From 852c4d15feb1b816f9aff49edc98e9d5cc8ea127 Mon Sep 17 00:00:00 2001 From: master <> Date: Mon, 13 Apr 2026 22:14:53 +0300 Subject: [PATCH] docs(implplan): sync sprint statuses with real repo state MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006, -008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays BLOCKED. Sprint cannot be archived until the verification windows pass. - SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003 and VXLM-004 from DONE → DOING. Adapters still back VEX decisions, fix verifications, and audit bundles with ConcurrentDictionary; the VulnExplorer.Api and VulnExplorer.WebService project directories were not deleted; migration 010 is present but unused. Execution log records the finding; commit 414049ef8 message was misleading. - SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged. AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too large for a single session. Sprint stays active. Co-Authored-By: Claude Opus 4.6 (1M context) --- ...260408_002_Findings_vulnexplorer_ledger_merge.md | 5 +++-- ...RINT_20260408_004_Timeline_unified_audit_sink.md | 1 + ...260408_005_Audit_endpoint_filters_deprecation.md | 13 +++++++------ 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/implplan/SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md b/docs/implplan/SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md index 343f0e98b..a1fe5f5c7 100644 --- a/docs/implplan/SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md +++ b/docs/implplan/SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md 
@@ -373,7 +373,7 @@ Completion criteria: - [ ] Pagination (pageToken/pageSize) works ### VXLM-003 - Migrate VEX decision and fix verification endpoints to Ledger event persistence -Status: DONE +Status: DOING (adapters still ConcurrentDictionary; see 2026-04-13 execution log) Dependency: VXLM-001, VXLM-002 Owners: Backend engineer @@ -425,7 +425,7 @@ Completion criteria: - [ ] Data migration from `vulnexplorer.*` tables to Ledger events complete ### VXLM-004 - Remove VulnExplorer service and update compose/routing/consumers -Status: DONE +Status: DOING (compose/routing done; VulnExplorer.Api and VulnExplorer.WebService project dirs not deleted) Dependency: VXLM-003 Owners: Backend engineer, DevOps 
@@ -550,6 +550,7 @@ Completion criteria: | 2026-04-08 | Sprint restructured into two phases: Phase 1 (in-memory to Postgres migration) and Phase 2 (merge into Ledger). Comprehensive consumer/dependency audit added. | Planning | | 2026-04-08 | Phase 2 implemented (VXLM-001 through VXLM-004): DTOs moved to Ledger `Contracts/VulnExplorer/`, endpoints mounted via `VulnExplorerEndpoints.cs`, adapter services created, compose/routing/services-matrix updated, docs updated. Phase 1 skipped per user direction (wire to existing Ledger services instead of creating separate vulnexplorer schema). VXLM-005 (integration tests) remaining TODO. | Backend | | 2026-04-08 | VXLM-005 verification started. Created 12 integration tests in `VulnExplorerEndpointsIntegrationTests.cs` covering all 6 endpoint groups + full triage workflow + auth checks. Identified 4 gaps: (1) adapters still use ConcurrentDictionary not Ledger events, (2) evidence-subgraph route mismatch between UI and Ledger, (3) old VulnExplorer.Api.Tests reference stale Program.cs, (4) VulnApiTests expect hardcoded SampleData IDs. Documentation updates pending. | Backend/QA | +| 2026-04-13 | Status audit: VXLM-003 and VXLM-004 corrected from DONE → DOING to match reality. Re-verification confirmed the 2026-04-08 GAP: `VexDecisionAdapter`, `FixVerificationAdapter`, `AuditBundleAdapter` still use `ConcurrentDictionary` (source comment explicitly says "future iterations will wire to Ledger event types"). `StellaOps.VulnExplorer.Api/` and `StellaOps.VulnExplorer.WebService/` project directories were not deleted by VXLM-004. Migration `010_vex_fix_audit_tables.sql` exists but `VulnExplorerRepositories.cs` is a 33-line placeholder. No new Ledger event types (`finding.vex_decision_created`, etc.) were added. Commit `414049ef8` message "wire VulnExplorer adapters to Postgres" is misleading — only scaffolding landed. 
Real work remaining: implement Postgres repositories consuming migration 010, extend `LedgerEventConstants`, swap adapters to emit Ledger events, delete the stale VulnExplorer projects. Sprint cannot be archived. | QA | ## Decisions & Risks - **Decision**: Two-phase approach. Phase 1 migrates VulnExplorer to Postgres while it remains a standalone service. Phase 2 merges into Findings Ledger. Rationale: reduces risk by separating persistence migration from service boundary changes; allows independent validation of the data model. diff --git a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md index 6b5508aea..defebfe14 100644 --- a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md +++ b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md 
@@ -251,6 +251,7 @@ Completion criteria: | --- | --- | --- | | 2026-04-08 | Sprint created from deep audit landscape investigation. Catalogued 16+ independent audit implementations across the monorepo. | Planning | | 2026-04-08 | AUDIT-001 implemented: created 20260408_003_unified_audit_events.sql migration (table + sequences + chain functions), PostgresUnifiedAuditEventStore with SHA-256 hash chain, updated CompositeUnifiedAuditEventProvider to read from Postgres, wired AddStartupMigrations in Program.cs. Build passes with 0 errors. | Developer | +| 2026-04-13 | Scope confirmation: AUDIT-002 through AUDIT-007 remain TODO. Estimated 15-25 hr of breadth work: instrument 14+ services with `AddAuditEmission()` + `AuditActionAttribute` (AUDIT-002, L), backfill polling for Scanner/Scheduler/Integrations/Attestor/SBOM (AUDIT-003, S), GDPR data classification + retention engine + right-to-erasure endpoint (AUDIT-004, L), deprecate per-service audit tables (AUDIT-005, M), UI updates for unified module visibility (AUDIT-006, M), AuditPack export from Timeline store (AUDIT-007, M). Sprint stays active; too large for a single session. Note: Migration `20260408_003_unified_audit_events.sql` was renumbered to `003_unified_audit_events.sql` in commit `4a8e2758c`. | Planning | ## Decisions & Risks diff --git a/docs/implplan/SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md b/docs/implplan/SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md index 7ff3b7e63..318fc3b4c 100644 --- a/docs/implplan/SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md +++ b/docs/implplan/SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md @@ -451,7 +451,7 @@ Completion criteria: **Effort: 2 days** ### FILTER-004 - Batch 2: Annotate Platform -Status: TODO +Status: DONE (commit 54e7f871a) Dependency: FILTER-001 Owners: Developer (backend) Task description: 
@@ -470,7 +470,7 @@ Completion criteria: **Effort: 2.5 days** ### FILTER-005 - Batch 2 continued: Annotate Authority -Status: TODO +Status: DONE (commit d4d75200c) Dependency: FILTER-001 Owners: Developer (backend) Task description: @@ -491,7 +491,7 @@ Completion criteria: **Effort: 2 days** ### FILTER-006 - Batch 2 continued: Annotate Notify -Status: TODO +Status: DONE (commit 54e7f871a) Dependency: FILTER-001 Owners: Developer (backend) Task description: @@ -510,7 +510,7 @@ Completion criteria: **Effort: 2 days** ### FILTER-007 - Batch 2 continued: Annotate Policy Engine + Gateway -Status: TODO +Status: DONE (commit d4d75200c) Dependency: FILTER-001 Owners: Developer (backend) Task description: @@ -540,7 +540,7 @@ Completion criteria: **Effort: 4 days** ### FILTER-008 - Batch 2 continued: Annotate Release-Orchestrator + Scheduler -Status: TODO +Status: DONE (commit 54e7f871a) Dependency: FILTER-001 Owners: Developer (backend) Task description: @@ -556,7 +556,7 @@ Completion criteria: **Effort: 2 days** ### FILTER-010 - Annotate endpoints in newly-wired services (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine) -Status: TODO +Status: DONE (commit 665bd6db4) Dependency: FILTER-001 (convention helper) Owners: Developer (backend) Task description: 
@@ -709,6 +709,7 @@ Completion criteria: | 2026-04-08 | Sprint created. Full endpoint inventory completed across all 9 wired services (~532 state-changing endpoints). Per-service audit table analysis completed for 6 services with local tables. | Planning | | 2026-04-08 | Added FILTER-010 (6 newly-wired services: ~80 endpoints) and CAPSULE-001 (blocked on capsule pipeline). Added Config/Settings Audit Checklist confirming all mutation surfaces are covered. Total active effort updated to 28 days. | Planning | | 2026-04-08 | FILTER-001 DONE: Created `AuditedRouteGroupExtensions.cs` with `WithAuditFilter()` and `Audited()` convenience methods. FILTER-002 DONE: Annotated 7 EvidenceLocker + 6 Integrations endpoints. FILTER-003 DONE: Annotated ~50 Scanner endpoints across 20 files (skipped read-only POSTs per convention). All 3 services build clean with 0 errors/warnings. | Developer | +| 2026-04-13 | Status sync: FILTER-004 (Platform), FILTER-006 (Notify), FILTER-008 (ReleaseOrchestrator+Scheduler) confirmed DONE via commit `54e7f871a`. FILTER-005 (Authority), FILTER-007 (Policy+Gateway) confirmed DONE via commit `d4d75200c`. FILTER-010 (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine) confirmed DONE via commit `665bd6db4`. Additional audit-filter hardening shipped via commits `2a69ad112` (enhanced filter with body capture) and `7f40f8d67` (module catalog, Diff ingest, chain verify fixes). DEPRECATE-001/002/003 remain TODO — they have mandatory 30-day and 90-day verification windows built into the plan and cannot be accelerated. CAPSULE-001 remains BLOCKED on the capsule sealing pipeline. | QA | ## Decisions & Risks
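
Review bot: In SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge.md, the hunks at @@ -373 and @@ -425 re-verify only VXLM-003 and VXLM-004, yet the context line just above `### VXLM-003` still shows an unchecked criterion (`- [ ] Pagination (pageToken/pageSize) works`) for the preceding task, which the 2026-04-08 log row also lists as implemented. Please confirm in the same audit whether VXLM-001 and VXLM-002 are really DONE and say so in the 2026-04-13 row. Also, the VXLM-004 status line should point to the execution log the way the VXLM-003 line does, and note that it stays open while its dependency VXLM-003 is DOING.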
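
Review bot: The 2026-04-13 row added at @@ -550 in the same file records that `VexDecisionAdapter`, `FixVerificationAdapter` and `AuditBundleAdapter` still use `ConcurrentDictionary`, but the finding lands only in the execution log and nothing is added under `## Decisions & Risks`, which starts right after the row. VEX decisions, fix verifications and audit bundles held in an in-process dictionary do not survive a restart and are not Ledger events, so this deserves its own Risk entry with an owner. The row also mixes findings with the remaining-work list; moving "Real work remaining" into the VXLM-003 and VXLM-004 completion criteria would keep the log row short and make the open items checkable.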
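
Review bot: In SPRINT_20260408_004_Timeline_unified_audit_sink.md, the renumbering note at the end of the row added at @@ -251 (`20260408_003_unified_audit_events.sql` became `003_unified_audit_events.sql` in commit `4a8e2758c`) is appended to an unrelated scope row, while the 2026-04-08 row directly above still names the old file. Give the rename its own log row and state whether environments that already applied the migration under the old name through `AddStartupMigrations` are affected, since this migration creates the table and chain functions behind the SHA-256 hash chain. The effort estimate would also be easier to track if the row said which of AUDIT-002 through AUDIT-007 is next.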
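
Review bot: In SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md, the status hunks from @@ -451 to @@ -556 cover FILTER-004 through FILTER-008 and FILTER-010 but skip FILTER-009, and the 2026-04-13 log row does not mention it either. State FILTER-009's status in the sync so the batch is complete. These hunks also change only the `Status:` line of each task; if the completion-criteria checkboxes for these tasks are still unchecked, tick them in the same change or note which criteria the cited commits (`54e7f871a`, `d4d75200c`, `665bd6db4`) did not cover.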
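
Review bot: The row added at @@ -709 mentions commit `2a69ad112` ("enhanced filter with body capture") only in passing, although the same sync marks the Authority endpoints (FILTER-005) as annotated with that filter. Capturing request bodies on those endpoints can put credentials or personal data into the audit store, so `## Decisions & Risks` should record what is captured and what is redacted or excluded. The row also says the DEPRECATE-001/002/003 windows of 30 and 90 days cannot be accelerated but gives no start date; add the date each window began so the earliest archive date can be derived from the document.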