocks AIRGAP-56/57/58 and Offline Kit parity; escalate at 2025-11-15 kickoff.
- Evidence Locker contract delay would stall ATTEST-73, leaving Advisory AI without attested provenance.
- Authority smoke coverage gap risks AOC guardrails regressing when structured endpoint ships; pairing with Authority guild planned once Workstream A PR is ready.
- Status snapshot (as of 2025-11-13): A 🔶 DOING; B 🔴 BLOCKED; C 🔴 BLOCKED; D 🔶 WATCHING; E 🔶 WATCHING.

## Next Checkpoints
- 2025-11-14: Link-Not-Merge schema review (CARTO-GRAPH-21-002) — gate for Workstreams A/D.
- 2025-11-15: MIRROR-CRT-56-001 staffing kickoff; also Excititor/Evidence Locker sequencing for ATTEST-73.
- 2025-11-16: Target actions — finish structured endpoint changes, draft Advisory AI structured schema appendix, prep `/console/advisories` API spec, clone Authority smoke suites once ready.
- Standup prompts: (1) Did Link-Not-Merge review resolve blocking fields? (2) Who owns MIRROR-CRT-56-001 post-kickoff and staffing for AIRGAP follow-ons? (3) Did Evidence Locker accept attestation contract draft for ATTEST-73-001 start? (4) Are Authority/AOC smoke tests ready to clone once structured fields release, or is more scope needed from AUTH-SIG-26-001?

## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. |
| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. |
| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. |
| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. |
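Review bot: the tenant guard introduced in checklist step 1 (`ResolveAdvisoryAsync` with alias fallback + tenant guard) has no test attached to it: task 1 only says "Mongo2Go tests updated", step 4 only asserts `Response.Entries.Count`, and the Authority/tenant-header smoke coverage (CONCELIER-CORE-AOC-19-013) is TODO and itself waits on this endpoint. Because every structured entry cites a Mongo `_id` and an `observationPath`, a regression in that guard would hand one tenant another tenant's observation identifiers, so suggest adding a cross-tenant negative case to the 31-002 checklist (a request for an advisory key owned by another tenant, including via alias fallback, must not return entries) instead of deferring it to 19-013. Secondary: the status snapshot and dependency rows refer to Workstreams A to E but the file never maps those letters to task ids; a one-line legend under Delivery Tracker would make the snapshot readable.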
59
docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
Normal file
@@ -0,0 +1,59 @@
# Sprint 0113-0001-0002 · Concelier II — Ingestion & Evidence (Phase 110.B)

## Topic & Scope
- Advance Link-Not-Merge ingestion so advisories stay append-only with provenance-first observations and linksets.
- Enable graph overlays (Cartographer) with raw observations/linksets, change events, and batch evidence APIs—no merge-derived judgments.
- Lay storage/event foundations (Mongo, object store, NATS/Redis) for scalable, tenant-scoped advisory data.
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).

## Dependencies & Concurrency
- Depends on Sprint 0112-0001-0001 (Concelier I) for canonical advisory outputs.
- Link-Not-Merge schema chain (CONCELIER-LNM-21-001…005, 101…103, 201…203) must proceed in order; events and APIs depend on earlier ingestion plumbing.
- Graph change events require Scheduler/Platform Events alignment; coordinate with Cartographer guilds to keep telemetry deterministic.

## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (plus storage and ingestion notes)
- Any Link-Not-Merge schema/ADR docs referenced by CONCELIER-LNM-21-***

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-GRAPH-21-001 | BLOCKED (2025-10-27) | Waiting for Link-Not-Merge schema finalization | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
| 2 | CONCELIER-GRAPH-21-002 | BLOCKED (2025-10-27) | Depends on 21-001 | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
| 3 | CONCELIER-GRAPH-24-101 | TODO | Depends on 21-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
| 4 | CONCELIER-GRAPH-28-102 | TODO | Depends on 24-101 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
| 5 | CONCELIER-LNM-21-001 | TODO | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
| 6 | CONCELIER-LNM-21-002 | TODO | Depends on 21-001 | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
| 7 | CONCELIER-LNM-21-003 | TODO | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. |
| 8 | CONCELIER-LNM-21-004 | TODO | Depends on 21-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
| 9 | CONCELIER-LNM-21-005 | TODO | Depends on 21-004 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
| 10 | CONCELIER-LNM-21-101 | TODO | Depends on 21-005 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. |
| 11 | CONCELIER-LNM-21-102 | TODO | Depends on 21-101 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. |
| 12 | CONCELIER-LNM-21-103 | TODO | Depends on 21-102 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
| 13 | CONCELIER-LNM-21-201 | TODO | Depends on 21-103 | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. |
| 14 | CONCELIER-LNM-21-202 | TODO | Depends on 21-201 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. |
| 15 | CONCELIER-LNM-21-203 | TODO | Depends on 21-202 | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_113_concelier_ii.md` to `SPRINT_0113_0001_0002_concelier_ii.md`; no semantic changes. | Planning |

## Decisions & Risks
- Link-Not-Merge schema sequence is critical path; delays keep ingestion and graph events blocked (see tasks 5–15).
- Graph event pipeline depends on Scheduler/Platform Events alignment to avoid non-deterministic downstream joins.
- Storage backfill (21-102) and object-store move (21-103) must preserve provenance metadata to avoid regression in Offline Kit and replay.

## Next Checkpoints
- Next LNM schema review: align with CARTO-GRAPH/LNM owners (date TBD); unblock tasks 1–2 and 5–15.
- Schedule event schema walkthrough with Platform Events/Scheduler guilds once 21-005 draft ready.

## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 1–15 | Concelier Core · Cartographer · Platform Events | Outstanding; blockers dated 2025-10-27 remain. |
| Scheduler / Platform Events contract for `sbom.observation.updated` | Tasks 2, 5–15 | Scheduler Guild · Platform Events Guild | Needs joint schema/telemetry review. |
| Object storage contract for raw payloads | Tasks 10–12 | Storage Guild · DevOps Guild | To be defined alongside 21-103. |
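Review bot: task 10 (CONCELIER-LNM-21-101) attaches a TTL to "ingest metadata" on the very collections that task 5 defines as immutable `advisory_observations` and that task 8 guards as append-only; as written it is unclear which fields expire. The row should name the transient fields that may be TTL-deleted and state that observation documents, their provenance metadata and the raw payload pointers created in 21-103 are never subject to TTL, otherwise replay and the Offline Kit backfill/rollback in 21-102 lose evidence silently. Suggest also recording those field names in the Link-Not-Merge ADR listed under Documentation Prerequisites so the guardrail tests in 21-004 have something concrete to assert against.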
58
docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
Normal file
@@ -0,0 +1,58 @@
# Sprint 0114-0001-0003 · Concelier III — Ingestion & Evidence (Phase 110.B)

## Topic & Scope
- Document and expose Link-Not-Merge ingestion surfaces (OpenAPI + SDK) with provenance, tenant scope, and AOC guarantees.
- Establish observability, attestation, and incident-mode hooks that keep advisory evidence replayable without merge-era heuristics.
- Align ingestion workers with orchestrator controls for deterministic scheduling, backfill, and ledger linkage.
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).

## Dependencies & Concurrency
- Depends on Sprint 0113-0001-0002 (Concelier II) Link-Not-Merge plumbing and graph/event groundwork.
- Observability chain (OBS-51…55) builds sequentially; attestation work relies on evidence snapshot generation first.
- Orchestrator integration tasks (ORCH-32…34) must coordinate with orchestrator worker SDK/controls; schedule alongside Policy Engine consumers.

## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-OAS-61-001 | TODO | Needs latest LNM schema from Sprint 0113 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
| 2 | CONCELIER-OAS-61-002 | TODO | Depends on 61-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
| 3 | CONCELIER-OAS-62-001 | TODO | Depends on 61-002 | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
| 4 | CONCELIER-OAS-63-001 | TODO | Depends on 62-001 | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
| 5 | CONCELIER-OBS-51-001 | TODO | Start of OBS chain | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
| 6 | CONCELIER-OBS-52-001 | TODO | Depends on 51-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
| 7 | CONCELIER-OBS-53-001 | TODO | Depends on 52-001 | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
| 8 | CONCELIER-OBS-54-001 | TODO | Depends on 53-001 | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
| 9 | CONCELIER-OBS-55-001 | TODO | Depends on 54-001 | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
| 10 | CONCELIER-ORCH-32-001 | TODO | Coordinate with orchestrator registry | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
| 11 | CONCELIER-ORCH-32-002 | TODO | Depends on 32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
| 12 | CONCELIER-ORCH-33-001 | TODO | Depends on 32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
| 13 | CONCELIER-ORCH-34-001 | TODO | Depends on 33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
| 14 | CONCELIER-POLICY-20-001 | TODO | Needs Link-Not-Merge APIs from Sprint 0113 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |

## Decisions & Risks
- Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts.
- Observability/attestation chain (OBS-51…55) risks audit gaps if sequencing slips; each step depends on previous artifacts.
- Orchestrator control compliance is required to prevent evidence loss during throttles/pauses.

## Next Checkpoints
- Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs).
- Plan orchestrator contract review with Orchestrator guild before implementing ORCH-32-002.

## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema + APIs from Sprint 0113 | Tasks 1–4, 14 | Concelier Core/WebService · API Contracts | Pending upstream completion. |
| Observability metrics foundation (CONCELIER-OBS-51-001) | Tasks 6–9 | Concelier Core · DevOps | Not started; required for downstream timeline/attestation hooks. |
| Orchestrator registry/SDK contracts | Tasks 10–13 | Concelier Core · Orchestrator Guild | Coordination needed; no contract recorded yet. |
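Review bot: task 9 (CONCELIER-OBS-55-001) adds retention overrides and extra sampling for incident mode but says nothing about who may switch it on or how the override itself is recorded, which leaves an unlogged path for keeping raw upstream payloads beyond the normal retention window. Suggest the row require that entering and leaving incident mode, with the override values and tenant scope, be written to the OBS-52-001 timeline alongside the trace IDs it already captures, and that the redaction guards apply before any incident-mode evidence is exported through the OBS-53-001 locker bundles. Secondary: task 8's "verification APIs" for DSSE attestations should name the trust roots or key set they verify against, or point to the Provenance Guild document that does, since the Decisions & Risks bullet on audit gaps otherwise has nothing to hold the verifier to.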
58
docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
Normal file
@@ -0,0 +1,58 @@
|
||||
# Sprint 0115-0001-0004 · Concelier IV — Ingestion & Evidence (Phase 110.B)
|
||||
|
||||
## Topic & Scope
|
||||
- Extend Link-Not-Merge outputs to serve policy, risk, and notification consumers with provenance-preserving linksets and signals.
|
||||
- Backfill raw linksets and enforce tenant-aware linking so downstream services ingest fact-only advisory data.
|
||||
- Bridge Concelier evidence to Policy Studio and VEX Lens without introducing merge-era inference.
|
||||
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on Sprint 0114-0001-0003 (Concelier III) OpenAPI/observability foundations.
|
||||
- Policy enrichment chain (POLICY-20-002/003, POLICY-23-001/002) builds sequentially; events rely on prior indexes/cursors.
|
||||
- Risk signals (RISK-66…69) and tenant-aware linking hinge on upstream Link-Not-Merge data and AUTH/AOC scoping.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
|
||||
- docs/modules/platform/architecture-overview.md
|
||||
- docs/modules/concelier/architecture.md (policy/risk/tenant scope sections)
|
||||
- docs/dev/raw-linkset-backfill-plan.md
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | CONCELIER-POLICY-20-002 | TODO | Depends on POLICY-20-001 (Sprint 0114) | Concelier Core Guild · Policy Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expand linkset builders with vendor equivalence, NEVRA/PURL normalization, version-range parsing so policy joins are accurate without prioritizing sources. |
|
||||
| 2 | CONCELIER-POLICY-20-003 | TODO | Depends on 20-002 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Advisory selection cursors + change-stream checkpoints for deterministic policy deltas; include offline migration scripts. |
|
||||
| 3 | CONCELIER-POLICY-23-001 | TODO | Depends on 20-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Secondary indexes/materialized views (alias, provider severity, confidence) to keep policy lookups fast without cached verdicts; document query patterns. |
|
||||
| 4 | CONCELIER-POLICY-23-002 | TODO | Depends on 23-001 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Ensure `advisory.linkset.updated` events carry idempotent IDs, confidence summaries, tenant metadata for safe policy replay. |
| 5 | CONCELIER-RISK-66-001 | TODO | Start of risk chain | Concelier Core Guild · Risk Engine Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Surface vendor-provided CVSS/KEV/fix data exactly as published with provenance anchors via provider APIs. |
| 6 | CONCELIER-RISK-66-002 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. |
| 7 | CONCELIER-RISK-67-001 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. |
| 8 | CONCELIER-RISK-68-001 | TODO | Depends on POLICY-RISK-68-001 | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
| 9 | CONCELIER-RISK-69-001 | TODO | Depends on 66-002 | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
| 10 | CONCELIER-SIG-26-001 | TODO | Depends on SIGNALS-24-002 | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
| 11 | CONCELIER-STORE-AOC-19-005 | TODO (2025-11-04) | Depends on CONCELIER-CORE-AOC-19-004 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. |
| 12 | CONCELIER-TEN-48-001 | TODO | Depends on AUTH-TEN-47-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
| 13 | CONCELIER-VEXLENS-30-001 | TODO | Depends on CONCELIER-VULN-29-001, VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |

## Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_115_concelier_iv.md` to `SPRINT_0115_0001_0004_concelier_iv.md`; no semantic changes. | Planning |

## Decisions & Risks

- Policy enrichment chain must remain fact-only; any weighting or prioritization belongs to Policy Engine, not Concelier.
- Raw linkset backfill (STORE-AOC-19-005) must preserve rollback paths to protect Offline Kit deployments.
- Tenant-aware linking and notification hooks depend on Authority/Signals contracts; delays could stall AOC compliance and downstream alerts.

## Next Checkpoints

- Plan backfill rehearsal window for STORE-AOC-19-005 once AUTH/AOC prerequisites clear (date TBD).
- Schedule Policy Studio integration review after POLICY-20-003 cursors and indexes are available.

## Blockers & Dependencies (detailed)

| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| POLICY-20-001 outputs (Sprint 0114) | Tasks 1–4 | Concelier Core/WebService · Policy Guild | Upstream prerequisite. |
| AUTH-TEN-47-001 tenant scope contract | Task 12 | Authority Guild · Concelier Core | Pending; required for tenant enforcement. |
| SIGNALS-24-002 symbol data ingestion | Task 10 | Signals Guild · Concelier Core | Pending contract. |
| CONCELIER-CORE-AOC-19-004 backfill pre-req | Task 11 | Concelier Core/Storage · DevOps | Needs completion before backfill rehearsal. |
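Review bot: the Blockers & Dependencies table leaves out POLICY-20-003, which the Next Checkpoints bullet names as the gate for the Policy Studio integration review, and POLICY-RISK-68-001, which task 8 (CONCELIER-RISK-68-001) lists in its dependency column; add a row for each (impacted work, owner, status) so the detailed table covers every external prerequisite the tracker and checkpoints actually cite, otherwise the "detailed" table understates what blocks the risk chain.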
60
docs/implplan/SPRINT_0116_0001_0005_concelier_v.md
Normal file
@@ -0,0 +1,60 @@
# Sprint 0116-0001-0005 · Concelier V — Ingestion & Evidence (Phase 110.B)

## Topic & Scope

- Harden Concelier ingestion for air-gapped and AOC scenarios with sealed-mode enforcement, timeline emission, and regression coverage.
- Finalize Link-Not-Merge API/SDK alignment (error envelopes, examples, deprecation headers) and observability surfaces for Console/Vuln Explorer.
- Address AOC guardrails and chunk evidence regressions to keep ingestion append-only and deterministic.
- Working directory: `src/Concelier` (WebService focus).

## Dependencies & Concurrency

- Depends on Sprint 0115-0001-0004 (Concelier IV) policy/risk and backfill readiness.
- AirGap chain (WEB-AIRGAP-56/57/58) builds sequentially; sealed-mode must precede staleness surfacing and timeline events.
- AOC regression tasks (WEB-AOC-19-003…007) rely on prior validators (WEB-AOC-19-002) and must land before large-batch ingest verification.

## Documentation Prerequisites

- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (airgap, AOC, observability sections)
- Link-Not-Merge API specs and error envelope guidelines

## Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-VULN-29-004 | TODO | Depends on CONCELIER-VULN-29-001 | Concelier WebService Guild · Observability Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, chunk latencies; stream to Vuln Explorer without altering payloads. |
| 2 | CONCELIER-WEB-AIRGAP-56-001 | TODO | Start of AirGap chain | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, enforce sealed-mode by blocking direct internet feeds. |
| 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets`; operators see freshness without Excititor-derived outcomes. |
| 4 | CONCELIER-WEB-AIRGAP-57-001 | TODO | Depends on 56-002 | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance; keep advisory content untouched. |
| 5 | CONCELIER-WEB-AIRGAP-58-001 | TODO | Depends on 57-001 | Concelier WebService Guild · AirGap Importer Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit timeline events for bundle imports (bundle ID, scope, actor) to capture every evidence change. |
| 6 | CONCELIER-WEB-AOC-19-003 | TODO | Depends on WEB-AOC-19-002 | QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), supersedes chains to keep ingestion append-only. |
| 7 | CONCELIER-WEB-AOC-19-004 | TODO | Depends on 19-003 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Integration tests ingesting large batches (cold/warm) verifying reproducible linksets; record metrics/fixtures for Offline Kit rehearsals. |
| 8 | CONCELIER-WEB-AOC-19-005 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve; stop "Unable to locate advisory_raw documents" during tests. |
| 9 | CONCELIER-WEB-AOC-19-006 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Align default auth/tenant configs with fixtures so allowlisted tenants ingest before forbidden ones are rejected; close gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. |
| 10 | CONCELIER-WEB-AOC-19-007 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Ensure AOC verify emits `ERR_AOC_001` (not `_004`); maintain mapper/guard parity with regression tests. |
| 11 | CONCELIER-WEB-OAS-61-002 | TODO | Prereq for examples/deprecation | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Migrate APIs to standardized error envelope; update controllers/tests accordingly. |
| 12 | CONCELIER-WEB-OAS-62-001 | TODO | Depends on 61-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish curated examples for observations/linksets/conflicts; wire into developer portal. |
| 13 | CONCELIER-WEB-OAS-63-001 | TODO | Depends on 62-001 | Concelier WebService Guild · API Governance Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. |
| 14 | CONCELIER-WEB-OBS-51-001 | TODO | Depends on CONCELIER-WEB-OBS-50-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/obs/concelier/health` surfaces for ingest health, queue depth, SLO status for Console widgets. |
| 15 | CONCELIER-WEB-OBS-52-001 | TODO | Depends on 51-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, audit logging for live evidence monitoring. |

## Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_116_concelier_v.md` to `SPRINT_0116_0001_0005_concelier_v.md`; no semantic changes. | Planning |

## Decisions & Risks

- AirGap sealed-mode enforcement must precede staleness surfaces/timeline events to avoid leaking non-mirror sources.
- AOC regression fixes are required before large-batch ingest verification; failing to align allowlist/auth configs risks false negatives in tests.
- Standardized error envelope is prerequisite for SDK/doc alignment; delays block developer portal updates.

## Next Checkpoints

- Plan sealed-mode remediation payload review once WEB-AIRGAP-56-002 is drafted (date TBD).
- Schedule regression test run after WEB-AOC-19-003 lands to validate batch ingest and chunk evidence fixes.

## Blockers & Dependencies (detailed)

| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| AirGap mirror import plumbing (WEB-AIRGAP-56-001) | Tasks 3–5 | Concelier WebService · AirGap Guilds | Not started; prerequisite for staleness and timeline work. |
| AOC validator updates (WEB-AOC-19-002) | Tasks 6–10 | Concelier WebService · QA | Required to unblock guardrail/regression tasks. |
| Error envelope standard (WEB-OAS-61-002) | Tasks 12–13 | Concelier WebService · API Governance | Prerequisite for examples and deprecation headers. |
| Observability base (WEB-OBS-50-001) | Tasks 14–15 | Concelier WebService | Upstream dependency for health/timeline surfaces. |
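Review bot: the Dependencies & Concurrency bullet says the AOC regression tasks WEB-AOC-19-003…007 must land before large-batch ingest verification, but task 7 (CONCELIER-WEB-AOC-19-004), which is that large-batch integration test, lists only "Depends on 19-003"; either add 19-005/006/007 to task 7's dependency column or narrow the bullet so the tracker and the concurrency rule agree. The same gap shows in the Blockers table, which groups tasks 6–10 under WEB-AOC-19-002 without recording that 19-004 also waits on the chunk fixture fix (task 8) and the tenant-allowlist config alignment (task 9), which is precisely the false-negative risk the Decisions & Risks section calls out.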
52
docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md
Normal file
@@ -0,0 +1,52 @@
# Sprint 0117-0001-0006 · Concelier VI — Ingestion & Evidence (Phase 110.B)

## Topic & Scope

- Expose evidence locker and attestation data through Concelier APIs with provenance-preserving contracts and incident-mode controls.
- Finish connector-side Link-Not-Merge provenance for version ranges (CCCS, CERT-Bund, Cisco) to feed canonical observations.
- Keep migration docs aligned as connectors adopt new schemas.
- Working directory: `src/Concelier` (WebService + Connector libraries) and `docs` (migration).

## Dependencies & Concurrency

- Depends on Sprint 0116-0001-0005 for observability timeline stream and error envelope readiness.
- Evidence locker/attestation endpoints (WEB-OBS-53/54/55) rely on Link-Not-Merge observation schema and prior SSE timeline work.
- Connector tasks depend on CONCELIER-LNM-21-001 schema; must proceed per-connector while keeping migration docs in sync.

## Documentation Prerequisites

- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (connectors, evidence locker integration)
- docs/migration/no-merge.md

## Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-WEB-OBS-53-001 | TODO | Depends on WEB-OBS-52-001 (Sprint 0116) | Concelier WebService Guild · Evidence Locker Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add `/evidence/advisories/*` routes proxying evidence locker snapshots, verifying `evidence:read` scopes, returning signed manifest metadata—no raw storage shortcuts. |
| 2 | CONCELIER-WEB-OBS-54-001 | TODO | Depends on 53-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide `/attestations/advisories/*` endpoints with DSSE status, verification summary, provenance chain so CLI/Console audit trust without DB hits. |
| 3 | CONCELIER-WEB-OBS-55-001 | TODO | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs coordinating ingest, locker, orchestrator; capture activation events + cooldown semantics while leaving evidence untouched. |
| 4 | FEEDCONN-CCCS-02-009 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. |
| 5 | FEEDCONN-CERTBUND-02-010 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | Translate CERT-Bund `product.Versions` into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) retaining localisation notes; update mapper/tests for Link-Not-Merge. |
| 6 | FEEDCONN-CISCO-02-009 | DOING (2025-11-08) | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. |
| 7 | DOCS-LNM-22-008 | DONE (2025-11-03) | Keep synced with connector migrations | Docs Guild · DevOps Guild (`docs`) | `docs/migration/no-merge.md` documents Link-Not-Merge migration plan. |

## Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-03 | Documented Link-Not-Merge migration plan (`docs/migration/no-merge.md`). | Docs Guild |
| 2025-11-08 | Connector Cisco task marked DOING; others pending Link-Not-Merge schema. | Connector PM |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_117_concelier_vi.md` to `SPRINT_0117_0001_0006_concelier_vi.md`; no semantic changes. | Planning |

## Decisions & Risks

- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; lacking these risks bypass paths.
- Connector version-range provenance must align with Link-Not-Merge schema; inconsistencies could break deterministic comparisons across feeds.
- Incident-mode toggles need orchestrator/locker coordination; absence of shared semantics risks divergent behavior across services.

## Next Checkpoints

- Schedule evidence locker API contract review once WEB-OBS-52-001 ships (date TBD).
- Connector sync to validate range normalization across CCCS, CERT-Bund, Cisco after initial implementations.

## Blockers & Dependencies (detailed)

| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| WEB-OBS-52-001 timeline stream (Sprint 0116) | Tasks 1–3 | Concelier WebService · DevOps | Upstream dependency not yet delivered. |
| Link-Not-Merge observation schema (CONCELIER-LNM-21-001) | Tasks 4–6 | Connector Guilds | Required for normalized range emission. |
| Orchestrator/locker incident-mode contract | Task 3 | DevOps · Concelier WebService | Needs definition; no shared semantics recorded. |
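Review bot: task 1 (`/evidence/advisories/*`) spells out the `evidence:read` scope check, but task 2 (`/attestations/advisories/*`) names no required scope at all, even though the first Decisions & Risks bullet says missing evidence scope checks create bypass paths; state which scope task 2 must verify (or that it reuses the task 1 check) so the attestation routes do not ship with an unspecified authorization policy. Smaller point: the last Blockers row records the orchestrator/locker incident-mode contract as "Needs definition; no shared semantics recorded", yet task 3's dependency column says only "Depends on 54-001"; cite that contract there too so the tracker matches the table.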
82
docs/implplan/SPRINT_0119_0001_0001_excititor_i.md
Normal file
@@ -0,0 +1,82 @@
# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I)

## Topic & Scope

- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus.
- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments.
- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts.
- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted).

## Dependencies & Concurrency

- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery.
- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion.
- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land.

## Documentation Prerequisites

- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
- `docs/modules/excititor/mirrors.md`
- `docs/modules/excititor/operations/*`
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors).

## Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
| 2 | EXCITITOR-AIAI-31-002 | TODO | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
| 3 | EXCITITOR-AIAI-31-003 | DOING (in review 2025-11-13) | Await Ops span sink; finalize metrics wiring. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
| 4 | EXCITITOR-AIAI-31-004 | TODO | Finalize OpenAPI/SDK/docs once 31-002/003 stabilize. | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
| 5 | EXCITITOR-AIRGAP-56-001 | TODO | Waiting on Export Center mirror bundle schema (Sprint 162). | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
| 6 | EXCITITOR-AIRGAP-57-001 | TODO | Blocked on 56-001; define sealed-mode errors. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
| 7 | EXCITITOR-AIRGAP-58-001 | TODO | Depends on 57-001 and EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
| 8 | EXCITITOR-ATTEST-01-003 | DOING (since 2025-11-06) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
| 9 | EXCITITOR-ATTEST-73-001 | TODO | Blocked on 01-003; prep payload spec. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
| 10 | EXCITITOR-ATTEST-73-002 | TODO | Blocked on 73-001; design linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
| 11 | EXCITITOR-CONN-TRUST-01-001 | TODO | Await connector signer metadata schema (review 2025-11-14). | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |

### Task Clusters & Readiness

- **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
- **AirGap ingestion & portable bundles:** 56/57/58 gated on Export Center schema and EvidenceLocker format; need sealed-mode error catalog and timeline mapping.
- **Attestation & provenance chain:** 01-003 harness/diagnostics first, then 73-001 payload spec and 73-002 linkage docs.
- **Connector provenance parity:** Inventory signer metadata, define shared fingerprint/tier schema, update connector acceptance tests.

## Action Tracker

| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + runbook ready; waiting on Ops span sink deploy) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |

## Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
| 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild |
| 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning |

## Decisions & Risks

- **Decisions**
  - Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`.
  - If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads.
  - Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- **Risks & Mitigations**
  - Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
  - Mirror bundle schema slips (Export Center/AirGap) → use placeholder schema; escalate; severity: High.
  - Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High.
  - Connector signer metadata incomplete → stage connector-specific TODOs and feature flag partial rollout; severity: Medium.

## Next Checkpoints

| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |
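Review bot: task 3 (EXCITITOR-AIAI-31-003) is still "DOING (in review 2025-11-13)" and the Task Clusters bullet calls its instrumentation pending, while the 2025-11-14 execution log entry records the counters, chunk histogram and signature-failure/guard-violation meters as merged with only telemetry export blocked on the span sink; update the status cell and the cluster bullet so they reflect the log (for example "DOING (merged 2025-11-14; export blocked on Ops span sink)"), otherwise readers of the tracker alone will re-review already merged code. Style: the Risks & Mitigations bullets alternate "Severity: Medium." and "severity: High."; pick one form.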
78
docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md
Normal file
@@ -0,0 +1,78 @@
|
||||
# Sprint 0120-0000-0001 · Policy & Reasoning
|
||||
|
||||
## Topic & Scope
|
||||
- Deliver ledger observability baselines (LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant.
|
||||
- Extend ledger provenance to orchestrator jobs, air-gapped bundle imports, and attestation evidence (LEDGER-34-101, LEDGER-AIRGAP-56/57/58, LEDGER-ATTEST-73-001).
|
||||
- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) so downstream guilds can adopt without bespoke guidance.
|
||||
- Working directory: `src/Findings/StellaOps.Findings.Ledger`.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream obligations: Sprint 110.A AdvisoryAI must land; Observability Guild must sign off `ledger_*` metric schema; mirror bundle schema freeze required before LEDGER-AIRGAP-*; attestation pointer schema must align with NOTIFY-ATTEST-74-001.
|
||||
- Concurrency guardrails: execute tasks in order DOING → TODO → BLOCKED; orchestrator export contract is tracked with Sprint 150.A to avoid cross-guild contention.
|
||||
- Entry criteria: upstream AdvisoryAI deliverables complete; Observability-approved metric names/labels; published mirror bundle schemas for AirGap kits.
|
||||
- Exit criteria: metrics/logs/dashboards live in ops telemetry packs with alerts; determinism/load harness produces signed 5 M findings report; deployment manifests + offline kits reviewed by DevOps/AirGap guilds; ledger records pointers to orchestrator runs, bundle provenance, and attestation envelopes.
|
||||
|
||||
**External dependency tracker**
|
||||
| Dependency | Current state (2025-11-13) | Impact |
|
||||
| --- | --- | --- |
|
||||
| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
|
||||
| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
|
||||
| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
|
||||
| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
|
||||
| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
|
||||
|
||||
**Cluster snapshot**
|
||||
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
|
||||
| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. |
|
||||
| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
|
||||
| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. |
|
||||
| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/modules/findings-ledger/observability.md`
|
||||
- `docs/modules/findings-ledger/replay-harness.md`
|
||||
- `docs/modules/findings-ledger/deployment.md`
|
||||
- `docs/modules/findings-ledger/implementation_plan.md`
|
||||
- `docs/modules/findings-ledger/airgap-provenance.md`
|
||||
- `docs/observability/policy.md`
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | LEDGER-29-007 | TODO | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
|
||||
| 2 | LEDGER-29-008 | TODO | Depends on LEDGER-29-007 instrumentation | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. |
|
||||
| 3 | LEDGER-29-009 | TODO | Depends on LEDGER-29-008 harness results | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. |
|
||||
| 4 | LEDGER-34-101 | TODO | Orchestrator ledger export contract (Sprint 150.A) | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
| 5 | LEDGER-AIRGAP-56-001 | TODO | Mirror bundle schema freeze | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
| 6 | LEDGER-AIRGAP-56-002 | TODO | Depends on LEDGER-AIRGAP-56-001 | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
| 7 | LEDGER-AIRGAP-57-001 | TODO | Depends on LEDGER-AIRGAP-56-002 | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
| 8 | LEDGER-AIRGAP-58-001 | TODO | Depends on LEDGER-AIRGAP-57-001 | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
| 9 | LEDGER-ATTEST-73-001 | TODO | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
| 2025-11-16 | Normalised sprint to standard template and renamed to `SPRINT_0120_0000_0001_policy_reasoning.md`; no content changes beyond reformat. | Project Management |
| 2025-11-16 | Added `src/Findings/AGENTS.md` synthesising required reading, boundaries, determinism/observability rules for implementers. | Project Management |
## Decisions & Risks
- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn.
- Replay workload risk: 5 M findings load may exceed lab capacity; mitigation is to use the QA replay rig and capture CPU/memory budgets in runbooks.
- Air-gap drift risk: mirror bundle format still moving; mitigation is to version the provenance schema and gate LEDGER-AIRGAP-* merges until docs/manifests updated.
- Cross-guild lag risk: Orchestrator/Attestor dependencies may delay provenance pointers; mitigation is weekly sync notes and feature flags so ledger work can land behind toggles.
- Implementer contract now anchored in `src/Findings/AGENTS.md`; keep in sync with module docs and update sprint log when changed.
## Next Checkpoints
- 2025-11-15 · Metrics + dashboard schema sign-off — Observability Guild — unblocks LEDGER-29-007 instrumentation PR.
- 2025-11-18 · Determinism + replay harness dry-run at 5 M findings — QA Guild — required before LEDGER-29-008 can close.
- 2025-11-20 · Helm/Compose manifests + backup doc review — DevOps Guild · AirGap Controller Guild — needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001.
- 2025-11-22 · Mirror bundle provenance schema freeze — AirGap Time Guild — enables LEDGER-AIRGAP-56/57/58 sequencing.
- 2025-11-25 · Orchestrator ledger export contract signed — Orchestrator Guild — prerequisite for LEDGER-34-101 linkage.
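Review bot: the Next Checkpoints list still carries "2025-11-15 · Metrics + dashboard schema sign-off" as an open item, while the Execution Log in the same hunk already records 2025-11-16 entries and Decisions & Risks states the metric names were "locked by 2025-11-15"; either record the sign-off outcome in the log and drop or re-date the checkpoint, or reword the decision to say the lock is still pending so the two sections do not contradict each other. While row 1 of the Delivery Tracker is being edited, consider giving `ledger_write_latency` a unit suffix (e.g. `ledger_write_latency_seconds`) to match `projection_lag_seconds` and Prometheus naming conventions, since these names are about to be frozen in `docs/observability/policy.md` and renaming after sign-off is exactly the schema churn the decision is meant to avoid.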
@@ -23,32 +23,34 @@
| --- | --- | --- | --- | --- | --- |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Remote inference packaging queued behind policy knob work. |
| 110.A Advisory AI | AIAI-31-008 | BLOCKED | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Blocked pending policy knob deliverables (AIAI-31-006/007). |
| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | DOING | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Structured field/caching implementation gated on schema approval. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | BLOCKED | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Blocked: Link-Not-Merge schema still not approved; cannot finalize structured field/caching. |
| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | TODO | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Air-gap bundles waiting on stable schema + attestation payloads. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | TODO | Concelier Console Guild | Link-Not-Merge schema | Console overlays blocked until schema signed off. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | TODO | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Attestation metadata wiring follows structured caching. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Blocked until schema approval + attestation scope sign-off. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | Link-Not-Merge schema | Blocked pending Link-Not-Merge schema approval. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Blocked until structured caching lands and Evidence Locker contract finalises. |
| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. |
| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | TODO | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Chunk API waiting on schema + ingest agreements. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | TODO | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Telemetry/guardrail metrics follow chunk API. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | TODO | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Docs/OpenAPI alignment queued behind chunk API finalisation. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Attestation payload ordering awaiting sequencing session. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | TODO | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Air-gap + connector parity depend on schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata follows assembler baseline. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | TODO | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor workstreams blocked pending assembler + time contract. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | TODO | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | CLI + Export automation depends on assembler and DSSE/TUF track. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Downstream automation awaiting assembler staffing outcome. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Blocked until schema + ingest contract approved. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | BLOCKED | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Blocked behind EXCITITOR-AIAI-31-002. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | BLOCKED | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Blocked until chunk API finalized. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Blocked pending chunk API + Evidence Locker attestation scope. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Blocked until schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | Staffing decision | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Blocked pending MIRROR-CRT-56-001 ownership. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
## Decisions & Risks
### Decisions in flight
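Review bot: the DOCS-AIAI-31-004 row at the top of this table is left at DOING ("Guardrail console doc drafted; screenshots + SBOM evidence pending") while the Sprint 111 board hunk in this same commit flips DOCS-AIAI-31-004 to BLOCKED (2025-11-16), and the 2025-11-16 log row here only says the draft was "progressed"; pick one status and apply it in both files so the wave tracker and the sprint board agree. Likewise the AIAI-31-008 row here reads "Blocked pending policy knob deliverables (AIAI-31-006/007)" whereas the Sprint 111 hunk records AIAI-31-006..007 as done and names DEVOPS-AIAI-31-001 as the blocker; reconcile the dependency column. Minor: the Execution Log is no longer in date order (2025-11-13, 2025-11-09, then the two new 2025-11-16 rows), so place the new rows so the table reads consistently oldest-first or newest-first.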
@@ -12,16 +12,19 @@ DOCS-AIAI-31-006 | DONE (2025-11-13) | `/docs/policy/assistant-parameters.md` no
> 2025-11-13: Published `docs/policy/assistant-parameters.md`, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111.
DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs)
DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs)
SBOM-AIAI-31-003 | TODO (2025-11-03) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001. | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService)
AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI)
SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001 (not yet delivered). | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService)
AIAI-31-008 | BLOCKED (2025-11-16) | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007 (done) plus DEVOPS-AIAI-31-001 runbook. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI)
AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) |
> 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
> 2025-11-16: SBOM-AIAI-31-003 marked BLOCKED pending SBOM-AIAI-31-001 projection kit + smoke plan.
> 2025-11-16: AIAI-31-008 marked BLOCKED pending DEVOPS-AIAI-31-001 runbook for on-prem/remote packaging.
> 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
DOCS-AIAI-31-004 | DOING (2025-11-07) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001. | Docs Guild, Console Guild (docs)
DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001 (not yet delivered). | Docs Guild, Console Guild (docs)
> 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship.
> 2025-11-16: DOCS-AIAI-31-004 marked BLOCKED; console widgets and Excititor feed endpoints still pending, cannot capture final screenshots/flows.
> 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests.
> 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open.
DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs)
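Review bot: the new 2025-11-16 `>` notes are inserted out of chronological order, between the 2025-11-03 and 2025-11-04 notes under SBOM-AIAI-31-003/AIAI-31-008 and between the 2025-11-07 and 2025-11-08 notes under DOCS-AIAI-31-004; append them after the latest existing note (2025-11-09) so the per-task history reads top to bottom without date jumps. On substance, the rewritten AIAI-31-008 row says the blocker is now the DEVOPS-AIAI-31-001 runbook with AIAI-31-006..007 "(done)", but the Sprint 110 wave tracker hunk in this commit still blocks AIAI-31-008 on AIAI-31-006/007; update that tracker row in the same change, and since DEVOPS-AIAI-31-001 is also the stated dependency of DOCS-AIAI-31-009, consider listing it explicitly in the dependency column rather than only in the note so the blocker is visible in the table.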
@@ -1,99 +0,0 @@
# Sprint 112 · Concelier.I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)
Phase 110.B keeps Concelier focused on ingestion fidelity and evidence APIs. All active work here assumes Advisory AI consumes *canonical* advisory documents (no merge transforms) and that every field we emit carries exact provenance anchors.
## Canonical Model Commitments
- **Single source of truth:** `/advisories/{key}/chunks` must render from the canonical `Advisory` aggregate (document id + latest observation set), never from derived cache copies.
- **Provenance anchors:** Each structured field cites both the Mongo `_id` of the backing observation document and the JSON Pointer into that observation (`observationPath`). This mirrors how GHSA’s GraphQL `securityAdvisory.references` and Cisco PSIRT’s `openVuln` feeds expose source handles, so downstream tooling can reconcile fields deterministically.
- **Deterministic ordering:** Sort structured entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes. We are keeping this policy “as-is” for now to avoid churn in Advisory AI prompts.
- **External parity:** Continue mapping fields named in competitor docs (GitHub Security Advisory GraphQL, Red Hat CVE data API, Cisco PSIRT openVuln) so migrations remain predictable.
## Workstream A — Advisory AI Structured Fields (AIAI-31)
Task ID | State | Exit criteria | Owners
--- | --- | --- | ---
CONCELIER-AIAI-31-002 `Structured fields` | DOING | 1) Program.cs endpoint fully rewritten to resolve the canonical advisory (via `IAdvisoryStore`/`IAliasStore`) and issue structured field entries. 2) Cache key = `tenant + AdvisoryFingerprint`. 3) Responses contain `{chunkId, fingerprint, entries[], provenance.documentId, provenance.observationPath}` with deterministic ordering. 4) Tests updated (`StatementProvenanceEndpointAttachesMetadata`, new structured chunk fixture) and Mongo2Go coverage passes. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-AIAI-31-003 `Advisory AI telemetry` | DONE (2025-11-12) | OTEL counters (`advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total`) tagged with tenant/result/cache. Nothing further planned unless guardrail policy changes. | Concelier WebService Guild · Observability Guild
### Implementation checklist (kept inline until CONCELIER-AIAI-31-002 ships)
1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard.
2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`.
3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors.
4. Refresh telemetry tests to assert `Response.Entries.Count`.
5. Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references.
## Workstream B — Mirror & Offline Provenance (AIRGAP-56/57/58)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Implement read paths for Offline Kit bundles, persist `bundleId`, `merkleRoot`, and maintain append-only ledger comparisons. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Every observation/linkset stores `{bundleId, merkleRoot, observationPath}` so exported evidence can cite provenance exactly once; depends on 56-001. | Concelier Core Guild · AirGap Importer Guild
CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Feature flag + policy that rejects non-mirror connectors with actionable diagnostics; depends on 56-001. | Concelier Core Guild · AirGap Policy Guild
CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute `fetchedAt/publishedAt/clockSource` deltas per bundle and expose via observation APIs without mutating evidence; depends on 56-002. | Concelier Core Guild · AirGap Time Guild
CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory observations/linksets + provenance notes (document id + observationPath) into timeline-bound portable bundles with verifier instructions; depends on 57-002. | Concelier Core Guild · Evidence Locker Guild
## Workstream C — Transparency & Attestor (ATTEST-73)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Emit `{observationDigest, linksetDigest, documentId}` pairs required by Attestor so DSSE bundles include the same provenance anchors Advisory AI emits. | Concelier Core Guild · Attestor Service Guild
CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Read APIs expose `bundleId`, Rekor references, and observation paths for external transparency explorers; depends on 73-001. | Concelier Core Guild
## Workstream D — Console & Search Surfaces (CONSOLE-23)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | `/console/advisories` returns grouped linksets with per-source severity/status chips plus `{documentId, observationPath}` provenance references (matching GHSA + Red Hat CVE browser expectations); depends on CONCELIER-LNM-21-201/202. | Concelier WebService Guild · BE-Base Platform Guild
CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Deterministic “new/modified/conflicting” sets referencing linkset IDs and field paths rather than computed verdicts; depends on 23-001. | Concelier WebService Guild
CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | CVE/GHSA/PURL lookups return observation excerpts, provenance anchors, and cache hints so tenants can preview evidence safely; reuse structured field taxonomy from Workstream A. | Concelier WebService Guild
## Workstream E — Tenant Scope & AOC Guardrails
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
## Recent Updates
- 2025-11-12: CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic; dashboards now display cache hit ratios and guardrail blocks per tenant.
- 2025-11-13: Sprint rebaseline complete; structured field scope locked to canonical model + provenance anchors, matching competitor schemas for short-term parity.
## Current status (2025-11-13)
| Workstream | State | Notes |
| --- | --- | --- |
| A – Advisory AI structured fields | 🔶 DOING | CONCELIER-AIAI-31-002 code work in progress; schema locked, telemetry landed, release blocked on Link-Not-Merge + CARTO schemas. |
| B – Mirror & offline provenance | 🔴 BLOCKED | No work can start until MIRROR-CRT-56-001 staffing and Offline Kit bundle contracts finalize. |
| C – Transparency & Attestor | 🔴 BLOCKED | Waiting on Workstream A output plus attestation backlog sequencing (Sprint 110/Excititor). |
| D – Console & search surfaces | 🔶 WATCHING | Scoped but dependencies on Link-Not-Merge + Console backlog; preparing schema docs in parallel. |
| E – Tenant scope & AOC guardrails | 🔶 WATCHING | Requires Authority smoke coverage; no active engineering yet but tests ready to clone once structured endpoint stabilizes. |
## Blockers & dependencies
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. |
| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. |
| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. |
| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. |
## Next actions (target: 2025-11-16)
| Workstream | Owner(s) | Action | Status |
| --- | --- | --- | --- |
| A | Concelier WebService Guild | Finish `ResolveAdvisoryAsync`, cache key update, and structured response builder; prep PR for review once schema approved. | In progress |
| A | Docs Guild | Draft structured field schema appendix referencing provenance anchors for Advisory AI docs. | Pending |
| B | Concelier Core + Mirror leadership | Join 2025-11-15 kickoff, capture MIRROR-CRT-56-001 owner, and align bundle metadata contract. | Pending |
| C | Concelier Core + Evidence Locker | Produce attestation payload outline so ATTEST-73-001 can start immediately after sequencing meeting. | Pending |
| D | Concelier WebService Guild | Prepare `/console/advisories` API spec (field list, provenance references) so implementation can begin once Link-Not-Merge clears. | Drafting |
| E | Concelier Core | Clone Authority smoke suites to cover new structured endpoint once Workstream A enters review. | Pending |
## Standup prompts
1. Has Link-Not-Merge schema review resolved all blocking comments? If not, what fields remain at risk?
2. Who will own MIRROR-CRT-56-001 after the 2025-11-15 kickoff, and do we have staffing for follow-on AIRGAP tasks?
3. Did Evidence Locker accept the attestation contract draft, enabling ATTEST-73-001 to move forward?
4. Are Authority/AOC smoke tests ready to clone once structured fields release, or do we need additional scope from AUTH-SIG-26-001?
## Risks (snapshot 2025-11-13)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| Link-Not-Merge schema slips past 2025-11-14 | Structured fields + console APIs stay unreleased, blocking Advisory AI and Console surfaces. | Push for schema sign-off during 2025-11-14 review; prep fallback adapter if necessary. |
| Mirror staffing unresolved | AirGap provenance work (AIRGAP-56/57/58) cannot start, delaying Offline Kit parity. | Escalate at 2025-11-15 kickoff; consider borrowing engineers from Evidence Locker or Export guilds. |
| Evidence Locker contract delay | ATTEST-73 work cannot begin, leaving Advisory AI without attested provenance. | Align with Excititor/Evidence Locker owners during 2025-11-15 sequencing session; draft interim spec. |
| Authority smoke coverage gap | AOC guardrails may regress when structured endpoint ships. | Schedule paired testing with Authority guild once Workstream A PR is ready. |
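Review bot: this hunk deletes the whole Sprint 112 Concelier.I file, and with it the only inline statement of the provenance-anchor contract (every structured field cites the Mongo `_id` of the backing observation plus the `observationPath` JSON Pointer, sorted by `(fieldType, observationPath, sourceId)`) and the CONCELIER-AIAI-31-002 implementation checklist, while the Sprint 110 tracker hunk in this same commit still carries CONCELIER-AIAI-31-002 and the ATTEST-73/CONSOLE-23 tasks that depend on that contract; the commit message lists only additions and names no destination for this content. State in the commit message where the file's content was consolidated (or that it is intentionally dropped), and make sure the anchor contract and deterministic-ordering rule land in a module doc such as the `docs/provenance/inline-dsse.md` update the checklist itself called for, since Attestor DSSE bundles and Advisory AI chunks are supposed to emit identical anchors and there is now no authoritative text to check them against.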
@@ -1,24 +0,0 @@
# Sprint 113 - Ingestion & Evidence · 110.B) Concelier.II
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-004 `Merge code removal` | TODO | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. Depends on CONCELIER-LNM-21-005. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into the new observation/linkset collections, seed tombstones for deprecated docs, and provide rollback tooling for Offline Kit operators. Depends on CONCELIER-LNM-21-101. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Move large raw payloads to object storage with deterministic pointers, update bootstrapper/offline kit seeds, and guarantee provenance metadata remains intact. Depends on CONCELIER-LNM-21-102. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add `/advisories/observations` with filters for alias/purl/source plus strict tenant scopes; responses must only echo upstream values + provenance fields. Depends on CONCELIER-LNM-21-103. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement `/advisories/linksets`/`export`/`evidence` endpoints surfacing correlation + conflict payloads and `ERR_AGG_*` error mapping, never exposing synthesis/merge results. Depends on CONCELIER-LNM-21-201. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish idempotent NATS/Redis events for new observations/linksets with schemas documented for downstream consumers; include tenant + provenance references only. Depends on CONCELIER-LNM-21-202. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService)
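Review bot: CONCELIER-LNM-21-101 provisions `advisory_observations` / `advisory_linksets` with "TTL for ingest metadata", but CONCELIER-LNM-21-001 defines `advisory_observations` as immutable and CONCELIER-LNM-21-004 adds guardrails to keep ingestion append-only; the row should name the fields the TTL index covers so expiry can never drop an observation or linkset that the 21-102 tombstones or an `advisory.linkset.updated` replay (21-005) still references. Secondary: 21-005 (Core) and 21-203 (WebService) both publish observation/linkset events; if both rows survive consolidation, state which one owns the event schema so consumers do not see two shapes for the same change.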
@@ -1,23 +0,0 @@
# Sprint 114 - Ingestion & Evidence · 110.B) Concelier.III
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update the OpenAPI spec so every observation/linkset/timeline endpoint documents provenance fields, tenant scopes, and AOC guarantees (no consensus fields), giving downstream SDKs unambiguous contracts. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-61-002 `Examples library` | TODO | Provide realistic examples (conflict linksets, multi-source severity, timeline snippets) showing how raw advisories are surfaced without merges; wire them into docs/SDKs. Depends on CONCELIER-OAS-61-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios covering advisory search, pagination, and conflict handling to ensure each language client preserves provenance fields and does not infer verdicts. Depends on CONCELIER-OAS-61-002. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired, keeping operators informed while discouraging use of merge-era APIs. Depends on CONCELIER-OAS-62-001. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts so we can prove the evidence pipeline remains healthy without resorting to heuristics. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-52-001 `Timeline events` | TODO | Produce timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, and evidence hashes—pure facts for downstream replay. Depends on CONCELIER-OBS-51-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Generate evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests so audits can replay advisory history without touching live Mongo. Depends on CONCELIER-OBS-52-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to advisory batches, expose verification APIs, and link attestation IDs into timeline + ledger for transparency. Depends on CONCELIER-OBS-53-001. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Implement incident-mode levers (extra sampling, retention overrides, redaction guards) that collect more raw evidence without mutating advisory content. Depends on CONCELIER-OBS-54-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register every advisory connector with the orchestrator (metadata, auth scopes, rate policies) so ingest scheduling is transparent and reproducible. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Adopt the orchestrator worker SDK in ingestion loops, emitting heartbeats/progress/artifact hashes to guarantee deterministic replays. Depends on CONCELIER-ORCH-32-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator pause/throttle/retry controls with structured error outputs and persisted checkpoints so operators can intervene without losing evidence. Depends on CONCELIER-ORCH-32-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills that reuse artifact hashes/signatures, log provenance, and push run metadata to the ledger for audits. Depends on CONCELIER-ORCH-33-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy can join raw evidence without Concelier suggesting outcomes. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
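Review bot: this hunk deletes a board whose fourteen rows are all still TODO, with no `+` counterpart in the diff, while the deleted file's own header says only completed/historic work moves to `docs/implplan/archived/tasks.md`; the commit should show (or its description should name) where open items such as CONCELIER-OBS-54-001 (DSSE attestations + verification APIs) and CONCELIER-OAS-63-001 (Sunset/Deprecation headers) now live, or a reader of the archive will take them as done. Minor: the `Depends on: Sprint 110.B - Concelier.II` line uses the phase label `110.B` as if it were a sprint number, while the heading pairs `Sprint 114` with `110.B) Concelier.III`; the consolidated board should reference actual sprint numbers.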
@@ -1,22 +0,0 @@
# Sprint 115 - Ingestion & Evidence · 110.B) Concelier.IV
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Expand linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version-range parsing so policy joins become more accurate without Concelier prioritizing sources. Depends on CONCELIER-POLICY-20-001. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Introduce advisory selection cursors + change-stream checkpoints that let Policy Engine process deltas deterministically; include offline migration scripts. Depends on CONCELIER-POLICY-20-002. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views (alias, provider severity, correlation confidence) so policy lookups stay fast without caching derived verdicts; document the supported query patterns. Depends on CONCELIER-POLICY-20-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` events ship with idempotent IDs, confidence summaries, and tenant metadata so policy consumers can replay evidence feeds safely. Depends on CONCELIER-POLICY-23-001. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Surface vendor-provided CVSS/KEV/fix data exactly as published (with provenance anchors) through provider APIs so risk engines can reason about upstream intent. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers can cite which upstream statements exist; no weighting is applied inside Concelier. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Wire advisory signal pickers into Policy Studio so curators can select which raw advisory fields feed policy gating; validation must confirm fields are provenance-backed. Depends on POLICY-RISK-68-001. | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit notifications when upstream advisory fields change (e.g., fix available) with observation IDs + provenance so Notifications service can alert without inferring severity. Depends on CONCELIER-RISK-66-002. | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose upstream-provided affected symbol/function lists via APIs to help reachability scoring; maintain provenance and do not infer exploitability. Depends on SIGNALS-24-002. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Execute the raw-linkset backfill/rollback plan (`docs/dev/raw-linkset-backfill-plan.md`) so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. Depends on CONCELIER-CORE-AOC-19-004. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Enforce tenant scoping throughout normalization/linking, expose capability endpoint advertising `merge=false`, and ensure events include tenant IDs. Depends on AUTH-TEN-47-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations can cite Concelier evidence without requesting merges. Depends on CONCELIER-VULN-29-001, VEXLENS-30-005. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService)
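Review bot: CONCELIER-POLICY-20-003 introduces selection cursors and change-stream checkpoints for Policy Engine, and CONCELIER-POLICY-23-002 promises replay-safe `advisory.linkset.updated` events, but neither row depends on CONCELIER-TEN-48-001, which is where tenant scoping of normalization/linking and tenant IDs in events are enforced; a cursor or checkpoint issued before 48-001 lands could page across tenants. Suggest either adding `Depends on CONCELIER-TEN-48-001` to 20-003/23-002 or stating in those rows that cursors and checkpoints are tenant-scoped. Also the `Depends on: Sprint 110.B - Concelier.III` line points at a phase label rather than the `Sprint 114` file it means.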
@@ -1,24 +0,0 @@
# Sprint 116 - Ingestion & Evidence · 110.B) Concelier.V
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, and chunk latencies; stream them to Vuln Explorer without altering evidence payloads. Depends on CONCELIER-VULN-29-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, and enforce sealed-mode by blocking direct internet feeds. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets` so operators can see freshness without Excitior deriving outcomes. Depends on CONCELIER-WEB-AIRGAP-56-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to consistent `AIRGAP_EGRESS_BLOCKED` payloads that explain how to remediate, leaving advisory content untouched. Depends on CONCELIER-WEB-AIRGAP-56-002. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle imports (bundle ID, scope, actor) so audit trails capture every evidence change. Depends on CONCELIER-WEB-AIRGAP-57-001. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), and supersedes chains to keep ingestion append-only. Depends on CONCELIER-WEB-AOC-19-002. | QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests that ingest large advisory batches (cold/warm), verify reproducible linksets, and record metrics/fixtures for Offline Kit rehearsals. Depends on CONCELIER-WEB-AOC-19-003. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-005 `Chunk evidence regression` | TODO (2025-11-08) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve correctly; ensure Mongo migrations stop logging “Unable to locate advisory_raw documents” during tests. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-006 `Allowlist ingest auth parity` | TODO (2025-11-08) | Align default auth/tenant configs with the test fixtures so allowlisted tenants can ingest before forbidden tenants are rejected, closing the gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-007 `AOC verify violation codes` | TODO (2025-11-08) | Update AOC verify logic so guard failures emit `ERR_AOC_001` (not `_004`) and keep mapper/guard parity covered by regression tests. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure every API returns the standardized error envelope and update controllers/tests accordingly (prereq for SDK/doc alignment). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Publish curated examples for observations/linksets/conflicts and wire them into the developer portal. Depends on CONCELIER-WEB-OAS-61-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. Depends on CONCELIER-WEB-OAS-62-001. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Add `/obs/concelier/health` surfaces for ingest health, queue depth, and SLO status so Console widgets can display real-time evidence pipeline stats. Depends on CONCELIER-WEB-OBS-50-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, and audit logging so operators can monitor evidence changes live. Depends on CONCELIER-WEB-OBS-51-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
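Review bot: CONCELIER-WEB-AOC-19-006 reads "so allowlisted tenants can ingest before forbidden tenants are rejected", which makes rejection sound sequenced on a prior successful ingest; the test it names, `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`, needs the stronger property that a tenant outside the allowlist is rejected unconditionally, so reword to "allowlisted tenants can ingest and tenants outside the allowlist are rejected". Also CONCELIER-WEB-AIRGAP-56-002 is a Concelier task yet says "without Excitior deriving outcomes": the name is misspelt (`Excititor` elsewhere in this commit) and looks copied from the Excititor sibling; it should read "without Concelier deriving outcomes" if this row is carried forward.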
@@ -1,16 +0,0 @@
# Sprint 117 - Ingestion & Evidence · 110.B) Concelier.VI
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes that proxy evidence locker snapshots, verify `evidence:read` scopes, and return signed manifest metadata—no shortcut paths into raw storage. Depends on CONCELIER-WEB-OBS-52-001. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` endpoints surfacing DSSE status, verification summary, and provenance chain so CLI/Console can audit trust without hitting databases. Depends on CONCELIER-WEB-OBS-53-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident-mode APIs that coordinate ingest, locker, and orchestrator, capturing activation events + cooldown semantics but leaving evidence untouched. Depends on CONCELIER-WEB-OBS-54-001. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService)
FEEDCONN-CCCS-02-009 `Version range provenance (Oct 2025)` | TODO | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys per the Link-Not-Merge schema/doc recipes. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild – CCCS (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs)
FEEDCONN-CERTBUND-02-010 `Version range provenance` | TODO | Translate CERT-Bund `product.Versions` phrases into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) while retaining localisation notes; update mapper/tests for Link-Not-Merge. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild – CertBund (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund)
FEEDCONN-CISCO-02-009 `SemVer range provenance` | DOING (2025-11-08) | Emit Cisco SemVer ranges into the new observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild – Cisco (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco)
DOCS-LNM-22-008 `No-merge migration doc` | DONE (2025-11-03) | Documented Link-Not-Merge migration plan in `docs/migration/no-merge.md`; keep synced with ongoing tasks. | Docs Guild, DevOps Guild (docs)
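Review bot: the provenance anchor formats differ per connector: CCCS uses `cccs:{serial}:{index}` and CERT-Bund `certbund:{advisoryId}:{vendor}`, but FEEDCONN-CISCO-02-009 uses only `cisco:{productId}`, so two SemVer ranges for one product ID would share a single provenance anchor; add a range index (or the advisory ID) to the Cisco anchor before the fixtures are refreshed. Also this file is deleted while FEEDCONN-CISCO-02-009 is DOING (2025-11-08); confirm the in-flight row is carried to the consolidated board rather than the archive.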
@@ -1,102 +0,0 @@
# Sprint 119 - Ingestion & Evidence · 110.C) Excititor.I
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.C) Excititor.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Excititor (phase I).
> **Prep:** Read `docs/modules/excititor/architecture.md` and the relevant Excititor `AGENTS.md` files (per component directory) before working any tasks below; this preserves the guidance that previously lived in the component boards.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-AIAI-31-001 `Justification enrichment` | DONE (2025-11-12) | Expose normalized VEX justifications, product scope trees, and paragraph/JSON-pointer anchors via `VexObservation` projections so Advisory AI can cite raw evidence without invoking any consensus logic. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Ship `/vex/evidence/chunks` with tenant/policy filters that streams raw statements, signature metadata, and scope scores for Retrieval-Augmented Generation clients; response must stay aggregation-only and reference observation/linkset IDs. Depends on EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-003 `Telemetry & guardrails` | IN REVIEW (2025-11-13) | Instrument the new evidence APIs with request counters, chunk sizes, signature verification failure meters, and AOC guard violations so Lens/Advisory AI teams can detect misuse quickly. Depends on EXCITITOR-AIAI-31-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-004 `Schema & docs alignment` | TODO | Update OpenAPI/SDK/docs to codify the Advisory-AI evidence contract (fields, determinism guarantees, pagination) and describe how consumers map observation IDs back to raw storage. | Excititor WebService Guild, Docs Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIRGAP-56-001 `Mirror-first ingestion` | TODO | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-AIRGAP-58-001 `Portable evidence bundles` | TODO | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-ATTEST-01-003 `Verification suite & observability` | TODO (2025-11-06) | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove we can verify DSSE bundles for every evidence batch without touching consensus results (see `EXCITITOR-ATTEST-01-003-plan.md`). | Excititor Attestation Guild (src/Excititor/__Libraries/StellaOps.Excititor.Attestation)
EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-CONN-TRUST-01-001 `Connector provenance parity` | TODO | Update MSRC, Oracle, Ubuntu, and Stella mirror connectors to emit signer fingerprints, issuer tiers, and bundle references while remaining aggregation-only; document how Lens consumers should interpret these hints. | Excititor Connectors Guild (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*)
## Task clusters & readiness
### Advisory-AI evidence APIs
- **Delivered:** `EXCITITOR-AIAI-31-001` (`/v1/vex/observations/{vulnerabilityId}/{productKey}` projection API) landed 2025-11-12 with normalized justifications and anchors.
- **In flight:** `EXCITITOR-AIAI-31-003` (instrumentation + guardrails) and `EXCITITOR-AIAI-31-004` (OpenAPI/SDK/docs alignment).
- **Dependencies:** Needs `EXCITITOR-AIAI-31-002` (projection service plumbing) — confirmed completed via architecture doc; observability pipeline requires Ops dashboards.
- **Ready-to-start checklist:** finalize request/response examples in OpenAPI, add replayable telemetry fixtures, and attach Advisory-AI contract summary to this sprint doc.
### AirGap ingestion & portable bundles
- **Scope:** `EXCITITOR-AIRGAP-56/57/58` (mirror-first ingestion, sealed-mode enforcement, portable evidence bundles).
- **Dependencies:** relies on Attestor DSSE verification (Sprint 100.A) and AirGap policy toggles; Evidence Locker partnership needed for portable bundle format.
- **Ready-to-start checklist:**
1. Secure mirror bundle schema from Export Center (Sprint 162) and attach sample manifests.
2. Document sealed-mode error catalog + diagnostics surfaced to Advisory AI/Lens during offline enforcement.
3. Define bundle manifest → timeline ID mapping for Advisory AI, referencing Export Center + TimelineIndexer contracts.
### Attestation & provenance chain
- **Tasks:** `EXCITITOR-ATTEST-01-003`, `EXCITITOR-ATTEST-73-001`, `EXCITITOR-ATTEST-73-002`.
- **Dependencies:** Attestor service readiness (Sprint 100.A) plus DSSE payload contract; requires `IVexAttestationVerifier` plan doc referenced in repo.
- **Ready-to-start checklist:**
1. Finish verifier test harness & deterministic diagnostics.
2. Capture sample attestation payload spec (supplier identity, justification summary, scope metadata) and attach here.
3. Describe provenance linkage for `/v1/vex/attestations/{id}` + observation/linkset/product tuples in docs.
### Connector provenance parity
- **Task:** `EXCITITOR-CONN-TRUST-01-001` (MSRC/Oracle/Ubuntu/Stella connectors).
- **Dependencies:** Source feeds must already emit signer metadata; align with AOC aggregator guardrails; ensure docs outline how Lens consumes trust hints.
- **Ready-to-start checklist:**
1. Inventory current connector coverage + signer metadata availability.
2. Define signer fingerprint + issuer tier schema shared across connectors (document in module README).
3. Update acceptance tests under `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*` to assert provenance payload.
## Dependencies & blockers
- Attestor DSSE verification (`EXCITITOR-ATTEST-01-003`, Sprint 100.A) gates `EXCITITOR-ATTEST-73-001/002` and portable bundles.
- Export Center mirror bundle schema (Sprint 162) and EvidenceLocker portable bundle format (Sprint 160/161) must land before `EXCITITOR-AIRGAP-56/58` can proceed; target sync 2025-11-15.
- Observability stack (Ops/Signals wave) must expose span/metric sinks before `EXCITITOR-AIAI-31-003` instrumentation merges; waiting on Ops telemetry MR.
- Security review pending for connector provenance fingerprints to ensure no secrets leak in aggregation-only mode; Docs/Security review scheduled 2025-11-18.
## Documentation references
- `docs/modules/excititor/architecture.md` — authoritative data model, APIs, and guardrails for Excititor.
- `docs/modules/excititor/README.md#latest-updates` — consensus beta + Advisory-AI integration context.
- `docs/modules/excititor/mirrors.md` — AirGap/mirror ingestion checklist referenced by `EXCITITOR-AIRGAP-56/57`.
- `docs/modules/excititor/operations/*` — observability + sealed-mode runbooks feeding `EXCITITOR-AIAI-31-003` instrumentation requirements.
- `docs/modules/excititor/implementation_plan.md` — per-module workstream alignment table (mirrors Sprint 200 documentation process).
## Action tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (`EXCITITOR-AIAI-31-004`). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` and document dashboards (`EXCITITOR-AIAI-31-003`). | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + ops runbook ready; waiting on Ops span sink deploy) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for `EXCITITOR-AIRGAP-56/57`. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for `EXCITITOR-AIRGAP-58-001`. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
| Attestation | Complete verifier suite + diagnostics for `EXCITITOR-ATTEST-01-003`. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness 80% complete) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (`EXCITITOR-CONN-TRUST-01-001`). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |
## Upcoming checkpoints (UTC)
| Date | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for `EXCITITOR-CONN-TRUST-01-001`. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock `EXCITITOR-AIRGAP-56/57` (schema still pending). | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock `EXCITITOR-ATTEST-73-*`. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for `EXCITITOR-AIAI-31-003`. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
## Risks & mitigations
| Risk | Severity | Impact | Mitigation |
| --- | --- | --- | --- |
| Observability sinks not ready for `EXCITITOR-AIAI-31-003` | Medium | Advisory-AI misuse would go undetected | Coordinate with Ops to reuse Signals dashboards; ship log-only fallback. |
| Mirror bundle schema slips (Export Center/AirGap) | High | Blocks sealed-mode + portable bundles | Use placeholder schema from `docs/modules/export-center/architecture.md` and note deltas; escalate to Export Center leads. |
| Attestation verifier misses 2025-11-16 target | High | Attestation payload tasks cannot start | Daily stand-ups with Attestation Guild; parallelize diagnostics while verifier finalizes. |
| Connector signer metadata incomplete | Medium | Trust parity story delayed | Stage connector-specific TODOs; allow partial rollout with feature flags. |
## Status log
- 2025-11-12 — Snapshot refreshed; EXCITITOR-AIAI-31-001 marked DONE, remaining tasks pending on observability, AirGap bundle schemas, and attestation verifier completion.
- 2025-11-13 — Added readiness checklists per task cluster plus action tracker; awaiting outcomes from Export Center mirror schema delivery and Attestor verifier rehearsals before flipping AirGap/Attestation tasks to DOING.
- 2025-11-13 (EOD) — OpenAPI draft for `EXCITITOR-AIAI-31-004` shared for review; Observability wiring blocked until Ops deploys span sink, noted above.
- 2025-11-14 — Connector provenance schema review scheduled; awaiting schema draft delivery before meeting. Export Center mirror schema still pending, keeping `EXCITITOR-AIRGAP-56/57` blocked.
- 2025-11-14 — `EXCITITOR-AIAI-31-003` instrumentation (request counters, chunk histogram, signature failure + guard-violation meters) merged into Excititor WebService; telemetry export remains blocked on Ops span sink rollout.
- 2025-11-14 (PM) — Published `docs/modules/excititor/operations/observability.md` documenting the new evidence metrics so Ops/Lens can hook dashboards while waiting for the span sink deployment.
> 2025-11-12: EXCITITOR-AIAI-31-001 delivered `/v1/vex/observations/{vulnerabilityId}/{productKey}` backed by the new `IVexObservationProjectionService`, returning normalized statements (scope tree, anchors, document metadata) so Advisory AI and Console can cite raw VEX evidence without touching consensus logic.
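Review bot: the action tracker's Observability row is due 2025-11-16 but depends on the Ops span sink deploy that the checkpoints table schedules for 2025-11-18, so it cannot close on its due date; re-forecast it, or make the log-only fallback named under Risks the 2025-11-16 deliverable and keep the dashboard wiring on the later date. The tracker's Attestation row also cites `EXCITITOR-ATTEST-01-003` while the 2025-11-16 checkpoint cites `EXCITITOR-ATTEST-73-*`; align the task IDs so the blocker can be traced from one table to the other.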
@@ -1,84 +0,0 @@
# Sprint 120 - Policy & Reasoning
_Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Findings.I
Dependency: Sprint 110.A - AdvisoryAI (must land before this track).
Focus: Policy & Reasoning focus on Findings (phase I).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | LEDGER-29-007 | TODO | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards (Deps: LEDGER-29-006) | Findings Ledger Guild, Observability Guild / src/Findings/StellaOps.Findings.Ledger |
| 2 | LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant (Deps: LEDGER-29-007) | Findings Ledger Guild, QA Guild / src/Findings/StellaOps.Findings.Ledger |
| 3 | LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions (Deps: LEDGER-29-008) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger |
| 4 | LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries (Deps: LEDGER-29-009) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 5 | LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 6 | LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging (Deps: LEDGER-AIRGAP-56-001) | Findings Ledger Guild, AirGap Time Guild / src/Findings/StellaOps.Findings.Ledger |
| 7 | LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works (Deps: LEDGER-AIRGAP-56-002) | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger |
| 8 | LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context (Deps: LEDGER-AIRGAP-57-001) | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger |
| 9 | LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger |
## Findings.I scope & goals
- Deliver ledger observability baselines (`LEDGER-29-007/008/009`) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant.
- Extend ledger provenance to cover orchestrator jobs, air-gapped bundle imports, and attestation evidence (`LEDGER-34-101`, `LEDGER-AIRGAP-*`, `LEDGER-ATTEST-73-001`).
- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) and documentation so downstream guilds can adopt without bespoke guidance.
### Entry criteria
- Sprint 110.A AdvisoryAI deliverables must be complete (raw findings parity, provenance contracts).
- Observability Guild approves metric names/labels for `ledger_*` series.
- Mirror bundle schemas (AirGap kits) published so `LEDGER-AIRGAP-*` tasks can reference stable fields.
### Exit criteria
- Metrics/logs/dashboards live in ops telemetry packs with alert wiring.
- Determinism/load harness produces signed report for 5 M findings/tenant scenario.
- Deployment manifests + offline kit instructions reviewed by DevOps/AirGap guilds.
- Ledger records referential pointers to orchestrator runs, bundle provenance, and attestation envelopes.
## Task clusters & owners
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
| --- | --- | --- | --- | --- |
| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec added in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. |
| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. |
| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
## Milestones & dependencies
| Target date | Milestone | Dependency / owner | Notes |
| --- | --- | --- | --- |
| 2025-11-15 | Metrics + dashboard schema sign-off | Observability Guild | Unblocks LEDGER-29-007 instrumentation PR. |
| 2025-11-18 | Determinism + replay harness dry-run at 5 M findings | QA Guild | Required before LEDGER-29-008 can close. |
| 2025-11-20 | Helm/Compose manifests + backup doc review | DevOps Guild · AirGap Controller Guild | Needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001. |
| 2025-11-22 | Mirror bundle provenance schema freeze | AirGap Time Guild | Enables LEDGER-AIRGAP-56/57/58 sequencing. |
| 2025-11-25 | Orchestrator ledger export contract signed | Orchestrator Guild | Prereq for LEDGER-34-101 linkage. |
## Risks & mitigations
- **Metric churn** — Observability schema changes could slip schedule. Mitigation: lock metric names by Nov 15 and document in `docs/observability/policy.md`.
- **Replay workload** — 5 M findings load tests may exceed lab capacity. Mitigation: leverage existing QA replay rig, capture CPU/memory budgets for runbooks.
- **Air-gap drift** — Mirror bundle format still moving. Mitigation: version provenance schema, gate LEDGER-AIRGAP-* merge until doc + manifest updates reviewed.
- **Cross-guild lag** — Orchestrator/Attestor dependencies may delay provenance pointers. Mitigation: weekly sync notes in sprint log; add feature flags so ledger work can merge behind toggles.
## External dependency tracker
| Dependency | Current state (2025-11-13) | Impact |
| --- | --- | --- |
| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
## Coordination log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
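Review bot: this hunk deletes the entire Sprint 120 Findings.I plan (`@@ -1,84 +0,0 @@`), including the coordination log and the external dependency tracker, and the commit message does not say where that content went. `docs/implplan/archived/all-tasks.md` is added in the same commit but its diff is suppressed as too large; confirm the removed tables and log entries are preserved there (or in another archive page) and state the move in the commit message so the history stays traceable.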
@@ -18,6 +18,9 @@ SCAN-DETER-186-009 | TODO | Build a determinism harness that replays N scans per
SCAN-DETER-186-010 | TODO | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
SCAN-ENTROPY-186-011 | TODO | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
SCAN-ENTROPY-186-012 | TODO | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
SCAN-CACHE-186-013 | TODO | Implement layer-level SBOM/VEX cache keyed by (layer digest + manifest hash + tool/feed/policy IDs); re-verify DSSE attestations on cache hits and persist indexes for reuse/diagnostics; document in `docs/modules/scanner/architecture.md` referencing the 16-Nov-2026 layer cache advisory. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`)
SCAN-DIFF-CLI-186-014 | TODO | Add deterministic diff-aware rescan workflow (writes `scan.lock.json`, emits JSON Patch diffs, CLI verbs `stella scan --emit-diff` and `stella diff`) with replayable tests and docs aligned to the 15/16-Nov diff-aware advisories. | Scanner Guild · CLI Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Cli/StellaOps.Cli`, `tests/Scanner`, `docs/modules/scanner/operations/release.md`)
SBOM-BRIDGE-186-015 | TODO | Establish SPDX 3.0.1 as canonical SBOM persistence and build a deterministic CycloneDX 1.6 exporter (mapping table + library); update scanner/SBOM docs and wire snapshot hashes into replay manifests. | Sbomer Guild · Scanner Guild (`src/Sbomer`, `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
DOCS-REPLAY-186-004 | TODO | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`)
> 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation.
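Review bot: the SCAN-CACHE-186-013 row refers to "the 16-Nov-2026 layer cache advisory" while the SCAN-DIFF-CLI-186-014 row below it cites the "15/16-Nov diff-aware advisories" and every other date in this sprint file is in 2025; 2026 looks like a typo, so fix the year or replace it with the advisory's path so the reference resolves. Re-verifying DSSE attestations on cache hits is the right default for that row; make explicit, there or in the `docs/modules/scanner/architecture.md` section it points to, that a failed re-verification evicts the entry and forces a fresh scan rather than serving the cached SBOM/VEX.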
@@ -10,6 +10,7 @@ EVID-REPLAY-187-001 | TODO | Implement replay bundle ingestion/retention APIs in
CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update `docs/modules/cli/architecture.md` and add a replay commands appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`)
ATTEST-REPLAY-187-003 | TODO | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend `docs/modules/attestor/architecture.md` with a replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`)
RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay specification summary. | Docs Guild, Ops Guild (`docs`)
VALIDATE-BUNDLE-187-005 | TODO | Deliver `VALIDATION_PLAN.md`, harness scripts (A/B quiet vs baseline, provenance bundle export), and a `stella bundle verify` CLI subcommand that checks DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits. | QA Guild · CLI Guild · Docs Guild (`docs/validation`, `scripts/validation`, `src/Cli/StellaOps.Cli`)
EVID-CRYPTO-90-001 | TODO | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` so sovereign profiles (e.g., `ru-offline`) can swap providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Evidence Locker Guild, Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`)
> 2025-11-03: `/docs/runbooks/replay_ops.md` created — Evidence Locker, CLI, Attestor teams can transition replay delivery tasks to **DOING** alongside Ops runbook rehearsals.
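Review bot: VALIDATE-BUNDLE-187-005 introduces a `stella bundle verify` subcommand that checks DSSE/Rekor/SBOM/policy/replay claims, but the CLI-REPLAY-187-002 row above it already defines the replay CLI surface as `scan --record`, `verify`, `replay`, `diff`; either fold bundle verification into that verb list or cross-reference the two rows so the CLI Guild does not ship two overlapping verify paths with different trust checks. The new row also names `VALIDATION_PLAN.md` without a directory, unlike the sibling `docs/replay/...` links; give its full path under `docs/validation`.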
@@ -55,5 +55,8 @@ _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSS
| PROV-INLINE-401-028 | DONE | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) |
| PROV-BACKFILL-401-029 | DOING | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) |
| PROV-INDEX-401-030 | TODO | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) |
| QA-CORPUS-401-031 | TODO | Build and publish the multi-runtime reachability corpus (Go/.NET/Python/Rust) with EXPECT.yaml ground truths and captured traces; wire fixtures into CI so reachability scoring and VEX proofs are continuously validated. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) |
| UI-VEX-401-032 | TODO | Add UI/CLI “Explain/Verify” surfaces on VEX decisions (show call paths, runtime hits, attestation verify button) and align with reachability evidence output. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) |
| POLICY-GATE-401-033 | TODO | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable` VEX outcomes; fall back to “under review” when symbol confidence is low; update policy docs and tests. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) |
> Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests.
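Review bot: POLICY-GATE-401-033 falls back to "under review" when symbol confidence is low, but the row does not say where that threshold is defined or whether it is tenant-configurable; name the DSL setting in `docs/policy/dsl.md` so the gate evaluates deterministically across replays, which the QA-CORPUS-401-031 fixtures will need to assert against when they validate `not_affected`/`unreachable` outcomes.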
1595
docs/implplan/archived/all-tasks.md
Normal file
File diff suppressed because it is too large
@@ -1,14 +1,14 @@
# Docs Guild Update — 2025-10-18
**Subject:** ADR process + events schema validation shipped
**Audience:** Docs Guild, DevEx, Platform Events
- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow.
- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories.
- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`.
- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access.
- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements.
Next steps:
- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs.
- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed.
# Docs Guild Update — 2025-10-18
**Subject:** ADR process + events schema validation shipped
**Audience:** Docs Guild, DevEx, Platform Events
- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow.
- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories.
- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`.
- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access.
- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements.
Next steps:
- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs.
- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed.
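Review bot: both halves of this hunk carry identical text (`@@ -1,14 +1,14 @@`, 14 lines out and 14 lines in), and the same holds for the following Docs Guild, Platform Events, Scanner/Policy sync, Scheduler Storage and Authority update hunks, so the actual change is whitespace or line-ending normalisation that the rendered view cannot show. Say so in the commit message, and if the cause is line endings, add a `.gitattributes` rule for `docs/**` so the files do not flip back on the next checkout.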
@@ -1,12 +1,12 @@
# Docs Guild Update — 2025-10-19
**Subject:** Event envelope reference & canonical samples
**Audience:** Docs Guild, Platform Events, Runtime Guild
- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
Next steps:
- Platform Events to embed the canonical samples into their contract tests.
- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.
# Docs Guild Update — 2025-10-19
**Subject:** Event envelope reference & canonical samples
**Audience:** Docs Guild, Platform Events, Runtime Guild
- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
Next steps:
- Platform Events to embed the canonical samples into their contract tests.
- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.
@@ -1,10 +1,10 @@
# Platform Events Update — 2025-10-19
**Subject:** Canonical event samples enforced across tests & CI
**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.
# Platform Events Update — 2025-10-19
**Subject:** Canonical event samples enforced across tests & CI
**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.
@@ -1,5 +1,5 @@
# 2025-10-19 – Scanner ↔ Policy Sync
- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.
# 2025-10-19 – Scanner ↔ Policy Sync
- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.
@@ -1,8 +1,8 @@
# Scheduler Storage Update — 2025-10-19
**Subject:** Mongo bootstrap + canonical fixtures
**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.
# Scheduler Storage Update — 2025-10-19
**Subject:** Mongo bootstrap + canonical fixtures
**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.
@@ -1,14 +1,14 @@
# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
## Summary
- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
## Operator impact
- No configuration changes are required; existing YAML and environment-based settings continue to function.
- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
## Developer notes
- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.
# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
## Summary
- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
## Operator impact
- No configuration changes are required; existing YAML and environment-based settings continue to function.
- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
## Developer notes
- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.
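Review bot: the Summary says DPoP nonce enforcement prefers `NormalizedAudiences` and falls back to the configured `RequiredAudiences`, but neither that line nor the Developer notes state what happens when both sets are empty; document that the endpoint fails closed (nonce still demanded, no audience accepted by default) so the fallback cannot silently widen the set of audiences a DPoP proof is honoured for, and add a test for that empty-both case alongside the `ServiceProvider`-based registry tests.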
@@ -1,13 +1,13 @@
# Docs Guild Update — 2025-10-22

**Subject:** Concelier Authority toggle rollout polish
**Audience:** Docs Guild, Concelier WebService Guild, Authority Core

- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors.

Next steps:
- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.
# Docs Guild Update — 2025-10-22

**Subject:** Concelier Authority toggle rollout polish
**Audience:** Docs Guild, Concelier WebService Guild, Authority Core

- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors.

Next steps:
- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.
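Review bot: the Offline Kit bullet writes the bundle date as `2025‑10‑22` with non-breaking hyphens (U+2011) while the heading uses ASCII `2025-10-22`; switch to plain hyphens so a text search for the bundle tag finds both. Both sides of this hunk also carry identical text, which points to a whitespace or line-ending-only change; worth stating that in the commit description so reviewers do not look for a content change that is not there.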
@@ -1,15 +1,15 @@
# 2025-10-26 — Authority graph scopes documentation refresh

## Summary

- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |
# 2025-10-26 — Authority graph scopes documentation refresh

## Summary

- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |
@@ -1,48 +1,48 @@
# Console Security Checklist Sign-off — 2025-10-27

## Summary

- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** – console may progress with Sprint 23 release gating.

## Authority client validation

- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.

## CSP enforcement

- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.

## Fresh-auth timer

- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.

## DPoP binding test

- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.

## Offline mode exercise

- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status.

## Evidence parity

- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).

## Monitoring & alerts

- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.

## Sign-off

- Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).

# Console Security Checklist Sign-off — 2025-10-27

## Summary

- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** – console may progress with Sprint 23 release gating.

## Authority client validation

- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.

## CSP enforcement

- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.

## Fresh-auth timer

- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.

## DPoP binding test

- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.

## Offline mode exercise

- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status.

## Evidence parity

- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).

## Monitoring & alerts

- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.

## Sign-off

- Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
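Review bot: the CSP enforcement entry records the `curl -I https://console.stg.stellaops.local/` result only as "CSP matches §4 defaults"; note the exact header name observed (`Content-Security-Policy` rather than `Content-Security-Policy-Report-Only`) and the path checked, because a report-only deployment would also "match" the directive list while enforcing nothing. The Evidence parity entry likewise states that SHA-256 digests match without recording the values; archive them beside `ops/evidence/console-ui-client-2025-10-27.json` so the PASS can be re-verified later.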
@@ -1,15 +1,15 @@
# 2025-10-27 — Orchestrator operator scope & audit metadata

## Summary

- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |
# 2025-10-27 — Orchestrator operator scope & audit metadata

## Summary

- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |
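Review bot: the second Summary bullet says Authority enforces the presence of `operator_reason` and `operator_ticket` but not how the values are validated; since both are copied into audit events (`request.reason`, `request.ticket`) and from there into logs, document the length limits and the accepted ticket format so operator-supplied free text cannot clutter or break the audit trail. The Orchestrator Service row also leaves the header names as `X-Stella-Reason`/`X-Stella-Ticket` "(or equivalent metadata)"; settle the names before the Console and CLI rows wire their flags, otherwise the three teams risk shipping different ones.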
@@ -1,15 +1,15 @@
# 2025-10-27 — Policy scope migration guidance

## Summary

- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |
# 2025-10-27 — Policy scope migration guidance

## Summary

- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.

## Next steps

| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |
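Review bot: the third Summary bullet introduces a repo verification script that fails CI when policy clients regress to the legacy `policy:write`/`policy:submit`/`policy:run` bundles, but names neither the script path nor the CI job; add both so operators can run the same check locally before committing `etc/authority.yaml` changes rather than discovering the regression in CI.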
@@ -1,15 +1,15 @@
# Docs Guild Update — Task Pack Docs (2025-10-27)

- Added Task Pack core documentation set:
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
# Docs Guild Update — Task Pack Docs (2025-10-27)

- Added Task Pack core documentation set:
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
- `/docs/modules/cli/operations/release-and-packaging.md`
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.

- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.

Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md).
@@ -1,26 +1,26 @@
# Docs Guild Update — 2025-10-28

## Console security posture draft

- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task.
- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).

## Console CLI parity matrix

- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.

## Accessibility refresh

- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.

Artifacts:

- Doc: `/docs/security/console-security.md`
- Doc: `/docs/cli-vs-ui-parity.md`
- Doc: `/docs/accessibility.md`
- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE)

cc: `@authority-core`, `@security-guild`, `@docs-guild`
# Docs Guild Update — 2025-10-28

## Console security posture draft

- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task.
- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).

## Console CLI parity matrix

- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.

## Accessibility refresh

- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.

Artifacts:

- Doc: `/docs/security/console-security.md`
- Doc: `/docs/cli-vs-ui-parity.md`
- Doc: `/docs/accessibility.md`
- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE)

cc: `@authority-core`, `@security-guild`, `@docs-guild`
@@ -1,9 +1,9 @@
# 2025-10-29 – Export Center provenance/signing doc

## Summary
- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.

## Follow-ups
- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.
# 2025-10-29 – Export Center provenance/signing doc

## Summary
- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.

## Follow-ups
- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.
@@ -1,10 +1,10 @@
# 2025-10-29 – Notifications Studio docs sync prep

## Summary
- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39.
- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.

## Follow-ups
- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.
# 2025-10-29 – Notifications Studio docs sync prep

## Summary
- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39.
- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.

## Follow-ups
- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.
@@ -1,12 +1,12 @@
# 2025-10-31 — Console Security Docs Refresh

## Summary
- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.

## Impact
- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
# 2025-10-31 — Console Security Docs Refresh

## Summary
- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.

## Impact
- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.
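Review bot: the second Summary bullet lowers the default Authority access-token lifetime to 120 seconds, which affects every client that relies on the default and not only the Console, yet the Impact section only lists Console release notes, the Security Guild checklist and deployment reminders; add an Impact line for non-Console clients whose refresh cadence was tuned to the previous default, and say where the lifetime is configured if a client needs a different value.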
@@ -15,8 +15,8 @@ MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create|verify` commands wi
MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator)


If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md
If all tasks are done - read next sprint section - SPRINT_0120_0000_0001_policy_reasoning.md

> 2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.

> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.
> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.
@@ -9,7 +9,7 @@
| AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 |
| EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 |
| AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
| LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
| CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 |
| SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
| SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
@@ -32,9 +32,9 @@
| 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
| 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
| 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
| 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
| 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
| 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
| 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 |
| 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 |
| 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 |
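Review bot: the renamed rows 29-007, 29-008 and 29-009 now point at `SPRINT_0120_0000_0001_policy_reasoning`, while the 30-001..30-003 rows in the same hunk keep `SPRINT_129_policy_reasoning` in the old naming scheme; confirm that only sprint 120 was renamed, otherwise those rows will reference a sprint file that no longer exists under its old name.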
@@ -48,7 +48,7 @@
| 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 |
| 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 |
| 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
| 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
| 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 |
| 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 |
| 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
|
||||
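Review bot: 31-008 still lists `AIAI-31-006; AIAI-31-007` as open dependencies under `SPRINT_110_ingestion_evidence`, although AIAI-31-007 is recorded as DONE (2025-11-06) further down in this patch; refresh the dependency column when a blocker closes, otherwise the tracker overstates what is blocked. The 34-101 rename to `SPRINT_0120_0000_0001_policy_reasoning` is consistent with its `29-009` / `LEDGER-29-009` dependency renamed in the previous hunk. Style: `401-004` wraps its path in backticks while neighbouring rows use bare paths, and 44-001 repeats `(ops/deployment)` inside the owner cell although the path column already carries it.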
@@ -61,7 +61,7 @@
|
||||
| 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 |
|
||||
| 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 |
|
||||
| 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 |
|
||||
| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
|
||||
| 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
|
||||
| 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 |
|
||||
| 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 |
|
||||
| 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 |
|
||||
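Review bot: `58 series` is a placeholder rather than a task id, and both of its dependency columns are blank, so after the move to `SPRINT_0120_0000_0001_policy_reasoning` the row still cannot be cross-referenced from the `LEDGER-AIRGAP-58-001` or `EXCITITOR-AIRGAP-58` rows elsewhere in this patch. Suggest listing the concrete `LEDGER-AIRGAP-58-*` ids or filling in the dependency cells (the AirGap and Evidence Locker guilds are named as co-owners, so the upstream bundle and locker contracts belong there). Also 54-001 has an empty path column next to `Await PGMI0101 staffing confirmation`; use a dash as the other unassigned rows do rather than an empty cell.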
@@ -940,14 +940,14 @@
|
||||
| EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 |
|
||||
| EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 |
|
||||
| EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
|
||||
| EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
|
||||
| EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 |
|
||||
| EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 |
|
||||
| EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 |
|
||||
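Review bot: the rename touches only `SPRINT_119_excititor_i` (now `SPRINT_0119_0001_0001_excititor_i`); the SUSE and Ubuntu connector rows in the same hunk stay on `SPRINT_120_excititor_ii`, and `SPRINT_120_policy_reasoning` is renamed to a padded id elsewhere in this patch, so two distinct sprints still share number 120 in the unpadded form. If the padded ids exist to disambiguate, `SPRINT_120_excititor_ii` should be renamed in the same change. Separately, EXCITITOR-CONN-SUSE-01-003 and EXCITITOR-CONN-UBUNTU-01-003 show `TODO` in the status column while their notes open with `DONE (2025-11-09)`; the status column is what downstream readers filter on, so move the completion and date there. Minor: EXCITITOR-AIRGAP-57-001's note says it depends on EXCITITOR-AIRGAP-56-001 while its dependency cell says EXCITITOR-AIRGAP-57; record both or pick the one the chain should block on.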
@@ -1143,17 +1143,17 @@
|
||||
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
|
||||
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
|
||||
| LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
|
||||
| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
|
||||
| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
|
||||
| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
|
||||
| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
|
||||
| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
|
||||
| LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
|
||||
| LEDGER-29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
|
||||
| LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
|
||||
| LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
|
||||
| LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 |
|
||||
| LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 |
|
||||
| LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 |
|
||||
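Review bot: the `SPRINT_120_policy_reasoning` rows in this hunk are moved to the padded id, but LEDGER-ATTEST-73-002, LEDGER-EXPORT-35-001 and LEDGER-OAS-61-001 remain on `SPRINT_121_policy_reasoning` for the same guild and module; confirm whether 121 is also due a padded id, otherwise the Findings Ledger rows span two naming schemes. Data issues carried over unchanged into the renamed rows: LEDGER-AIRGAP-56 lists the program id `PLLG0102` in both dependency cells instead of a task; the owner cells of LEDGER-AIRGAP-57-001, LEDGER-AIRGAP-58-001 and LEDGER-ATTEST-73-001 embed `/ src/Findings/StellaOps.Findings.Ledger`, duplicating the path column; KMS-73-002's dependency cell is the literal `FIDO2`. For LEDGER-AIRGAP-56-002, which blocks risk-critical exports once findings are stale beyond thresholds, the row should say where those thresholds are defined, since that block is a policy decision auditors will ask about alongside the `bundle_id`, `merkle_root` and `time_anchor` recorded by LEDGER-AIRGAP-56-001.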
@@ -2228,7 +2228,7 @@
|
||||
| AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 |
|
||||
| EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 |
|
||||
| AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
|
||||
| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
|
||||
| LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
|
||||
| CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 |
|
||||
| SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
|
||||
| SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
|
||||
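Review bot: LEDGER-29-006 is moved to `SPRINT_0120_0000_0001_policy_reasoning` but has an empty path column and dashes in both dependency cells, although every row that depends on it (LEDGER-29-007 and 29-007 above) sits in `src/Findings/StellaOps.Findings.Ledger`; fill in the module so the root of that chain is locatable. The unchanged rows here include `SPRINT_150_mirror_time` and `SPRINT_150_mirror_orch`, two sprints sharing number 150, which is the same kind of collision the padded scheme appears meant to resolve; worth covering in the same rename pass.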
@@ -2251,9 +2251,9 @@
|
||||
| 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
|
||||
| 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
|
||||
| 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
|
||||
| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
|
||||
| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
|
||||
| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
|
||||
| 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
|
||||
| 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
|
||||
| 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
|
||||
| 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 |
|
||||
| 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 |
|
||||
| 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 |
|
||||
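Review bot: this hunk (`@@ -2251`) repeats the rows of the `@@ -48` hunk above row for row, so the file carries two copies of the tracker table roughly 2,200 lines apart. Both copies receive the identical partial rename here, which is correct, but maintaining the table twice is how the copies drift; consider keeping one copy and linking to it from the other position. The same inconsistency is present in this copy: 29-007 to 29-009 get `SPRINT_0120_0000_0001_policy_reasoning` while 30-001 to 30-003 stay on `SPRINT_129_policy_reasoning`, and dependency cells mix `29-007` with `LEDGER-29-007`.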
@@ -2267,7 +2267,7 @@
|
||||
| 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 |
|
||||
| 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 |
|
||||
| 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
|
||||
| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
|
||||
| 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
|
||||
| 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 |
|
||||
| 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 |
|
||||
| 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
|
||||
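Review bot: duplicate of the `@@ -48` hunk at a second position in the file; again only 34-101 moves to the padded sprint id, and 31-008 still shows `AIAI-31-006; AIAI-31-007` as open dependencies although AIAI-31-007 is recorded DONE (2025-11-06) in this patch. If the two copies of the table must stay, a Docs CI check that the two sections are byte-identical would catch the next edit that lands in only one of them.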
@@ -2280,7 +2280,7 @@
|
||||
| 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 |
|
||||
| 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 |
|
||||
| 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 |
|
||||
| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
|
||||
| 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
|
||||
| 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 |
|
||||
| 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 |
|
||||
| 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 |
|
||||
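Review bot: duplicate of the `@@ -61` hunk. The `58 series` placeholder is renamed to `SPRINT_0120_0000_0001_policy_reasoning` here as well but keeps blank dependency cells and no task id, so neither copy can be cross-referenced from the `LEDGER-AIRGAP-58-001` row; replace the placeholder with the concrete ids in both copies in the same change, or the two copies will disagree the first time one is corrected. 54-001's empty path cell is repeated here too.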
@@ -3161,14 +3161,14 @@
|
||||
| EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 |
|
||||
| EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 |
|
||||
| EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
|
||||
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
|
||||
| EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
|
||||
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
|
||||
| EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 |
|
||||
| EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 |
|
||||
| EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 |
|
||||
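Review bot: duplicate of the `@@ -940` hunk. The same two problems carry into this copy: `SPRINT_120_excititor_ii` on the SUSE and Ubuntu connector rows is left unpadded while `SPRINT_119_excititor_i` becomes `SPRINT_0119_0001_0001_excititor_i`, and EXCITITOR-CONN-SUSE-01-003 and EXCITITOR-CONN-UBUNTU-01-003 show `TODO` in the status column with `DONE (2025-11-09)` in the note. Since these connector rows describe emitting signer fingerprints and trust-tier metadata into the raw provenance envelope for VEX Lens/Policy to weigh, an inaccurate status here misreports whether that provenance is actually being produced; fix the status in both copies together.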
@@ -3364,17 +3364,17 @@
|
||||
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
|
||||
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
|
||||
| LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
|
||||
| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
|
||||
| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
|
||||
| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
|
||||
| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
|
||||
| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
|
||||
| LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
|
||||
| LEDGER-29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
|
||||
| LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
|
||||
| LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
|
||||
| LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
|
||||
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
|
||||
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
|
||||
| LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 |
|
||||
| LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 |
|
||||
| LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 |
@@ -0,0 +1,133 @@
Here’s a compact, practical way to think about **embedding in‑toto provenance attestations directly inside your event payloads** (instead of sidecar files), so your vuln/build graph stays temporally consistent.
---
### Why embed?
* **Atomicity:** build → publish → scan → VEX decisions share one event ID and clock; no dangling sidecars.
|
||||
* **Replayability:** the event stream alone reproduces state (great for offline kits/audits).
|
||||
* **Causal joins:** vulnerability findings can cite the exact provenance that led to an image/digest.
---
### Event shape (single, self‑contained envelope)
```json
|
||||
{
|
||||
"eventId": "01JDN2Q0YB8M…",
|
||||
"eventType": "build.provenance.v1",
|
||||
"occurredAt": "2025-11-13T10:22:31Z",
|
||||
"subject": {
|
||||
"artifactPurl": "pkg:docker/acme/api@sha256:…",
|
||||
"digest": {"sha256": "…"}
|
||||
},
|
||||
"provenance": {
|
||||
"kind": "in-toto-provenance",
|
||||
"dsse": {
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"payload": "<base64(in-toto Statement)>",
|
||||
"signatures": [{"keyid":"…","sig":"…"}]
|
||||
},
|
||||
"transparency": {
|
||||
"rekor": {"logIndex": 123456, "logID": "…", "entryUUID": "…"}
|
||||
}
|
||||
},
|
||||
"sig": {
|
||||
"envelope": "dsse",
|
||||
"alg": "Ed25519",
|
||||
"bundle": { "certChain": ["…"], "timestamp": "…" }
|
||||
},
|
||||
"meta": {
|
||||
"builderId": "https://builder.stella-ops.local/gha",
|
||||
"buildInvocationId": "gha-run-457812",
|
||||
"slsa": {"level": 3}
|
||||
}
|
||||
}
|
||||
```
**Notes**
* `provenance.dsse.payload` holds the raw in‑toto Statement (Statement + Subject + Predicate).
|
||||
* Keep both **artifact digest** (subject) and **statement subject** (inside payload) and verify they match on ingest.
---
### DB model (Mongo-esque)
* `events` collection: one doc per event (above schema).
|
||||
* **Compound index:** `{ "subject.digest.sha256": 1, "occurredAt": 1 }`
|
||||
* **Causal index:** `{ "meta.buildInvocationId": 1 }`
|
||||
* **Uniq guard:** `{ "eventId": 1 } unique`
---
### Ingest pipeline (deterministic)
1. **Verify DSSE:** check signature, cert roots (or offline trust bundle).
|
||||
2. **Validate Statement:** subject digests, builder ID, predicateType.
|
||||
3. **Upsert artifact node:** keyed by digest; attach `lastProvenanceEventId`.
|
||||
4. **Append event:** write once; never mutate (event‑sourced).
|
||||
5. **Emit derived edges:** `(builderId) --built--> (artifact@digest)` with `occurredAt`.
---
### Joining scans to provenance (temporal consistency)
* When a scan event arrives, resolve the **latest provenance event with `occurredAt ≤ scan.occurredAt`** for the same digest.
|
||||
* Store an edge `(artifact@digest) --scannedWith--> (scanner@version)` with a **pointer to the provenance eventId** used for policy.
---
### Minimal .NET 10 contracts
```csharp
|
||||
public sealed record DsseEnvelope(string PayloadType, string Payload, IReadOnlyList<DsseSig> Signatures);
|
||||
public sealed record Provenance(string Kind, DsseEnvelope Dsse, Transparency? Transparency);
|
||||
public sealed record EventSubject(string ArtifactPurl, Digest Digest);
|
||||
public sealed record EventEnvelope(
|
||||
string EventId, string EventType, DateTime OccurredAt,
|
||||
EventSubject Subject, Provenance Provenance, SigMeta Sig, Meta Meta);
|
||||
|
||||
public interface IEventVerifier {
|
||||
ValueTask VerifyAsync(EventEnvelope ev, CancellationToken ct);
|
||||
}
|
||||
public interface IEventIngestor {
|
||||
ValueTask IngestAsync(EventEnvelope ev, CancellationToken ct); // verify->validate->append->derive
|
||||
}
|
||||
```
---
### Policy hooks (VEX/Trust Algebra)
* **Rule:** “Only trust findings if the scan’s referenced provenance has `builderId ∈ AllowedBuilders` and `SLSA ≥ 3` and `time(scan) − time(prov) ≤ 24h`.”
|
||||
* **Effect:** drops stale/forged results and aligns all scoring to one timeline.
---
### Migration from sidecars
1. **Dual‑write** for one sprint: keep emitting sidecars, but also embed DSSE in events.
|
||||
2. Add **backfill job**: wraps historical sidecars into `build.provenance.v1` events (preserve original timestamps).
|
||||
3. Flip **consumers** (scoring/VEX) to **require `provenance` in the event**; keep sidecar reader only for legacy imports.
---
### Failure & edge cases
* **Oversized payloads:** gzip the DSSE payload; cap event body (e.g., 512 KB) and store overflow in `provenance.ref` (content‑addressed blob) while **hash‑linking** it in the event.
|
||||
* **Multiple subjects:** keep the Statement intact; still key the event by the **primary digest** you care about, but validate all subjects.
---
### Quick checklist to ship
* [ ] Event schema & JSON schema with strict types (no additionalProperties).
|
||||
* [ ] DSSE + in‑toto validators (offline trust bundles supported).
|
||||
* [ ] Mongo indexes + append‑only writer.
|
||||
* [ ] Temporal join in scanner consumer (≤ O(log n) via index).
|
||||
* [ ] VEX rules referencing `event.meta` & `provenance.dsse`.
|
||||
* [ ] Backfill task for legacy sidecars.
|
||||
* [ ] Replay test: rebuild graph from events only → identical results.
If you want, I can turn this into ready‑to‑drop **.proto + C# models**, plus a Mongo migration script and a tiny verifier service.
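Review bot: the relationship between the top-level `sig` block (`"envelope": "dsse"`, `"alg": "Ed25519"`, `"bundle": { "certChain": ["…"], "timestamp": "…" }`) and `provenance.dsse.signatures` is never defined, and step 1 of the ingest pipeline only says "Verify DSSE"; the document should state what `sig` covers (the canonical event body minus `sig` itself, or only the provenance block) and which of the two is checked first, because a consumer that validates only the inner DSSE will accept an envelope whose `occurredAt`, `subject` or `meta` was altered after the build. Related: the temporal join and the Trust Algebra rule (`time(scan) − time(prov) ≤ 24h`) are evaluated on `occurredAt`, a producer-asserted value; step 2 should cross-check it against the Rekor entry in `provenance.transparency` or `sig.bundle.timestamp` so that a back-dated provenance event cannot satisfy the freshness rule.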
@@ -0,0 +1,103 @@
Here’s a tight idea I think you’ll like: **make every VEX “non‑affected” verdict explain itself with provable, symbol‑level evidence**—not just “package X isn’t reachable,” but “function `Foo::bar()` (the vulnerable sink) is never called in any admissible execution of image Y,” backed by cryptographic provenance.
---
# Why this matters (quickly)
* **Trust**: Auditors and customers can verify why you suppressed a CVE.
|
||||
* **Quiet scanner**: Fewer false alarms because decisions cite concrete call‑paths (or their absence).
|
||||
* **Moat**: Competitors stop at file/package reachability; you show **function‑level** proof tied to in‑toto attestations.
---
# Core concept (plain)
Blend two things:
1. **Deterministic symbol reachability** (per language): build minimal call graphs and mark whether the vulnerable symbol is callable from your app’s entrypoints.
|
||||
2. **in‑toto‑anchored provenance**: sign the *inputs and reasoning* (rules, SBOM slice, call‑graph hash, evidence artifacts), so the verdict can be independently re‑verified.
Result: each VEX decision is a **verifiable mini‑proof**.
---
# What the evidence looks like (per CVE/component)
* **Symbol set**: canonical IDs of vulnerable functions (e.g., `pkg@ver#Type::Method(sig)`).
|
||||
* **Call‑graph digest**: hash of pruned call graph from app entrypoints to those symbols.
|
||||
* **Evidence**:
* Static: “No path from any entrypoint → {vuln symbols} (k=0).”
|
||||
* Optional runtime: sampled traces (EventPipe/JFR/eBPF) show **0 hits** to symbols/guards.
|
||||
* **Context**: build inputs (SBOM, lockfiles, compile units), framework models used, versions.
|
||||
* **Attestation**: in‑toto/DSSE signed bundle with reproducible scan manifest.
---
# Minimal prototype this week (Scanner reachability scorer)
1. **Symbol mappers (MVP)**
* .NET: read PDB + IL to enumerate `MethodDef` symbols; map NuGet pkg → assembly → methods.
|
||||
* JVM: JAR index + method table (from ASM); map Maven coords → classes → methods.
|
||||
2. **Entrypoint discovery**
* Docker CMD/ENTRYPOINT → process launch → managed main(s) (ASP.NET Program.Main, Spring Boot main).
|
||||
3. **Shallow call‑graph** (no fancy points‑to yet):
* Direct calls + common framework handoffs (ASP.NET routing → controller; Spring @RequestMapping → handler).
|
||||
4. **Vuln ↔ symbol alignment**
* Heuristics: match GHSA/OSV “affected functions” or patch diff to infer symbol names; fallback to package‑scope verdict with a flag “symbol‑inferred: false”.
|
||||
5. **Decision object**
* `ReachabilityDecision.json` with: entrypoints, symbol set, path_count, notes, hashes.
|
||||
6. **Attest**
* Emit `reachability.intoto.jsonl` (subject = image digest + SBOM component + symbol digest). Cosign with your test key.
|
||||
7. **VEX output**
* OpenVEX statement reason: `component_not_present` or `vulnerable_code_not_in_execute_path` with `justification_url` → small HTML report (signed).
---
# Data & schemas to add
* `Scanner.Reachability/`
* `SymbolIndex` (pkg → assemblies/classes/methods)
|
||||
* `EntryPoints` (per image, normalized)
|
||||
* `CallGraphPruned` (edges + hash)
|
||||
* `Decision` (path_count, evidence, versions)
|
||||
* `Authority`
* Key management for DSSE; policy to **require** reachability evidence for “non‑affected”.
---
# Language roadmap (fast win → harder)
* **Week 1–2:** .NET + JVM shallow graphs + ASP.NET/Spring models.
|
||||
* **Week 3–4:** Node/TS (TS compiler API), Go (SSA), Python (import graph + common web frameworks).
|
||||
* **Stretch:** Rust/Swift (MIR/SIL summaries), native (symbols + coarse edges), Shell (exec chain).
---
# Where to surface it (UX)
* VEX details panel: “Non‑affected (0 call paths)” → expand → show entrypoints, collapsed edge list, trace hit‑counts, and “Verify attestation” button.
|
||||
* CLI: `stella scan --explain CVE-XYZ --verify-attestation`.
---
# Guardrails
* If symbol mapping is uncertain, **do not** claim “non‑affected”; downgrade to “under review” with rationale.
|
||||
* Cache symbol indexes per package version; keep the call‑graph pruned to entrypoint cones for speed.
|
||||
* Everything reproducible: the **scan manifest** (feeds, rule versions, hashes) must recreate the same decision bit‑for‑bit.
---
If you want, I can draft the exact C# namespaces, interfaces, and the OpenVEX + in‑toto payloads you can drop into `Scanner.Reachability` and `Authority.Attest`.
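Review bot: step 7 emits `vulnerable_code_not_in_execute_path` whenever the decision reports no path, but nothing in steps 3 to 7 gates that on the confidence signals introduced earlier: step 3 builds a shallow call graph ("no fancy points-to yet", direct calls plus framework handoffs), which cannot see reflection, dynamic dispatch or DI-resolved handlers, and step 4 allows a package-scope fallback flagged `symbol-inferred: false`. A `path_count` of 0 from that graph does not support the opening claim that the sink "is never called in any admissible execution". In line with the Guardrails section, the `Decision` object should record the analysis level (shallow vs points-to) and whether the symbol set was confirmed, and the VEX emitter should issue `vulnerable_code_not_in_execute_path` only when both hold, otherwise `under_investigation` with the rationale. The OpenVEX field named `justification_url` should also be checked against the OpenVEX spec before `Authority` policy depends on it.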
@@ -0,0 +1,488 @@
Here is a complete, implementation-ready sketch you can drop into your solution and tune.
|
||||
|
||||
I assume:
|
||||
|
||||
* ASP.NET Core Web API (.NET 10).
|
||||
* EF `DbContext` with `DbSet<PolCensusList>`.
|
||||
* Excel via **ClosedXML** (clean API, MIT license, built on OpenXML).
|
||||
|
||||
---
|
||||
|
||||
## 1. NuGet packages
|
||||
|
||||
Add to the Web/API project:
|
||||
|
||||
```bash
|
||||
dotnet add package ClosedXML
|
||||
dotnet add package DocumentFormat.OpenXml
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 2. File repository abstraction
|
||||
|
||||
This matches your requirement: upload/download by `bucketId` + `fileId`, plus stream variants.
|
||||
|
||||
```csharp
|
||||
public interface IFileRepository
|
||||
{
|
||||
// Uploads a file identified by bucketId + fileId from a Stream
|
||||
Task UploadAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
Stream content,
|
||||
string contentType,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
// Uploads a file from an in-memory buffer
|
||||
Task UploadAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
byte[] content,
|
||||
string contentType,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
// Downloads a file as a Stream (caller is responsible for disposing)
|
||||
Task<Stream> DownloadAsStreamAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
// Downloads a file as a byte[] buffer
|
||||
Task<byte[]> DownloadAsBytesAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
CancellationToken cancellationToken = default);
|
||||
}
|
||||
```
|
||||
|
||||
Example of a simple implementation over some `IFileStoreClient` (adjust to your FileStore API):
|
||||
|
||||
```csharp
|
||||
public sealed class FileStoreRepository : IFileRepository
|
||||
{
|
||||
private readonly IFileStoreClient _client;
|
||||
|
||||
public FileStoreRepository(IFileStoreClient client)
|
||||
{
|
||||
_client = client;
|
||||
}
|
||||
|
||||
public async Task UploadAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
Stream content,
|
||||
string contentType,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
// Example – adapt to your real client
|
||||
await _client.PutObjectAsync(
|
||||
bucketId: bucketId,
|
||||
objectId: fileId,
|
||||
content: content,
|
||||
contentType: contentType,
|
||||
cancellationToken: cancellationToken);
|
||||
}
|
||||
|
||||
public async Task UploadAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
byte[] content,
|
||||
string contentType,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
await using var ms = new MemoryStream(content, writable: false);
|
||||
await UploadAsync(bucketId, fileId, ms, contentType, cancellationToken);
|
||||
}
|
||||
|
||||
public async Task<Stream> DownloadAsStreamAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
// Must return a readable Stream ready for ClosedXML
|
||||
return await _client.GetObjectStreamAsync(
|
||||
bucketId: bucketId,
|
||||
objectId: fileId,
|
||||
cancellationToken: cancellationToken);
|
||||
}
|
||||
|
||||
public async Task<byte[]> DownloadAsBytesAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
await using var stream = await DownloadAsStreamAsync(bucketId, fileId, cancellationToken);
|
||||
using var ms = new MemoryStream();
|
||||
await stream.CopyToAsync(ms, cancellationToken);
|
||||
return ms.ToArray();
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Register in DI:
|
||||
|
||||
```csharp
|
||||
builder.Services.AddScoped<IFileRepository, FileStoreRepository>();
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 3. Import service for `PolCensusList` from Excel
|
||||
|
||||
To keep the controller thin, put Excel parsing + EF into a service.
|
||||
|
||||
Assumptions (adjust as needed):
|
||||
|
||||
* The file is an `.xlsx` with a header row.
|
||||
* Data starts at row 2.
|
||||
* Columns are:
|
||||
|
||||
| Column | Excel | Property |
|
||||
| ------ | ----- | -------------- |
|
||||
| A | 1 | CustPid |
|
||||
| B | 2 | Gname |
|
||||
| C | 3 | Sname |
|
||||
| D | 4 | Fname |
|
||||
| E | 5 | BirthDate |
|
||||
| F | 6 | Gender |
|
||||
| G | 7 | Bmi |
|
||||
| H | 8 | Dependant |
|
||||
| I | 9 | DependantOn |
|
||||
| J | 10 | MemberAction |
|
||||
| K | 11 | GrpCode |
|
||||
| L | 12 | BeginDate |
|
||||
| M | 13 | SrCustId |
|
||||
| N | 14 | MemberPolicyId |
|
||||
| O | 15 | MemberAnnexId |
|
||||
| P | 16 | ErrMsg |
|
||||
|
||||
Other fields (`SrPolicyId`, `SrAnnexId`, `FileId`, `Tstamp`) are taken from parameters/system.
|
||||
|
||||
```csharp
|
||||
using System.Globalization;
|
||||
using ClosedXML.Excel;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
public interface IPolCensusImportService
|
||||
{
|
||||
Task<int> ImportFromExcelAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
decimal srPolicyId,
|
||||
decimal srAnnexId,
|
||||
CancellationToken cancellationToken = default);
|
||||
}
|
||||
|
||||
public sealed class PolCensusImportService : IPolCensusImportService
|
||||
{
|
||||
private readonly SerdicaHealthContext _dbContext;
|
||||
private readonly IFileRepository _fileRepository;
|
||||
|
||||
public PolCensusImportService(
|
||||
SerdicaHealthContext dbContext,
|
||||
IFileRepository fileRepository)
|
||||
{
|
||||
_dbContext = dbContext;
|
||||
_fileRepository = fileRepository;
|
||||
}
|
||||
|
||||
public async Task<int> ImportFromExcelAsync(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
decimal srPolicyId,
|
||||
decimal srAnnexId,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
await using var stream = await _fileRepository.DownloadAsStreamAsync(bucketId, fileId, cancellationToken);
|
||||
using var workbook = new XLWorkbook(stream);
|
||||
var worksheet = workbook.Worksheets.First();
|
||||
|
||||
var now = DateTime.UtcNow;
|
||||
var entities = new List<PolCensusList>();
|
||||
|
||||
const int headerRow = 1;
|
||||
var firstDataRow = headerRow + 1;
|
||||
|
||||
for (var row = firstDataRow; ; row++)
|
||||
{
|
||||
var rowRange = worksheet.Row(row);
|
||||
if (rowRange.IsEmpty()) break; // Stop on first fully empty row
|
||||
|
||||
// Minimal “empty row” check – no CustPid and no Name => stop
|
||||
var custPidCell = rowRange.Cell(1);
|
||||
var gnameCell = rowRange.Cell(2);
|
||||
var snameCell = rowRange.Cell(3);
|
||||
|
||||
if (custPidCell.IsEmpty() && gnameCell.IsEmpty() && snameCell.IsEmpty())
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
var entity = new PolCensusList
|
||||
{
|
||||
// Non-null FK fields from parameters
|
||||
SrPolicyId = srPolicyId,
|
||||
SrAnnexId = srAnnexId,
|
||||
|
||||
CustPid = custPidCell.GetString().Trim(),
|
||||
Gname = gnameCell.GetString().Trim(),
|
||||
Sname = snameCell.GetString().Trim(),
|
||||
Fname = rowRange.Cell(4).GetString().Trim(),
|
||||
BirthDate = GetDate(rowRange.Cell(5)),
|
||||
Gender = rowRange.Cell(6).GetString().Trim(),
|
||||
Bmi = GetDecimal(rowRange.Cell(7)),
|
||||
Dependant = rowRange.Cell(8).GetString().Trim(),
|
||||
DependantOn = rowRange.Cell(9).GetString().Trim(),
|
||||
MemberAction = rowRange.Cell(10).GetString().Trim(),
|
||||
GrpCode = rowRange.Cell(11).GetString().Trim(),
|
||||
BeginDate = GetNullableDate(rowRange.Cell(12)),
|
||||
SrCustId = GetNullableDecimal(rowRange.Cell(13)),
|
||||
MemberPolicyId= GetNullableDecimal(rowRange.Cell(14)),
|
||||
MemberAnnexId = GetNullableDecimal(rowRange.Cell(15)),
|
||||
ErrMsg = rowRange.Cell(16).GetString().Trim(),
|
||||
|
||||
// Audit / technical fields
|
||||
Tstamp = now,
|
||||
FileId = fileId,
|
||||
|
||||
// Attr* left null for now – can be mapped later if needed
|
||||
};
|
||||
|
||||
entities.Add(entity);
|
||||
}
|
||||
|
||||
await using var transaction = await _dbContext.Database.BeginTransactionAsync(cancellationToken);
|
||||
try
|
||||
{
|
||||
await _dbContext.PolCensusLists.AddRangeAsync(entities, cancellationToken);
|
||||
var affected = await _dbContext.SaveChangesAsync(cancellationToken);
|
||||
await transaction.CommitAsync(cancellationToken);
|
||||
return affected;
|
||||
}
|
||||
catch
|
||||
{
|
||||
await transaction.RollbackAsync(cancellationToken);
|
||||
throw;
|
||||
}
|
||||
}
|
||||
|
||||
private static DateTime GetDate(IXLCell cell)
|
||||
{
|
||||
if (cell.DataType == XLDataType.DateTime &&
|
||||
cell.GetDateTime() != default)
|
||||
{
|
||||
return cell.GetDateTime().Date;
|
||||
}
|
||||
|
||||
var raw = cell.GetString().Trim();
|
||||
if (string.IsNullOrEmpty(raw))
|
||||
throw new InvalidOperationException("BirthDate is required but empty.");
|
||||
|
||||
// Try a few reasonable formats – extend if needed
|
||||
var formats = new[]
|
||||
{
|
||||
"dd.MM.yyyy",
|
||||
"dd/MM/yyyy",
|
||||
"yyyy-MM-dd",
|
||||
"M/d/yyyy",
|
||||
};
|
||||
|
||||
if (DateTime.TryParseExact(raw, formats,
|
||||
CultureInfo.InvariantCulture,
|
||||
DateTimeStyles.AssumeLocal,
|
||||
out var dt))
|
||||
{
|
||||
return dt.Date;
|
||||
}
|
||||
|
||||
if (DateTime.TryParse(raw, CultureInfo.CurrentCulture,
|
||||
DateTimeStyles.AssumeLocal, out var dt2))
|
||||
{
|
||||
return dt2.Date;
|
||||
}
|
||||
|
||||
throw new FormatException($"Cannot parse date value '{raw}'.");
|
||||
}
|
||||
|
||||
private static DateTime? GetNullableDate(IXLCell cell)
|
||||
{
|
||||
if (cell.IsEmpty()) return null;
|
||||
|
||||
if (cell.DataType == XLDataType.DateTime &&
|
||||
cell.GetDateTime() != default)
|
||||
{
|
||||
return cell.GetDateTime().Date;
|
||||
}
|
||||
|
||||
var raw = cell.GetString().Trim();
|
||||
if (string.IsNullOrEmpty(raw)) return null;
|
||||
|
||||
var formats = new[]
|
||||
{
|
||||
"dd.MM.yyyy",
|
||||
"dd/MM/yyyy",
|
||||
"yyyy-MM-dd",
|
||||
"M/d/yyyy",
|
||||
};
|
||||
|
||||
if (DateTime.TryParseExact(raw, formats,
|
||||
CultureInfo.InvariantCulture,
|
||||
DateTimeStyles.AssumeLocal,
|
||||
out var dt))
|
||||
{
|
||||
return dt.Date;
|
||||
}
|
||||
|
||||
if (DateTime.TryParse(raw, CultureInfo.CurrentCulture,
|
||||
DateTimeStyles.AssumeLocal, out var dt2))
|
||||
{
|
||||
return dt2.Date;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private static decimal GetDecimal(IXLCell cell)
|
||||
{
|
||||
if (cell.IsEmpty()) return 0m;
|
||||
|
||||
if (cell.DataType == XLDataType.Number)
|
||||
{
|
||||
return (decimal)cell.GetDouble();
|
||||
}
|
||||
|
||||
var raw = cell.GetString().Trim();
|
||||
if (string.IsNullOrEmpty(raw)) return 0m;
|
||||
|
||||
// Try invariant and current culture
|
||||
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result))
|
||||
return result;
|
||||
|
||||
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result))
|
||||
return result;
|
||||
|
||||
throw new FormatException($"Cannot parse decimal value '{raw}'.");
|
||||
}
|
||||
|
||||
private static decimal? GetNullableDecimal(IXLCell cell)
|
||||
{
|
||||
if (cell.IsEmpty()) return null;
|
||||
|
||||
if (cell.DataType == XLDataType.Number)
|
||||
{
|
||||
return (decimal)cell.GetDouble();
|
||||
}
|
||||
|
||||
var raw = cell.GetString().Trim();
|
||||
if (string.IsNullOrEmpty(raw)) return null;
|
||||
|
||||
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result))
|
||||
return result;
|
||||
|
||||
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result))
|
||||
return result;
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Register the service:
|
||||
|
||||
```csharp
|
||||
builder.Services.AddScoped<IPolCensusImportService, PolCensusImportService>();
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 4. API endpoint: import census data by `fileId`
|
||||
|
||||
Controller for IPAL / Serdica health module:
|
||||
|
||||
```csharp
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
[ApiController]
|
||||
[Route("api/health/census")]
|
||||
public sealed class PolCensusController : ControllerBase
|
||||
{
|
||||
private readonly IPolCensusImportService _importService;
|
||||
|
||||
public PolCensusController(IPolCensusImportService importService)
|
||||
{
|
||||
_importService = importService;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Imports census members from an Excel file stored in FileStore.
|
||||
/// </summary>
|
||||
/// <param name="bucketId">Logical bucket / container in FileStore (e.g. "ipal-serdica-census").</param>
|
||||
/// <param name="fileId">Unique file identifier in FileStore.</param>
|
||||
/// <param name="srPolicyId">Serdica policy id (FK for PolCensusList).</param>
|
||||
/// <param name="srAnnexId">Serdica annex id (FK for PolCensusList).</param>
|
||||
[HttpPost("import/{bucketId}/{fileId}")]
|
||||
public async Task<IActionResult> ImportFromFile(
|
||||
string bucketId,
|
||||
string fileId,
|
||||
[FromQuery] decimal srPolicyId,
|
||||
[FromQuery] decimal srAnnexId,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
var importedCount = await _importService.ImportFromExcelAsync(
|
||||
bucketId,
|
||||
fileId,
|
||||
srPolicyId,
|
||||
srAnnexId,
|
||||
cancellationToken);
|
||||
|
||||
return Ok(new
|
||||
{
|
||||
imported = importedCount,
|
||||
fileId,
|
||||
bucketId,
|
||||
srPolicyId,
|
||||
srAnnexId
|
||||
});
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 5. Optional: upload endpoint using `IFileRepository`
|
||||
|
||||
If you want a simple upload entry point compatible with the repository:
|
||||
|
||||
```csharp
|
||||
[HttpPost("upload")]
|
||||
public async Task<IActionResult> UploadCensusFile(
|
||||
[FromForm] IFormFile file,
|
||||
[FromQuery] string bucketId,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
if (file == null || file.Length == 0)
|
||||
return BadRequest("File is required.");
|
||||
|
||||
var fileId = Guid.NewGuid().ToString("N");
|
||||
|
||||
await using var stream = file.OpenReadStream();
|
||||
await _fileRepository.UploadAsync(
|
||||
bucketId,
|
||||
fileId,
|
||||
stream,
|
||||
file.ContentType ?? "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
|
||||
cancellationToken);
|
||||
|
||||
return Ok(new { fileId, bucketId });
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
If you tell me:
|
||||
|
||||
* the exact Excel column layout you will get from IPAL / Serdica
|
||||
* whether `CensusId` is sequence-generated in Oracle or must be populated in code,
|
||||
|
||||
I can tighten the mapping + EF configuration so that it matches your schema 1:1 and is ready for production.
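Review bot: `ImportFromFile` (route `import/{bucketId}/{fileId}`) and `UploadCensusFile` pass caller-supplied `bucketId`/`fileId` straight to `IFileRepository` with no `[Authorize]` attribute, no allow-list of bucket IDs and no check that the caller may act on the given `srPolicyId`/`srAnnexId`, so as written any client that reaches the API can read or write arbitrary FileStore objects and insert census rows under any policy; add authorization and restrict `bucketId` to a configured set before this ships. Two smaller points: `UploadCensusFile` stores the client-supplied `file.ContentType` and never checks size or that the payload is an `.xlsx`, and the date helpers parse with `DateTimeStyles.AssumeLocal` while `Tstamp` is set from `DateTime.UtcNow`, so one row mixes local and UTC kinds. This file is also outside the scope stated in the commit message (an IPAL/Serdica census import rather than scanner advisories) and reads as accidentally included.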
@@ -0,0 +1,131 @@
Here’s a compact, implementation‑ready blueprint to make your scanner’s results quiet, explainable, and auditable end‑to‑end.
# Phase the “proof spine”
1. **SBOM‑only → VEX‑ready → Attested**
* **SBOM (now):** Generate SPDX 3.0.1 + CycloneDX 1.6 for every image/module. Include purls, CPE (if available), license IDs, source URIs, and build metadata.
|
||||
* **VEX‑ready (next):** Normalize vuln inputs (OSV, GHSA, vendor feeds) to a single internal model; keep fields needed for VEX (status, justification, impact, action, timestamp, issuer).
|
||||
* **Attest (then):** Emit **in‑toto/DSSE** attestations that bind: (a) SBOM digest, (b) ruleset version, (c) data sources & hashes, (d) VEX decisions. Log statement references in **Rekor** (or your mirror) for transparency.
|
||||
|
||||
# Explainability path (per alert)
|
||||
|
||||
For every surfaced finding, materialize:
|
||||
|
||||
* **Origin SBOM node** → component@version (with purl/CPE)
|
||||
* **Match rule** → which matcher hit (name+version, range, CPE heuristics, source trust)
|
||||
* **VEX gate** → decision with justification (e.g., affected/not_affected, component_not_present, configuration_needed)
|
||||
* **Reachability trace** → static (call graph path) and/or runtime (probe hits) to the vulnerable symbol(s)
|
||||
* **Deterministic score** → numeric risk built from stable inputs (below)
|
||||
Expose this as a single JSON object and a short, human‑readable proof block in the UI/CLI.
|
||||
|
||||
# Smart‑Diff (incremental analysis)
|
||||
|
||||
* **Change detector:** hash symbols/packages and dependency graphs; on new scans, diff against prior state.
|
||||
* **Selective re‑analysis:** only re‑parse/re‑solve changed modules, lockfiles, or call‑graph regions.
|
||||
* **Memoized match & reachability:** cache vuln matches and reachability slices per (component, version, framework‑model) key.
|
||||
|
||||
# Scoring (quiet by design)
|
||||
|
||||
Use stable, auditable inputs:
|
||||
|
||||
* **Base:** CVSS v4.0 metrics (as provided by source), fall back to v3.1 if v4 missing.
|
||||
* **Exploit maturity:** explicit flags when present (known exploited, PoC available, none).
|
||||
* **Reachability boost/penalty:** function‑level confirmation > package‑level guess; runtime evidence > static‑only.
|
||||
* **Compensating controls:** WAF/feature flags/sandboxing recorded as gates that reduce surfaced priority (but never erase provenance).
|
||||
|
||||
# Minimal data contracts (copy‑paste into your code)
|
||||
|
||||
**SBOM node (core):**
|
||||
|
||||
```json
|
||||
{
|
||||
"purl": "pkg:npm/lodash@4.17.21",
|
||||
"hashes": [{"alg":"sha256","value":"..."}],
|
||||
"licenses": ["MIT"],
|
||||
"build": {"sourceUri":"git+https://...","commit":"..."},
|
||||
"attestations": [{"type":"intoto","subjectDigest":"sha256:..."}]
|
||||
}
|
||||
```
|
||||
|
||||
**Finding proof (per alert):**
|
||||
|
||||
```json
|
||||
{
|
||||
"id": "FND-abc123",
|
||||
"component": {"purl":"pkg:maven/org.example/foo@1.2.3"},
|
||||
"vuln": {"id":"CVE-2024-XXXX","source":"OSV"},
|
||||
"matchRule": {"name":"purl-eq","details":{"range":"[1.2.0,1.2.5)"}},
|
||||
"vexGate": {"status":"affected","justification":"reachable_code_path"},
|
||||
"reachability": {
|
||||
"staticPath": ["Controller.handle","Service.parse","lib/vulnFunc"],
|
||||
"runtimeHits": [{"symbol":"lib/vulnFunc","count":37}]
|
||||
},
|
||||
"score": {"base":7.1,"exploit":"poc","reach":"function","final":8.4},
|
||||
"provenance": {
|
||||
"sbomDigest":"sha256:...",
|
||||
"ruleset":"signals-1.4.2",
|
||||
"feeds":[{"name":"OSV","etag":"..."}],
|
||||
"attRef":"rekor:sha256:..."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
# Services & where they live in Stella Ops
|
||||
|
||||
* **Sbomer**: Syft‑backed generators (SPDX/CycloneDX) + DSSE signing.
|
||||
* **Feedser/Concelier**: fetch & normalize vuln feeds (OSV/GHSA/vendor), maintain trust scores; “preserve‑prune source” rule stays.
|
||||
* **Scanner.WebService**: orchestrates analyzers; run lattice algorithms here (per your standing rule).
|
||||
* **Vexer/Excititor**: VEX issuance + policy evaluation (lattice gates).
|
||||
* **Authority**: key management, DSSE signing, Rekor client (and mirror) endpoints.
|
||||
* **Signals**: event‑sourced store for proofs, reachability artifacts, and scoring outputs.
|
||||
|
||||
# Policies (tiny DSL sketch)
|
||||
|
||||
```yaml
|
||||
version: 1
|
||||
sources:
|
||||
- id: osv
|
||||
trust: 0.9
|
||||
gates:
|
||||
- id: not-present
|
||||
when: component.present == false
|
||||
action: vex(status: not_affected, reason: component_not_present)
|
||||
- id: unreachable
|
||||
when: reachability.static == false and reachability.runtime == false
|
||||
action: vex(status: not_affected, reason: vulnerable_code_not_in_execute_path)
|
||||
scoring:
|
||||
base: cvss.v4 or cvss.v3
|
||||
adjust:
|
||||
- if: exploit.maturity in ["known_exploited","poc"]
|
||||
add: 0.8
|
||||
- if: reachability.function_confirmed
|
||||
add: 1.1
|
||||
- if: gate == "not-present"
|
||||
subtract: 3.0
|
||||
```
|
||||
|
||||
# Attestations & transparency (pragmatic path)
|
||||
|
||||
* **Produce** DSSE‑wrapped in‑toto statements for SBOM, ScanResult, and VEXBundle.
|
||||
* **Record** statement digests in Rekor (or your **Proof‑Market** mirror) with pointers back to your artifact store.
|
||||
* **Bundle** offline kits with SBOM+VEX+attestations and a mini‑Rekor log segment for air‑gapped audits.
|
||||
|
||||
# UX: one‑screen truth
|
||||
|
||||
* Table of findings with **Final Score**, a **“Why?”** button expanding the 5‑part proof chain, and **Fix** suggestions.
|
||||
* Global toggles: *Show only reachable*, *Mute not‑affected*, *Show deltas* (Smart‑Diff), *Export VEX*.
|
||||
|
||||
# “Done next” checklist
|
||||
|
||||
* Wire Syft→SPDX/CycloneDX→DSSE emit → Rekor client.
|
||||
* Normalize feeds to a single vuln model with trust weights.
|
||||
* Implement **FindingProof** schema and persist it in Signals.
|
||||
* Add **Symbolizer + per‑lang reachability** stubs (even minimal) to populate `reachability` fields.
|
||||
* Ship VEX export (OpenVEX/CSAF) based on current gates.
|
||||
* Add Smart‑Diff over SBOM + symbol graph hashes.
|
||||
* Surface the full proof chain in UI/CLI.
|
||||
|
||||
If you want, I can drop in concrete .NET 10 interfaces/classes for each component and a first pass of the Rekor/DSSE helpers next.
|
||||
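Review bot: the `unreachable` gate in the policy sketch (`when: reachability.static == false and reachability.runtime == false`) turns absence of evidence into a `not_affected` VEX statement; for a language whose symbolizer is still one of the "even minimal" stubs from the checklist, both flags will be false and the finding is silently muted. Suggest a three-valued reachability (`true|false|unknown`, the form the rescan document on this page already uses) and gating only on a confirmed `false`. Separately, `"vexGate": {"status":"affected","justification":"reachable_code_path"}` in the finding-proof contract will not map onto the planned OpenVEX export, where `justification` is defined only for `not_affected`; keep the reachability reason in the `reachability` block and reserve `justification` for not-affected decisions.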
@@ -0,0 +1,102 @@


Here’s a compact, plain‑English plan to make your scanner **faster, quieter, and auditor‑friendly** by (1) diff‑aware rescans and (2) unified binary+source reachability—both drop‑in for Stella Ops.

# Deterministic, diff‑aware rescans (clean SBOM/VEX diffs)
**Goal:** Only recompute what changed; emit stable, minimal diffs reviewers can trust.

**Core ideas**
- **Per‑layer SBOM artifacts (cacheable):** For each image layer `L#`, persist:
- `sbom-L#.cdx.json` (CycloneDX), `hash(L#)`, `toolchain-hash`, `feeds-hash`.
- **Symbol‑fingerprints** for each discovered file: `algo|path|size|mtime|xxh3|funcIDs[]`.
- **Slice recomputation:** On new image `I'`, match layers via hashes; for changed layers or files, recompute *only* their call‑graph slices and vuln joins.
- **Deterministic manifests:** Every scan writes a `scan.lock.json` (inputs, feed versions, rules, lattice policy hash, tool versions, clocks) so results are **replayable**.

**Minimal data model (Mongo)**
- `scan_runs(_id, imageDigest, inputsHash, policyHash, feedsHash, startedAt, finishedAt, parentRunId?)`
- `layer_sboms(scanRunId, layerDigest, sbomCid, symbolIndexCid, layerHash)`
- `file_symbols(scanRunId, path, fileHash, funcIDs[], lang, size, mtime)`
- `diffs(fromRunId, toRunId, kind: 'sbom'|'vex'|'reachability', stats, patch)` (store JSON Patch)

**Algorithm sketch**
1. Resolve base image ancestry → map `old layer digest ↔ new layer digest`.
2. For unchanged layers: reuse `layer_sboms` + `file_symbols`.
3. For changed/added files: re‑symbolize + re‑analyze; restrict call‑graph build to **impacted SCCs**.
4. Re‑join OSV/GHSA/vendor vulns → compute reachability deltas → emit **stable JSON Patch**.

**CLI impact**
- `stella scan --deterministic --cache-dir ~/.stella/cache --emit-diff previousRunId`
- `stella diff --from <runA> --to <runB> --format jsonpatch|md`

---

# Unified binary + source reachability (function‑level)
**Goal:** Decide “is the vulnerable function reachable/used here?” across native and managed code.

**Extraction**
- **Binary symbolizers:**
- ELF: parse `.symtab`/`.dynsym`, DWARF (if present).
- Mach‑O/PE: export tables + DWARF/PDB (if present).
- Build **Canonical Symbol ID (CSID)**: `lang:pkg@ver!binary#file:function(signature)`; normalize C++/Rust mangling.
- **Source symbolizers:**
- .NET (Roslyn+IL), JVM (bytecode), Go (SSA), Node/TS (TS AST), Python (AST), Rust (HIR/MIR if available).
- **Bindings join:** Map FFI edges (P/Invoke, cgo, JNI/JNA, N-API) → **cross‑ecosystem call edges**:
- `.NET P/Invoke` → DLL export CSID.
- Java JNI → `Java_com_pkg_Class_Method` ↔ native export.
- Node N-API → addon exports ↔ JS require() site.

**Reachability pipeline**
1. Build per‑language call graphs (CG) with framework models (ASP.NET, Spring, Express, etc.).
2. Add FFI edges; merge into a **polyglot call graph**.
3. Mark **entrypoints** (container `CMD/ENTRYPOINT`, web handlers, cron, CLI verbs).
4. For each CVE → {pkg, version, affected symbols[]} map → **is any affected CSID on a path from an entrypoint?**
5. Output evidence:
- `reachable: true|false|unknown`
- shortest path (symbols list)
- probes (optional): runtime samples (EventPipe/JFR/uprobes) hitting CSIDs

**Artifacts emitted**
- `symbols.csi.jsonl` (all CSIDs)
- `polyglot.cg.slices.json` (only impacted SCCs for diffs)
- `reach.vex.json` (OpenVEX/CSAF with function‑level notes + confidence)

---

# What to build next (low‑risk, high‑impact)
- **[Week 1–2]** Per‑layer caches + `scan.lock.json`; file symbol‑fingerprints (xxh3 + top‑K funcIDs).
- **[Week 3–4]** ELF/PE/Mach‑O symbolizer lib with CSIDs; .NET IL + P/Invoke mapper.
- **[Week 5–6]** Polyglot CG merge + entrypoint discovery from Docker metadata; JSON Patch diffs.
- **[Week 7+]** Runtime probes (opt‑in) to boost confidence and suppress false positives.

---

# Tiny code seeds (C# hints)

**Symbol fingerprint (per file)**
```csharp
record SymbolFingerprint(
string Algo, string Path, long Size, long MTimeUnix,
string ContentHash, string[] FuncIds);
```

**Deterministic scan lock**
```csharp
record ScanLock(
string FeedsHash, string RulesHash, string PolicyHash, string Toolchain,
string ImageDigest, string[] LayerDigests, DateTimeOffset Clock,
IDictionary<string,string> EnvPins);
```

**JSON Patch diff emit**
```csharp
var patch = JsonDiffPatch.Diff(oldVexJson, newVexJson); // stable sort keys beforehand
File.WriteAllText("vex.diff.json", patch);
```

---

If you want, I can turn this into:
- a **.proto** for the cache/index objects,
- a **Mongo schema + indexes** (including compound keys for fast layer reuse),
- and a **.NET 10** service skeleton (`StellaOps.Scanner.WebService`) with endpoints:
`/scan`, `/diff/{from}/{to}`, `/reach/{runId}`.
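Review bot: two inputs listed here work against the replayability claim. The symbol fingerprint `algo|path|size|mtime|xxh3|funcIDs[]` (and `file_symbols(..., size, mtime)`) keys on `mtime`, which differs between otherwise identical builds unless timestamps are pinned, so unchanged files will miss the cache and `diffs` will report churn; make the content hash plus `funcIDs` the identity and keep `mtime` as a diagnostic field only. Likewise `ScanLock` carries `DateTimeOffset Clock`: record it, but exclude it from `inputsHash`/`policyHash` so two replays of the same inputs yield the same `scan.lock.json`. Minor: `JsonDiffPatch.Diff(...)` is shown without naming the library it comes from, so the "stable sort keys beforehand" comment has no concrete canonicalization step a reader can follow; name the package and the sort routine.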
@@ -0,0 +1,146 @@
Here’s a fast, practical idea to speed up container scans: add a **hash‑based SBOM layer cache** keyed by **(Docker layer digest + dependency‑manifest checksum)** so identical inputs skip recomputation and only verify attestations.

---

### What this is (in plain words)

* **Layers are immutable.** Each image layer already has a content digest (e.g., `sha256:...`).
* **Dependency state is declarative.** Lockfiles/manifest files (NuGet `packages.lock.json`, `package-lock.json`, `poetry.lock`, `go.sum`, etc.) summarize deps.
* If both the **layer bytes** and the **manifest content** are identical to something we’ve scanned before, recomputing the SBOM/VEX is wasted work. We can **reuse** the previous result (plus a quick signature/attestation check).

---

### Cache key

```
CacheKey = SHA256(
concat(
LayerDigestCanonical, // e.g., "sha256:abcd..."
'\n',
ManifestAlgo, // e.g., "sha256"
':',
ManifestChecksum // hash of lockfile(s) inside the layer FS view
)
)
```

* Optionally include toolchain IDs to prevent cross‑version skew:

* `SbomerVersion`, `ScannerRulesetVersion`, `FeedsSnapshotId` (OSV/NVD feed epoch), `PolicyBundleHash`.

---

### When it hits

* **Exact same layer + same manifests** → return cached **SBOM component graph + vuln findings + VEX** and **re‑verify** the **DSSE/in‑toto attestation** and timestamps (freshness SLA).
* **Same layer, manifests absent** → fall back to byte‑level heuristics (package index cache); lower confidence.

---

### Minimal .NET 10 sketch (Stella Ops)

```csharp
public sealed record LayerInput(
string LayerDigest, // "sha256:..."
string? ManifestAlgo, // "sha256"
string? ManifestChecksum, // hex
string SbomerVersion,
string RulesetVersion,
string FeedsSnapshotId,
string PolicyBundleHash);

public static string ComputeCacheKey(LayerInput x)
{
var s = string.Join("\n", new[]{
x.LayerDigest,
x.ManifestAlgo ?? "",
x.ManifestChecksum ?? "",
x.SbomerVersion,
x.RulesetVersion,
x.FeedsSnapshotId,
x.PolicyBundleHash
});
using var sha = System.Security.Cryptography.SHA256.Create();
return Convert.ToHexString(sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(s)));
}

public sealed class SbomCacheEntry
{
public required string CacheKey { get; init; }
public required byte[] CycloneDxJson { get; init; } // gz if large
public required byte[] VexJson { get; init; }
public required byte[] AttestationDsse { get; init; } // for re-verify
public required DateTimeOffset ProducedAt { get; init; }
public required string FeedsSnapshotId { get; init; } // provenance
}
```

---

### Cache flow (Scanner)

1. **Before scan**

* Extract manifest files from the union FS of the current layer.
* Hash them (stable newline normalization).
* Build `LayerInput`; compute `CacheKey`.
* **Lookup** in `ISbomCache.Get(CacheKey)`.
2. **Hit**

* **Verify attestation** (keys/policy), **check feed epoch** still within tolerance, **re‑sign freshness** if policy allows.
* Emit cached SBOM/VEX downstream; mark provenance as “replayed”.
3. **Miss**

* Run normal analyzers → SBOM → vuln match → VEX lattice.
* Create **in‑toto/DSSE attestation**.
* Store `SbomCacheEntry` and **index by**:

* `CacheKey` (primary),
* `LayerDigest` (secondary),
* `(ecosystem, manifestChecksum)` for diagnostics.
4. **Invalidation**

* Roll cache on **FeedsSnapshotId** bumps or **RulesetVersion** change.
* TTL optional for emergency revocations; keep **attestation+provenance** for audit.

---

### Storage options

* **Local**: content‑addressed dir (`/var/lib/stellaops/sbom-cache/aa/bb/<cacheKey>.cjson.gz`).
* **Remote**: Redis or Mongo (GridFS) keyed by `cacheKey`; attach indexes on `LayerDigest`, `FeedsSnapshotId`.
* **OCI artifact**: push SBOM/VEX as OCI refs tied to layer digest (helps multi‑node CI).

---

### Attestation verification (quick)

* On hit: `Verify(AttestationDsse, Policy)`; ensure `subject.digest == LayerDigest` and metadata (`FeedsSnapshotId`, tool versions) matches required policy.
* Optional **freshness stamp**: a tiny, fast “verification attestation” you produce at replay time.

---

### Edge cases

* **Multi‑manifest layers** (polyglot): combine checksums in a stable order (e.g., `SHA256(man1 + '\n' + man2 + ...)`).
* **Runtime‑only diffs** (no manifest change): include **package index snapshot hash** if you maintain one.
* **Reproducibility drift**: include analyzer version & configuration knobs in the key so the cache never masks rule changes.

---

### Why this helps

* Cold scans compute once; subsequent builds (same base image + same lockfiles) **skip minutes of work**.
* Reproducibility becomes **measurable**: cache hit ratio per repo, per base image, per feed epoch.

---

### Quick tasks to add to Stella Ops

* [ ] Implement `LayerInput` + keying in `Scanner.WebService`.
* [ ] Add **Manifest Harvester** step per ecosystem (NuGet, npm, pip/poetry, go, Cargo).
* [ ] Add `ISbomCache` (local + Mongo/OCI backends) with metrics.
* [ ] Wire **attestation re‑verify** path on hits.
* [ ] Ship a **cache report**: hit/miss, time saved, reasons for miss (ruleset/feeds changed, manifest changed, new analyzer).

If you want, I can draft the actual C# interfaces (cache backend + verifier) and a tiny integration for your existing `Sbomer`/`Vexer` services next.
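Review bot: the hit-path check `ensure subject.digest == LayerDigest` binds the attestation to the layer alone, not to the manifest checksum, ruleset, feeds snapshot or policy hash that make up `CacheKey`, so an entry stored under the wrong key (or a tampered cache store) still verifies and its stale SBOM/VEX is replayed as trusted. Put the full `LayerInput` into the attestation subject or predicate and have the verifier recompute `ComputeCacheKey` and compare it with the key the entry was fetched under. Two smaller points: the prose key uses `'\n'` and `':'` separators with a lowercase hex digest while `ComputeCacheKey` joins every field with `"\n"` and `Convert.ToHexString` emits uppercase, so settle one canonical form before keys are persisted; and `SHA256.Create()` inside a `using` can be replaced by the static `SHA256.HashData(...)`.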
@@ -0,0 +1,224 @@
Here’s a compact, implementation‑ready plan to validate function‑level reachability with a public, minimal CVE corpus—one runnable example per runtime (Go, .NET, Python, Rust). It gives you known vulnerable symbols, a tiny app that (optionally) calls them, and captured runtime traces to prove reachability.

---

# Corpus layout

```
stellaops-reach-corpus/
README.md
tooling/
capture-dotnet-eventpipe.ps1
capture-go-trace.sh
capture-python-coverage.sh
capture-rust-probe.sh
go/
CVE-YYYY-XXXX-min/
go.mod
vulner/pkg/vuln.go // vulnerable symbol(s): func DoVuln()
app/main.go // calls or avoids DoVuln() via flag
traces/ // .out/.json from runtime
EXPECT.yaml // ground truth: reachable? call path?
dotnet/
CVE-YYYY-XXXX-min/
src/VulnLib/VulnLib.cs // [MethodImpl] public static void DoVuln()
src/App/App.csproj
src/App/Program.cs // --reach / --no-reach
traces/ // .nettrace, EventPipe JSON, stack dumps
EXPECT.yaml
python/
CVE-YYYY-XXXX-min/
vuln/__init__.py // def do_vuln()
app.py // toggle call via env
requirements.txt
traces/coverage/ // coverage.xml + callgraph.json
EXPECT.yaml
rust/
CVE-YYYY-XXXX-min/
Cargo.toml
src/lib.rs // pub fn do_vuln()
src/main.rs // feature flags: reach/no_reach
traces/ // eBPF/usdt or log-markers
EXPECT.yaml
```

---

# EXPECT.yaml (shared contract)

```yaml
id: CVE-YYYY-XXXX
ecosystem: (go|dotnet|python|rust)
packages:
- name: example.org/vulner
version: 1.0.0
symbols:
- fqname: example.org/vulner.DoVuln # or Namespace.Class.Method, module.func
kind: function
scenarios:
- name: reach
args: ["--reach"]
expected:
reachable: true
call_paths:
- ["app.main", "vulner.DoVuln"]
runtime_hits: >=1
- name: no_reach
args: ["--no-reach"]
expected:
reachable: false
call_paths: []
runtime_hits: 0
artifacts:
- sbom: sbom.cdx.json
- trace: traces/reach.trace
notes: Minimal repro; avoid network/filesystem side effects.
```

---

# Minimal vulnerable symbol patterns

**Go**

`vulner/pkg/vuln.go`

```go
package vulner
func DoVuln(input string) string { return "vuln:" + input } // marker
```

`app/main.go`

```go
package main
import (
"flag"
"example.org/vulner"
"fmt"
)
func main() {
reach := flag.Bool("reach", false, "call vuln")
flag.Parse()
if *reach { fmt.Println(vulner.DoVuln("hit")) } else { fmt.Println("skip") }
}
```

**.NET (C# / .NET 10)**

`VulnLib/VulnLib.cs`

```csharp
namespace VulnLib;
public static class V {
public static string DoVuln(string s) => "vuln:" + s; // marker
}
```

`App/Program.cs`

```csharp
using System;
using VulnLib;
var reach = args.Contains("--reach");
Console.WriteLine(reach ? V.DoVuln("hit") : "skip");
```

**Python**

`vuln/__init__.py`

```python
def do_vuln(s: str) -> str:
return "vuln:" + s # marker
```

`app.py`

```python
import os
from vuln import do_vuln
print(do_vuln("hit") if os.getenv("REACH")=="1" else "skip")
```

**Rust**

`src/lib.rs`

```rust
pub fn do_vuln(s: &str) -> String { format!("vuln:{s}") } // marker
```

`src/main.rs`

```rust
use std::env; use vuln::do_vuln;
fn main() {
let reach = env::args().any(|a| a=="--reach");
println!("{}", if reach { do_vuln("hit") } else { "skip".into() });
}
```

---

# Runtime trace capture (tiny, deterministic)

* **Go**: `-toolexec` or `GODEBUG=efence=1` not required; use `go test -run TestReach -vet=off` (optional) + `pprof` or `runtime/trace`.

* `tooling/capture-go-trace.sh`: `go test ./... -run TestNoop && go test -run TestReach -trace=traces/reach.out`

* **.NET**: EventPipe

* `dotnet-trace collect -p $PID --providers Microsoft-DotNETCore-SampleProfiler:0:5`
* Or `dotnet-monitor collect --duration 5s --process-id ... --artifact-type traces`

* **Python**: `coverage run -m app` + `coverage xml -o traces/coverage/coverage.xml`

* **Rust**: simplest is log markers + `RUST_LOG` capture; optional: `perf record -g` or USDT via `tokio-tracing` if you want call sites.

Each trace folder includes a short `trace.json` (normalized stack hits for the vulnerable symbol) produced by a tiny normalizer script you ship in `tooling/`.

---

# SBOM & ground‑truth

For each example:

* Generate CycloneDX SBOM (use the language’s simplest generator or a tiny script) and include component + symbol annotations (e.g., `properties` with `symbol:fqname`).
* Keep versions pinned to avoid drift.

---

# Validation runner (one command)

`tooling/validate-all.sh`:

1. Build each example twice (reach / no_reach).
2. Capture SBOM + runtime traces.
3. Emit a unified `results.json` with:

* detected symbols from your Symbolizer
* static call‑graph reachability
* runtime hit count per symbol
* pass/fail vs `EXPECT.yaml`.

Exit non‑zero on any mismatch → perfect for CI gates.

---

# Why this works as a public differentiator

* **Minimal & real**: one tiny, idiomatic app per runtime; clear vulnerable symbol; two scenarios.
* **Auditable**: EXPECT.yaml + traces make results falsifiable.
* **Portable**: no network, no DB; runs in Docker or GitHub Actions.
* **Extensible**: add more CVEs by copying the template and swapping the “vulnerable symbol” (e.g., path‑traversal helper, unsafe deserializer stub, weak RNG wrapper).

---

# Next steps I can deliver immediately

* Bootstrap repo with the above structure.
* Add the four first examples + scripts.
* Wire a single `validate-all` CLI to produce a JUnit‑style report for your CI.

If you want, I’ll generate the skeleton with ready‑to‑run code, EXPECTs, and the capture scripts tailored to your .NET 10 + Docker workflow.
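Review bot: the Go sample does not build as laid out. `app/main.go` imports `example.org/vulner` and calls `vulner.DoVuln`, but the vulnerable file sits at `vulner/pkg/vuln.go`, so under a `go.mod` module `example.org/vulner` the import path would be `example.org/vulner/pkg` and the package name would have to match that directory; move `vuln.go` to the module root (which also matches the `example.org/vulner.DoVuln` fqname in `EXPECT.yaml`) or fix the import. Related: `capture-go-trace.sh` runs `-run TestNoop` and `-run TestReach`, but no `_test.go` file appears in the corpus layout, so either add those tests or trace the `app` binary through `runtime/trace` directly. For the Rust sample, `use vuln::do_vuln` requires the package in `Cargo.toml` to be named `vuln`; and in the C# `Program.cs`, `args.Contains("--reach")` resolves only with `ImplicitUsings` enabled in `App.csproj` or an explicit `using System.Linq;`, which is worth stating since the file already spells out `using System;`.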
@@ -0,0 +1,34 @@
Here’s a quick, concrete proposal to **lock in a stable SBOM model for Stella Ops**: use **SPDX 3.0.1** as your canonical persistence schema and **CycloneDX 1.6** as the interchange “view,” bridged by a deterministic transform.

**Why this pairing**

* **SPDX 3.0.1** gives you a rigorous, profile‑based data model (Core/Security/AI/Build, etc.) with explicit **Relationship** semantics—ideal for long‑lived storage and graph queries. ([SPDX][1])
* **CycloneDX 1.6** excels at exchange: widely adopted, supports **services/SaaSBOM**, **attestations (CDXA)**, **CBOM (crypto inventory)**, MLBOM, and more—perfect for producing portable BOMs for customers and regulators. ([CycloneDX][2])

**Target architecture (minimal)**

* **Persistence:** Store SBOMs as SPDX 3.0.1 (JSON‑LD/RDF), normalized into your Mongo event‑sourced graph; keep Relationship edges first‑class. ([SPDX][1])
* **Interchange:** On export, render CycloneDX 1.6 (JSON/XML) including `components`, `services`, `dependencies`, `vulnerabilities`, and optional CBOM/CDXA blocks. ([SBOM Observer][3])
* **Deterministic transform:** Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byte‑for‑byte reproducibility across offline sites.

**Quick win mapping examples**

* SPDX `Element` + `RelationshipType` → CycloneDX `dependencies` graph. ([SPDX][4])
* SPDX Security profile findings → CycloneDX `vulnerabilities` entries. ([SPDX][1])
* SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). ([SPDX][5])
* Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX **CBOM** on export for policy checks (CNSA/NIST). ([CycloneDX][2])

**Governance & standards signal**

* SPDX 3.0.x is actively aligned with **OMG/ISO** submissions (good long‑term bet for storage). ([SPDX Lists][6])
* CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. ([GitHub][7])

If you want, I’ll draft the exact field‑by‑field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.

[1]: https://spdx.github.io/spdx-spec/v3.0.1/?utm_source=chatgpt.com "SPDX Specification 3.0.1"
[2]: https://cyclonedx.org/news/cyclonedx-v1.6-released/?utm_source=chatgpt.com "CycloneDX v1.6 Released, Advances Software Supply ..."
[3]: https://sbom.observer/academy/learn/topics/cyclonedx?utm_source=chatgpt.com "What is CycloneDX?"
[4]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/RelationshipType/?utm_source=chatgpt.com "RelationshipType - SPDX Specification 3.0.1"
[5]: https://spdx.dev/wp-content/uploads/sites/31/2024/12/SPDX-3.0.1-1.pdf?utm_source=chatgpt.com "SPDX© Specification v3.0.1"
[6]: https://lists.spdx.org/g/Spdx-tech/topic/release_3_0_1_of_the_spdx/110308825?utm_source=chatgpt.com "Release 3.0.1 of the SPDX Specification"
[7]: https://github.com/CycloneDX/specification?utm_source=chatgpt.com "CycloneDX/specification"
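Review bot: the "Deterministic transform" bullet promises byte-for-byte reproducibility but says nothing about losslessness, and the mapping examples imply lossy steps: the SPDX `RelationshipType` vocabulary is much wider than what the CycloneDX `dependencies` graph can express (dependsOn/provides), so the mapping table should list which relationship types are dropped or folded, and the reverse direction (a CycloneDX 1.6 import back into SPDX 3.0.1 persistence) should be declared out of scope or specified. "Stable UUID seeds" also needs a definition: the CycloneDX `serialNumber` and each `bom-ref` must be derived deterministically from the SPDX element identifiers (a name-based UUID over the SPDX id, for instance), otherwise two offline sites exporting the same graph will still differ. Style: the reference URLs carry `?utm_source=chatgpt.com` tracking parameters that should be stripped before this lands in the docs tree.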
@@ -0,0 +1,132 @@
|
||||
Here’s a practical, plain‑English game plan to validate three big Stella Ops claims—quiet scans, provenance, and diff‑native CI—so you (and auditors/customers) can reproduce the results end‑to‑end.
|
||||
|
||||
---
|
||||
|
||||
# 1) “Explainably quiet by design”
|
||||
|
||||
**Goal:** Fewer false‑alarms, with every suppression justified (reachability/VEX), and every alert deduplicated and actionable.
|
||||
|
||||
**What to measure**
|
||||
|
||||
* **Noise rate:** total findings vs. actionable (has fix/KB/CWE + reachable or policy‑relevant).
|
||||
* **Dedup:** identical CVE across layers/repos counted once.
|
||||
* **Explainability:** % of findings with a clear path (package → symbol/function → evidence).
|
||||
* **Suppression justifications:** % of suppressed items with VEX reason (not affected, configuration, environment, reachability).
|
||||
|
||||
**A/B test setup**
|
||||
|
||||
* **Repos (representative mix):** .NET (aspnet app & library), JVM (Spring), Node/TS (Nest), Python (FastAPI), Go (CLI), container base images (Alpine, Debian, Ubuntu), and a known‑noisy mono‑repo.
|
||||
* **Modes:** `baseline=no VEX/reach`, `quiet=reach+VEX+dedup`.
|
||||
* **Metrics capture:** emit JSONL per repo with counts and examples.
|
||||
|
||||
**Minimal harness (pseudo)**
|
||||
|
||||
```bash
|
||||
# baseline
|
||||
stella scan repo --out baseline.jsonl --no-reach --no-vex --no-dedup
|
||||
# quiet
|
||||
stella scan repo --out quiet.jsonl --reach --vex openvex.json --dedup
|
||||
stella explain --in quiet.jsonl --evidence callgraph,eventpipe --why > explain.md
|
||||
stella metrics compare baseline.jsonl quiet.jsonl > ab_summary.md
|
||||
```
|
||||
|
||||
**Pass criteria (suggested)**
|
||||
|
||||
* ≥50% reduction in non‑actionable alerts.
|
||||
* 100% of suppressions carry VEX+reason.
|
||||
* ≥90% of actionable findings link to evidence (reachable symbol or policy gate).
|
||||
|
||||
---
|
||||
|
||||
# 2) “Provenance‑first DevSecOps”
|
||||
|
||||
**Goal:** Ship a verifiable bundle anyone can check offline: SBOM + attestations + transparency‑log proof.
|
||||
|
||||
**What to export**
|
||||
|
||||
* **SBOM:** CycloneDX 1.6 or SPDX 3.0.1.
|
||||
* **Provenance attestation:** in‑toto/DSSE (builder, materials, recipe, digest).
|
||||
* **Signatures:** Sigstore (cosign) or regional crypto (pluggable).
|
||||
* **Transparency log receipt:** Rekor (or mirror) inclusion proof.
|
||||
* **Policy snapshot:** the exact policy/lattice and feed hashes used.
|
||||
* **Repro manifest:** declarative inputs so scans are replayable.
|
||||
|
||||
**One‑shot exporter**
|
||||
|
||||
```bash
|
||||
stella bundle export \
|
||||
--sbom cyclonedx.json \
|
||||
--attest provenance.intoto.jsonl \
|
||||
--sig cosign.sig \
|
||||
--rekor-inclusion rekor.json \
|
||||
--policy policy.yml \
|
||||
--replay manifest.lock.json \
|
||||
--out stella-proof-bundle.tgz
|
||||
```
|
||||
|
||||
**Independent verification (clean machine)**
|
||||
|
||||
```bash
|
||||
stella bundle verify stella-proof-bundle.tgz \
|
||||
--check-sig --check-rekor --check-sbom --check-policy --replay
|
||||
# Output should show digest matches, valid DSSE, Rekor inclusion, and replay parity.
|
||||
```
|
||||
|
||||
**Pass criteria**
|
||||
|
||||
* All cryptographic checks pass offline.
|
||||
* Replay produces byte‑identical findings set (or a diff limited to time‑varying feeds pinned by hash).
|
||||
|
||||
---

# 3) “Diff‑native CI for containers”

**Goal:** Rescan only what changed (layers/deps/policies) with equal detection parity and lower wall‑time.

**Test matrix**

* **Images:** multistage app (runtime+deps), language runtimes (dotnet, jre, node, python), and a “fat” base (ubuntu:XX).
* **Changes:** Dockerfile ENV only, add/remove package, patch app DLL/JAR/JS, policy toggle.

**Runs**

```bash
# Full scan
time stella image scan myimg:old > full_old.json
time stella image scan myimg:new > full_new.json

# Diff-aware
time stella image scan myimg:new --diff-from myimg:old --cache .stella-cache > diff_new.json

stella parity check full_new.json diff_new.json > parity.md
```

**Metrics**

* **Parity:** same actionable findings IDs (allowing dedup).
* **Speedup:** (full time) / (diff time).
* **Cache hit ratio:** reused layers/components.

**Pass criteria**

* 100% actionable parity on modified images.
* ≥3× faster on typical “small change” commits; no worse than full scan when cache misses.

---

## What you’ll publish (deliverables)

* `VALIDATION_PLAN.md` — steps above with fixed seeds (image digests, repo SHAs).
* `harness/` — scripts to run A/B and diff tests, export bundles, and verify.
* `results/YYYY‑MM/` — raw JSONL, parity reports, timing tables, and a 1‑page summary.
* `policy/` — locked policy + feed hashes used in the runs.

---

## Nice‑to‑have extras

* **Reachability/VEX gallery:** a few “before/after” call graphs and suppression cards.
* **Auditor mode:** `stella audit open stella-proof-bundle.tgz` → read‑only UI that renders SBOM, VEX, signatures, Rekor proof, and replay log.
* **CI examples:** GitLab/GitHub YAML snippets for full vs. diff jobs with caching.

If you want, I can spit out the repo‑ready scaffold (folders, stub scripts, sample policies) tailored to your .NET 10 + Docker setup so you can run this tonight.
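Review bot: the closing sentence ("If you want, I can spit out the repo‑ready scaffold … so you can run this tonight.") is conversational assistant output rather than documentation and should be dropped before this file lands. Two pass criteria in this hunk are also not machine-checkable as written: "Replay produces byte‑identical findings set (or a diff limited to time‑varying feeds pinned by hash)" contradicts itself, because a feed pinned by hash cannot vary between runs; either require byte-identical output whenever the `--replay` manifest pins every feed, or state which inputs are allowed to drift and how the harness reports that diff. Likewise "same actionable findings IDs (allowing dedup)" under **Metrics** needs a definition of dedup (which fields identify a finding) so that `stella parity check` yields a pass/fail result instead of a judgement call.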
56
src/Findings/AGENTS.md
Normal file
@@ -0,0 +1,56 @@
# Findings Ledger · AGENTS.md

## Working directory
- Primary path: `src/Findings/StellaOps.Findings.Ledger` (and sibling test project under `src/Findings/__Tests` when exercising tests).
- Do not touch other modules unless the sprint explicitly permits cross-module edits; Orchestrator/AirGap/Attestor integration work must land behind feature flags and be coordinated via their sprints.

## Roles covered
- Backend engineer: .NET 10/C# for ledger services, projections, provenance links, Merkle anchoring.
- QA / determinism: replay harness, property/integration tests, load testing at ≥5M findings/tenant.
- Observability / DevOps: metrics, logs, dashboards, alert wiring, deployment/backup/offline kits.

## Required reading before DOING
- Global: `docs/README.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/modules/platform/architecture-overview.md`.
- Ledger module:
- `docs/modules/findings-ledger/observability.md`
- `docs/modules/findings-ledger/replay-harness.md`
- `docs/modules/findings-ledger/deployment.md`
- `docs/modules/findings-ledger/implementation_plan.md`
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/modules/findings-ledger/schema.md` (sealed-mode and Merkle root structure)
- `docs/modules/findings-ledger/workflow-inference.md` (projection rules)
- Observability policy: `docs/observability/policy.md`.

## Execution rules
- Update sprint `Delivery Tracker` status when you start/stop/finish: TODO → DOING → DONE/BLOCKED.
- If a contract/design decision is missing, mark the task BLOCKED in the sprint, add the decision needed under **Decisions & Risks**, then continue with other unblocked tasks.
- Keep outputs deterministic: UTC ISO-8601 timestamps, stable ordering, seeded property tests, repeatable replay runs.

## Coding & data guidelines
- Target .NET 10; prefer latest C# preview features allowed by repo tooling.
- Logging: structured `Ledger.*` logs; no PII; include `tenant`, `chain`, `policy`, `status`, `anchor` labels where applicable.
- Metrics: emit only metric names/labels listed in `observability.md`; new series require Observability Guild approval.
- Storage: follow schema in `schema.md`; preserve Merkle invariants and provenance pointers (orchestrator job IDs, bundle IDs, DSSE/attestation IDs).
- Feature flags: gate Orchestrator/AirGap/Attestor integrations; defaults must be safe for air-gapped/offline mode.

## Testing
- Mandatory: unit + property tests for ledger state/merkle roots; integration tests for projections and provenance pointers.
- Replay/determinism: use the harness in `replay-harness.md` (5M findings/tenant scenario); produce signed harness report (DSSE) for LEDGER-29-008.
- Load tests should record CPU/memory budgets as part of run artifacts; keep seeds and fixtures under version control.

## Observability & operations
- Metrics/logs/traces via OpenTelemetry → OTLP → Prometheus/Tempo/Loki; respect `observability.enabled` flag.
- Dashboards: include Grafana JSON exports under `offline/telemetry/dashboards/ledger`.
- Alerts: wire as documented in `observability.md`; for air-gap emit to syslog + CLI incident scripts.
- Deployments: follow `deployment.md` for Helm/Compose overlays, migrations, backup/restore, and offline kits.

## Offline/air-gap
- Never assume external network; rely on mirrored feeds and bundled assets.
- Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) when importing advisories/VEX/policies as per `airgap-provenance.md`.
- Exports that become stale beyond documented thresholds must be blocked with remediation messaging.

## Acceptance checklist for changes
- Tests updated/added and passing locally (`dotnet test` within module scope).
- Metrics/logs follow approved names and labels; dashboards/alerts updated if schemas change.
- Replay harness run (or planned) for determinism-impacting changes; attach/report results.
- Docs updated when contracts or workflows change (module docs, observability policy, sprint Decisions & Risks).
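Review bot: the acceptance checklist leaves a loophole in the determinism gate: "Replay harness run (or planned) for determinism-impacting changes" lets such a change merge with no harness evidence at all, while the Testing section above treats the DSSE-signed harness report as mandatory for LEDGER-29-008. Suggest requiring the harness run before merge, or, where it is deferred, recording the deferral under **Decisions & Risks** so it stays tracked. The checklist also has no item confirming that new feature flags default to the safe offline behaviour required under **Coding & data guidelines** and **Offline/air-gap**; a line such as "Feature-flag defaults verified safe for air-gapped mode" would close that gap. Minor: "prefer latest C# preview features" sits uneasily with a ledger that must replay byte-for-byte over long periods; consider pinning the language version in repo tooling instead of tracking previews.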