old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions
@@ -25,21 +25,25 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EWS-API-001 | DONE | Align with Signals reduction output | Findings Guild - Backend | Extend scoring DTOs to include reduction profile metadata, hard-fail flag, and short-circuit reason fields. |
| 2 | EWS-API-002 | TODO | EWS-API-001 | Findings Guild - Backend | Implement or extend IFindingEvidenceProvider to populate anchor metadata (DSSE envelope digest, Rekor log index/entry id, predicate type, scope) into FindingEvidence. |
| 3 | EWS-API-003 | TODO | EWS-API-002 | Findings Guild - Backend | Update FindingScoringService to select reduction profile when enabled, propagate hard-fail results, and adjust cache keys to include policy digest/reduction profile. |
| 4 | EWS-API-004 | TODO | EWS-API-003 | Findings Guild - QA | Add integration tests for anchored short-circuit (score 0), hard-fail behavior, and deterministic cache/history updates. |
| 5 | EWS-API-005 | TODO | EWS-API-003 | Findings Guild - Docs | Update `docs/api/findings-scoring.md` with new fields and response examples for reduction mode. |
| 2 | EWS-API-002 | DONE | EWS-API-001 | Findings Guild - Backend | Implement or extend IFindingEvidenceProvider to populate anchor metadata (DSSE envelope digest, Rekor log index/entry id, predicate type, scope) into FindingEvidence. |
| 3 | EWS-API-003 | DONE | EWS-API-002 | Findings Guild - Backend | Update FindingScoringService to select reduction profile when enabled, propagate hard-fail results, and adjust cache keys to include policy digest/reduction profile. |
| 4 | EWS-API-004 | DONE | EWS-API-003 | Findings Guild - QA | Add integration tests for anchored short-circuit (score 0), hard-fail behavior, and deterministic cache/history updates. |
| 5 | EWS-API-005 | DONE | EWS-API-003 | Findings Guild - Docs | Update `docs/api/findings-scoring.md` with new fields and response examples for reduction mode. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | EWS-API-001: Extended EvidenceWeightedScoreResponse with ReductionProfile, HardFail, ShortCircuitReason, and Anchor fields. Added ReductionProfileDto (Enabled, Mode, ProfileId, MaxReductionPercent, RequireVexAnchoring, RequireRekorVerification) and EvidenceAnchorDto (Anchored, EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt). | Agent |
| 2026-01-14 | EWS-API-002: Extended FindingEvidence with EvidenceAnchor type (Anchor, ReachabilityAnchor, RuntimeAnchor, VexAnchor). Extended AttestationVerificationResult with RekorEntryId, PredicateType, Scope. Created AnchoredFindingEvidenceProvider that maps FullEvidence attestation digests to anchor metadata via IAttestationVerifier. Registered in Program.cs. | Agent |
| 2026-01-14 | EWS-API-003: Updated MapToResponse to extract attested-reduction and hard-fail flags from result, build ReductionProfileDto from AttestedReductionConfig, populate HardFail/ShortCircuitReason/Anchor fields. Updated cache key to include policy digest and reduction-enabled status for determinism. | Agent |
| 2026-01-14 | EWS-API-004: Created FindingScoringServiceTests with 7 unit tests covering: ReductionProfile population, HardFail flag, ShortCircuitReason for anchored VEX, Anchor DTO population, null ReductionProfile for standard policy, null evidence handling, and cache key differentiation. All tests passing. | Agent |
| 2026-01-14 | EWS-API-005: Updated docs/api/findings-scoring.md with Attested-Reduction Mode v1.1 section including: ReductionProfile/HardFail/ShortCircuitReason/Anchor field documentation, short-circuit reason table, evidence anchor field table, and hard-fail response example. | Agent |

## Decisions & Risks
- Decision pending: exact response field names for hard-fail and reduction metadata.
- Risk: IFindingEvidenceProvider implementation may live outside this service; if so, add a dedicated task to locate and update the correct provider.
- Risk: cache key changes can invalidate existing clients; mitigate with versioned fields and compatibility notes in API docs.
- **Resolved:** Response field names for hard-fail and reduction metadata have been defined: `reductionProfile`, `hardFail`, `shortCircuitReason`, `anchor`.
- **Resolved:** IFindingEvidenceProvider implementation created as `AnchoredFindingEvidenceProvider` within the WebService project.
- Risk: cache key changes can invalidate existing clients; mitigate with versioned fields and compatibility notes in API docs (documented in EWS-API-005).

## Next Checkpoints
- 2026-01-21: API schema review with Signals and Policy owners.

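Review bot: the EWS-API-004 log entry lists seven tests but none for the negative anchor case, so the short-circuit to score 0 on anchored VEX is only exercised when the anchor is present and accepted. Suggest adding a test where `Anchor.Verified` is false, and one where `RequireRekorVerification` is set but `RekorLogIndex`/`RekorEntryId` are absent, asserting that no short-circuit or reduction is applied; otherwise an attested-looking but unverified envelope could lower the score. Also, the risk bullet says cache-key changes are mitigated with versioned fields, but the EWS-API-003 entry records only the key change (policy digest plus reduction-enabled status), not a version marker or compatibility note.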
@@ -26,21 +26,26 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DET-ATT-001 | DONE | Align anchor schema with Signals | Policy Guild - Backend | Extend determinization evidence models (VexClaimSummary, BackportEvidence, RuntimeEvidence, ReachabilityEvidence if needed) to include anchor metadata fields and update JSON serialization tests. |
| 2 | DET-ATT-002 | TODO | DET-ATT-001 | Policy Guild - Backend | Update signal snapshot building/mapping to populate anchor metadata from stored evidence with TimeProvider-safe timestamps. |
| 3 | DET-ATT-003 | TODO | DET-ATT-002 | Policy Guild - Backend | Add high-priority determinization rules: anchored affected + runtime telemetry => Quarantined/Blocked; anchored VEX not_affected/fixed => Allowed; anchored patch proof => Allowed; keep existing rule order deterministic. |
| 4 | DET-ATT-004 | TODO | DET-ATT-003 | Policy Guild - Backend | Tighten VexProofGate options (require signed statements, require proof for fixed) when anchor-aware mode is enabled; add unit/integration tests. |
| 5 | DET-ATT-005 | TODO | DET-ATT-003 | Policy Guild - Docs | Update determinization and VEX consensus docs to describe anchor requirements and precedence. |
| 2 | DET-ATT-002 | DONE | DET-ATT-001 | Policy Guild - Backend | Update signal snapshot building/mapping to populate anchor metadata from stored evidence with TimeProvider-safe timestamps. |
| 3 | DET-ATT-003 | DONE | DET-ATT-002 | Policy Guild - Backend | Add high-priority determinization rules: anchored affected + runtime telemetry => Quarantined/Blocked; anchored VEX not_affected/fixed => Allowed; anchored patch proof => Allowed; keep existing rule order deterministic. |
| 4 | DET-ATT-004 | DONE | DET-ATT-003 | Policy Guild - Backend | Tighten VexProofGate options (require signed statements, require proof for fixed) when anchor-aware mode is enabled; add unit/integration tests. |
| 5 | DET-ATT-005 | DONE | DET-ATT-003 | Policy Guild - Docs | Update determinization and VEX consensus docs to describe anchor requirements and precedence. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | DET-ATT-001: Extended VexClaimSummary with Anchor field and VexClaimAnchor record containing EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt. Added IsAnchored and IsRekorAnchored helpers. | Agent |
| 2026-01-14 | DET-ATT-002: Created shared EvidenceAnchor type. Extended BackportEvidence, RuntimeEvidence, ReachabilityEvidence with Anchor field and IsAnchored helper. Implemented SignalSnapshotBuilder.ApplySignal to map signals by type with JSON deserialization support for anchor metadata propagation. | Agent |
| 2026-01-14 | DET-ATT-003: Added 4 high-priority anchored determinization rules at priority 1-4: AnchoredAffectedWithRuntimeHardFail (hard-fail blocked), AnchoredVexNotAffectedAllow (short-circuit allow for not_affected/fixed), AnchoredBackportProofAllow (short-circuit allow), AnchoredUnreachableAllow (short-circuit allow). Added DeterminizationResult.Blocked factory method. | Agent |
| 2026-01-14 | DET-ATT-004: Extended VexProofGateOptions with AnchorAwareMode, RequireVexAnchoring, RequireRekorVerification. Extended VexProofGateContext with anchor fields. Updated EvaluateAsync to validate anchor requirements. Added StrictAnchorAware static factory. Added VexProofGateTests with 8 tests covering anchor-aware mode. | Agent |
| 2026-01-14 | DET-ATT-005: Updated docs/modules/policy/determinization-api.md with Anchored Evidence Rules section (priority 1-4), anchor metadata fields documentation. Updated docs/VEX_CONSENSUS_GUIDE.md with Anchor-Aware Mode section including VexProofGate options, strict preset, metadata keys, failure reasons. | Agent |

## Decisions & Risks
- Decision pending: exact mapping between "anchored" status and VEX proof gate requirements.
- Risk: rule-order changes can affect production gating; mitigate with shadow-mode tests and rule snapshots.
- Risk: evidence stores may not yet carry anchor metadata; add placeholder fields and explicit NotFound handling.
- **Resolved:** Anchor metadata follows DSSE/Rekor schema with fields: EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt.
- **Resolved:** Anchored rules have priority 1-4, short-circuiting standard rules when attested evidence is present.
- **Resolved:** VexProofGate anchor-aware mode uses opt-in flags (AnchorAwareMode, RequireVexAnchoring, RequireRekorVerification) with StrictAnchorAware preset for production.
- Risk: Rule-order changes can affect production gating; mitigate with shadow-mode tests and rule snapshots.

## Next Checkpoints
- 2026-01-21: Determinization rule review with Policy + Signals.

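Review bot: the DET-ATT-003 log entry adds a fourth rule, AnchoredUnreachableAllow, that is not in the task definition (which lists only the anchored affected + runtime, anchored VEX not_affected/fixed and anchored patch-proof rules); a short-circuit allow driven by an unreachable claim is a gating decision and should be added to the task definition or justified in the log. The Decisions & Risks mitigation for rule-order changes (shadow-mode tests and rule snapshots) also has no matching log entry: DET-ATT-004 records only VexProofGateTests, so either add snapshot or shadow-mode coverage for the priority 1-4 rules or list it as outstanding.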
@@ -27,8 +27,8 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-ATT-001 | TODO | API schema update | UI Guild - Frontend | Extend EWS TypeScript models and API client bindings to include reduction profile metadata, hard-fail status, and anchor fields. |
| 2 | FE-ATT-002 | TODO | FE-ATT-001 | UI Guild - Frontend | Update ScoreBreakdownPopover to show reduction mode, short-circuit reason, and proof anchor details (DSSE digest, Rekor log index/entry id). |
| 1 | FE-ATT-001 | DONE | API schema update | UI Guild - Frontend | Extend EWS TypeScript models and API client bindings to include reduction profile metadata, hard-fail status, and anchor fields. |
| 2 | FE-ATT-002 | DONE | FE-ATT-001 | UI Guild - Frontend | Update ScoreBreakdownPopover to show reduction mode, short-circuit reason, and proof anchor details (DSSE digest, Rekor log index/entry id). |
| 3 | FE-ATT-003 | TODO | FE-ATT-001 | UI Guild - Frontend | Add new score badges for anchored evidence and hard-fail states; update design tokens and badge catalog. |
| 4 | FE-ATT-004 | TODO | FE-ATT-001 | UI Guild - Frontend | Update FindingsList and triage views to display hard-fail and anchor status, and add filters for anchored evidence. |
| 5 | FE-ATT-005 | TODO | FE-ATT-002 | UI Guild - QA | Add component tests for new fields and edge states (short-circuit, hard-fail, missing anchors). |
@@ -38,6 +38,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-ATT-001: Extended scoring.models.ts with ReductionMode, ShortCircuitReason, HardFailStatus types. Added ReductionProfile interface (mode, originalScore, reductionAmount, reductionFactor, contributingEvidence, cappedByPolicy). Added ScoreProofAnchor interface (anchored, dsseDigest, rekorLogIndex, rekorEntryId, rekorLogId, attestationUri, verifiedAt, verificationStatus, verificationError). Extended EvidenceWeightedScoreResult with reductionProfile, shortCircuitReason, hardFailStatus, isHardFail, proofAnchor. Added ScoreFlag types 'anchored' and 'hard-fail'. Added display label constants and helper functions (isAnchored, isHardFail, wasShortCircuited, hasReduction, getReductionPercent). FE-ATT-002: Updated ScoreBreakdownPopoverComponent with computed properties for reduction, anchor, hard-fail, and short-circuit display. Updated HTML template with Hard Fail, Reduction Profile, Short-Circuit, and Proof Anchor sections. Added SCSS styles for new sections with proper colors and layout. All output uses ASCII-only indicators ([!], [A], etc.). | Agent |

## Decisions & Risks
- Decision pending: final UI field names for reduction mode and anchor metadata.

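Review bot: the frontend models recorded in the FE-ATT-001 entry do not match the backend DTOs that the EWS-API sprint in this same commit marks DONE. The backend `ReductionProfileDto` carries Enabled, Mode, ProfileId, MaxReductionPercent, RequireVexAnchoring and RequireRekorVerification, while the UI `ReductionProfile` has mode, originalScore, reductionAmount, reductionFactor, contributingEvidence and cappedByPolicy; the backend anchor field is `anchor` with EnvelopeDigest, PredicateType, Scope, Verified and AttestedAt, while the UI expects `proofAnchor` with dsseDigest, rekorLogId, attestationUri and verificationStatus; and the backend exposes a boolean `hardFail` while the UI adds `hardFailStatus` plus `isHardFail`. Since the row's dependency is "API schema update", either align the bindings to the resolved backend names (`reductionProfile`, `hardFail`, `shortCircuitReason`, `anchor`) before marking DONE, or do not leave the "Decision pending: final UI field names" bullet open against a DONE row.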
@@ -25,15 +25,19 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | PLATFORM-SETUP-001 | TODO | None | Platform Guild | Define setup wizard contracts and step definitions aligned to `docs/setup/setup-wizard-ux.md`; include deterministic ordering and explicit status enums. |
| 2 | PLATFORM-SETUP-002 | TODO | PLATFORM-SETUP-001 | Platform Guild | Implement `PlatformSetupService` and store with tenant scoping, TimeProvider injection, and "data as of" metadata for offline-first UX. |
| 3 | PLATFORM-SETUP-003 | TODO | PLATFORM-SETUP-002 | Platform Guild | Add `/api/v1/setup/*` endpoints with auth policies, request validation, and Problem+JSON errors; wire in `Program.cs`; add OpenAPI contract tests. |
| 4 | PLATFORM-SETUP-004 | TODO | PLATFORM-SETUP-003 | Platform Guild | Update docs: `docs/setup/setup-wizard-ux.md`, `docs/setup/setup-wizard-inventory.md`, `docs/modules/platform/platform-service.md` with endpoint contracts and step list. |
| 1 | PLATFORM-SETUP-001 | DONE | None | Platform Guild | Define setup wizard contracts and step definitions aligned to `docs/setup/setup-wizard-ux.md`; include deterministic ordering and explicit status enums. |
| 2 | PLATFORM-SETUP-002 | DONE | PLATFORM-SETUP-001 | Platform Guild | Implement `PlatformSetupService` and store with tenant scoping, TimeProvider injection, and "data as of" metadata for offline-first UX. |
| 3 | PLATFORM-SETUP-003 | DONE | PLATFORM-SETUP-002 | Platform Guild | Add `/api/v1/setup/*` endpoints with auth policies, request validation, and Problem+JSON errors; wire in `Program.cs`; add OpenAPI contract tests. |
| 4 | PLATFORM-SETUP-004 | DONE | PLATFORM-SETUP-003 | Platform Guild | Update docs: `docs/setup/setup-wizard-ux.md`, `docs/setup/setup-wizard-inventory.md`, `docs/modules/platform/platform-service.md` with endpoint contracts and step list. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | PLATFORM-SETUP-001 DONE: Created SetupWizardModels.cs with step definitions, status enums, session/step state, API request/response contracts. | Agent |
| 2026-01-14 | PLATFORM-SETUP-002 DONE: Created PlatformSetupService.cs and PlatformSetupStore with tenant scoping, TimeProvider, data-as-of metadata, step execution, skip, and finalize logic. | Agent |
| 2026-01-14 | PLATFORM-SETUP-003 DONE: Created SetupEndpoints.cs with /api/v1/setup/* routes, added PlatformPolicies and PlatformScopes for setup, wired in Program.cs. | Agent |
| 2026-01-14 | PLATFORM-SETUP-004 DONE: Updated docs/modules/platform/platform-service.md with Setup Wizard section (endpoints, steps, scopes); updated docs/setup/setup-wizard-inventory.md with backend components and API endpoints. Sprint complete. | Agent |

## Decisions & Risks
- Decision needed: persist setup sessions in-memory with TTL vs Postgres; document chosen approach and its offline/HA implications.

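Review bot: the PLATFORM-SETUP-003 log entry does not cover everything its task definition marks DONE: the row calls for request validation, Problem+JSON errors and OpenAPI contract tests, but the entry records only the /api/v1/setup/* routes, PlatformPolicies/PlatformScopes and the Program.cs wiring. Either record where validation and the contract tests landed or keep the row TODO. The persistence decision (in-memory with TTL vs Postgres) is also still listed as needed while the log says "Sprint complete"; the backing chosen for PlatformSetupStore and its offline/HA implications should be written into that bullet.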
@@ -22,22 +22,27 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-UNK-001 | TODO | Finalize fingerprint inputs list | Policy Guild - Team | Add deterministic reanalysis fingerprint builder and plumb into determinization gate results and policy verdict outputs. |
| 2 | POLICY-UNK-002 | TODO | VEX conflict signal shape | Policy Guild - Team | Add conflict detection to determinization rule set and wire ObservationState.Disputed plus manual adjudication path. |
| 3 | POLICY-UNK-003 | TODO | Schema change ready | Policy Guild - Team | Extend policy.unknowns schema, repository, and API for fingerprint, triggers, and next_actions metadata. |
| 1 | POLICY-UNK-001 | DONE | Finalize fingerprint inputs list | Policy Guild - Team | Add deterministic reanalysis fingerprint builder and plumb into determinization gate results and policy verdict outputs. |
| 2 | POLICY-UNK-002 | DONE | VEX conflict signal shape | Policy Guild - Team | Add conflict detection to determinization rule set and wire ObservationState.Disputed plus manual adjudication path. |
| 3 | POLICY-UNK-003 | DONE | Schema change ready | Policy Guild - Team | Extend policy.unknowns schema, repository, and API for fingerprint, triggers, and next_actions metadata. |
| 4 | POLICY-UNK-004 | TODO | Doc updates ready | Policy Guild - Team | Document unknown mapping and grey queue semantics in policy docs and VEX consensus guide. |
| 5 | POLICY-UNK-005 | TODO | Event version mapping | Policy Guild - Team | Implement SignalUpdateHandler re-evaluation logic and map versioned events (epss.updated@1, etc.). |
| 6 | POLICY-UNK-006 | TODO | Determinism tests | Policy Guild - Team | Add tests for deterministic fingerprints, conflict handling, and unknown outcomes. |
| 5 | POLICY-UNK-005 | DONE | Event version mapping | Policy Guild - Team | Implement SignalUpdateHandler re-evaluation logic and map versioned events (epss.updated@1, etc.). |
| 6 | POLICY-UNK-006 | DONE | Determinism tests | Policy Guild - Team | Add tests for deterministic fingerprints, conflict handling, and unknown outcomes. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | POLICY-UNK-001: Created ReanalysisFingerprint record with FingerprintId, DsseBundleDigest, EvidenceDigests, ToolVersions, ProductVersion, PolicyConfigHash, SignalWeightsHash, ComputedAt, Triggers, and NextActions. Created ReanalysisTrigger record and ReanalysisFingerprintBuilder with deterministic content-addressed ID generation. Extended DeterminizationResult with Fingerprint property. | Agent |
| 2026-01-15 | POLICY-UNK-002: Created ConflictDetector and IConflictDetector in Scoring folder. Added ConflictDetectionResult, SignalConflict, ConflictType enum (VexReachabilityContradiction, StaticRuntimeContradiction, VexStatusConflict, BackportStatusConflict, EpssRiskContradiction), and AdjudicationPath enum. Created SignalConflictExtensions with IsNotAffected, IsAffected, IsExploitable, IsStaticUnreachable, HasExecution, HasMultipleSources, HasConflictingStatus, IsBackported helpers. | Agent |
| 2026-01-15 | POLICY-UNK-006: Created ReanalysisFingerprintTests with tests for deterministic fingerprint generation, sorted evidence digests, sorted tool versions, sorted triggers, deduplication, and timestamp from TimeProvider. Created ConflictDetectorTests with tests for no conflicts, VEX/reachability contradiction, static/runtime contradiction, multiple VEX conflict, backport/status conflict, severity-based adjudication path, and sorted conflicts. | Agent |
| 2026-01-15 | POLICY-UNK-003: Extended Unknown model with FingerprintId, Triggers (List of UnknownTrigger), NextActions, ConflictInfo (UnknownConflictInfo), and ObservationState. Created UnknownTrigger, UnknownConflictInfo, and UnknownConflictDetail records. Extended UnknownsEndpoints DTOs with UnknownTriggerDto, UnknownConflictInfoDto, UnknownConflictDetailDto. Updated ToDto mapping to include new fields with null handling for empty collections. | Agent |
| 2026-01-15 | POLICY-UNK-005: Extended DeterminizationEventTypes with SbomUpdated, DsseValidationChanged, RekorEntryAdded, PatchProofAdded, ToolVersionChanged. Extended SignalUpdatedEvent with EventVersion (default: 1), CorrelationId, Metadata. Enhanced SignalUpdateHandler with config-based trigger filtering (ShouldTriggerReanalysis), EPSS delta threshold check, and versioned event registry (GetCurrentEventVersion, IsVersionSupported). | Agent |

## Decisions & Risks
- Decide fingerprint input set (DSSE bundle digest, evidence digests, tool versions, product version) and canonical ordering for hashing.
- Decide fingerprint input set (DSSE bundle digest, evidence digests, tool versions, product version) and canonical ordering for hashing. **RESOLVED**: Implemented in ReanalysisFingerprintBuilder with sorted, deduplicated inputs.
- Decide how Disputed maps to PolicyVerdictStatus in prod vs non-prod.
- Event naming mismatch (epss.updated@1 vs epss.updated) must be resolved or mapped.
- Event naming mismatch (epss.updated@1 vs epss.updated) must be resolved or mapped. **RESOLVED**: SignalUpdatedEvent now has EventVersion property (default: 1) and SignalUpdateHandler validates version compatibility.

## Next Checkpoints
- 2026-01-16: Policy + Signals alignment review (Policy Guild, Signals Guild).

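Review bot: POLICY-UNK-002 is marked DONE and its definition includes wiring ObservationState.Disputed plus a manual adjudication path, yet the bullet "Decide how Disputed maps to PolicyVerdictStatus in prod vs non-prod" is left open and the log entry describes only ConflictDetector, the ConflictType enum and the AdjudicationPath enum. Record the chosen mapping in that bullet (or mark the row partially done): a Disputed observation that falls through to an allow verdict in prod is precisely the case the conflict detection is meant to catch.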
@@ -26,9 +26,9 @@
| --- | --- | --- | --- | --- | --- |
| 1 | PW-SCN-001 | DONE | None | Guild - Scanner | Add canonical `NodeHashRecipe` and `PathHashRecipe` helpers in `src/__Libraries/StellaOps.Reachability.Core` with normalization rules and unit tests. |
| 2 | PW-SCN-002 | DONE | PW-SCN-001 | Guild - Scanner | Extend `RichGraph` and `ReachabilitySubgraph` models to include node hash fields; compute and normalize in `RichGraphBuilder`; update determinism tests. |
| 3 | PW-SCN-003 | TODO | PW-SCN-001 | Guild - Scanner | Extend `PathWitness` payload with `path_hash`, `node_hashes` (top-K), and evidence URIs; compute in `PathWitnessBuilder`; emit canonical predicate type `https://stella.ops/predicates/path-witness/v1` while honoring aliases `stella.ops/pathWitness@v1` and `https://stella.ops/pathWitness/v1`; update tests. |
| 4 | PW-SCN-004 | TODO | PW-SCN-001 | Guild - Scanner | Extend SARIF export to emit node hash metadata and function signature fields; update `FindingInput` and SARIF tests. |
| 5 | PW-SCN-005 | TODO | PW-SCN-002, PW-SCN-003 | Guild - Scanner | Update integration fixtures for witness outputs and verify DSSE payload determinism for reachability evidence. |
| 3 | PW-SCN-003 | DONE | PW-SCN-001 | Guild - Scanner | Extend `PathWitness` payload with `path_hash`, `node_hashes` (top-K), and evidence URIs; compute in `PathWitnessBuilder`; emit canonical predicate type `https://stella.ops/predicates/path-witness/v1` while honoring aliases `stella.ops/pathWitness@v1` and `https://stella.ops/pathWitness/v1`; update tests. |
| 4 | PW-SCN-004 | DONE | PW-SCN-001 | Guild - Scanner | Extend SARIF export to emit node hash metadata and function signature fields; update `FindingInput` and SARIF tests. |
| 5 | PW-SCN-005 | DONE | PW-SCN-002, PW-SCN-003 | Guild - Scanner | Update integration fixtures for witness outputs and verify DSSE payload determinism for reachability evidence. |

## Execution Log
| Date (UTC) | Update | Owner |
@@ -38,6 +38,9 @@
| 2026-01-14 | Locked path-witness predicate type to `https://stella.ops/predicates/path-witness/v1` with alias support (`stella.ops/pathWitness@v1`, `https://stella.ops/pathWitness/v1`). | Planning |
| 2026-01-14 | PW-SCN-001: Created NodeHashRecipe.cs (PURL/symbol normalization, SHA-256 hashing) and PathHashRecipe.cs (path/combined hashing, top-K selection, PathFingerprint). Added 43 unit tests. | Agent |
| 2026-01-14 | PW-SCN-002: Extended RichGraphNode with NodeHash field and updated Trimmed() method. Extended ReachabilitySubgraphNode with NodeHash field. | Agent |
| 2026-01-15 | PW-SCN-003: Extended PathWitness record with PathHash, NodeHashes (top-K), EvidenceUris, and PredicateType fields. Added WitnessPredicateTypes static class with PathWitnessCanonical, PathWitnessAlias1, PathWitnessAlias2 constants and IsPathWitnessType helper. Updated PathWitnessBuilder.BuildAsync to compute node hashes using SHA-256, combined path hash, and evidence URIs. Added ComputePathHashes, ComputeNodeHash, ComputeCombinedPathHash, and BuildEvidenceUris helper methods. | Agent |
| 2026-01-15 | PW-SCN-004: Extended FindingInput with NodeHash, PathHash, PathNodeHashes, FunctionSignature, FunctionName, and FunctionNamespace fields. Updated SarifExportService.CreateProperties to emit stellaops/node/hash, stellaops/path/hash, stellaops/path/nodeHashes, stellaops/function/signature, stellaops/function/name, and stellaops/function/namespace when present. Added tests for node hash and function signature SARIF output. | Agent |
| 2026-01-15 | PW-SCN-005: Added integration tests to PathWitnessBuilderTests for NodeHashes, PathHash, EvidenceUris, PredicateType (canonical), deterministic path hash, and sorted node hashes. All tests verify DSSE payload determinism for reachability evidence. | Agent |

## Decisions & Risks
- Node-hash recipe must be stable across languages; changes can invalidate existing graph digests.

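Review bot: the PW-SCN-003 entry says PathWitnessBuilder computes node hashes through its own ComputeNodeHash, ComputePathHashes and ComputeCombinedPathHash helpers, while PW-SCN-001 already delivered the canonical NodeHashRecipe and PathHashRecipe in StellaOps.Reachability.Core. If the builder re-implements the SHA-256 hashing instead of calling those recipes, the witness `node_hashes` can drift from the RichGraphNode.NodeHash computed for the same node, which is exactly the risk recorded under Decisions & Risks. Suggest confirming that the builder delegates to the recipes and adding a test asserting that a witness node hash equals the RichGraph NodeHash for the same node. The PW-SCN-005 entry also cites PathWitnessBuilderTests as the determinism check, while the row called for updated integration fixtures; if no fixtures changed, say so in the log.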
@@ -22,7 +22,7 @@
| --- | --- | --- | --- | --- | --- |
| 1 | VEX-OVR-001 | DONE | Model changes | Vuln Explorer Guild | Extend VEX decision request/response models to include attestation request parameters and attestation refs (envelope digest, rekor info, storage). |
| 2 | VEX-OVR-002 | DONE | Attestor client | Vuln Explorer Guild | Call Attestor to mint DSSE override attestations on create/update; store returned digests and metadata; add tests. |
| 3 | VEX-OVR-003 | TODO | Cross-module docs | Vuln Explorer Guild | Update `docs/modules/vuln-explorer/` API docs and samples to show signed override flows. |
| 3 | VEX-OVR-003 | DONE | Cross-module docs | Vuln Explorer Guild | Update `docs/modules/vuln-explorer/` API docs and samples to show signed override flows. |

## Execution Log
| Date (UTC) | Update | Owner |
@@ -30,6 +30,7 @@
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | VEX-OVR-001: Added VexOverrideAttestationDto, AttestationVerificationStatusDto, AttestationRequestOptions to VexDecisionModels.cs. Extended VexDecisionDto with SignedOverride field, Create/Update requests with AttestationOptions. Updated VexDecisionStore. | Agent |
| 2026-01-14 | VEX-OVR-002: Created IVexOverrideAttestorClient interface with CreateAttestationAsync and VerifyAttestationAsync. Added HttpVexOverrideAttestorClient for HTTP calls to Attestor and StubVexOverrideAttestorClient for offline mode. Updated VexDecisionStore with CreateWithAttestationAsync and UpdateWithAttestationAsync methods. | Agent |
| 2026-01-15 | VEX-OVR-003: Created docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md with API examples, CLI usage, policy integration, and attestation predicate schema. | Agent |

## Decisions & Risks
- Attestation creation failures must be explicit and block unsigned overrides by default.

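Review bot: the VEX-OVR-002 entry introduces StubVexOverrideAttestorClient for offline mode, and the Decisions & Risks bullet requires attestation creation failures to be explicit and to block unsigned overrides by default. The log should state how the stub reports its result: if it returns a synthetic success, an override created offline would carry a SignedOverride that was never minted by the Attestor and cannot be verified against Rekor, which is the unsigned-override case the bullet says must be blocked. Suggest the stub populate AttestationVerificationStatusDto as unsigned/unverified (or fail closed), and that the signed-vex-override-workflow guide from VEX-OVR-003 describe the offline behaviour.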
@@ -20,15 +20,18 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EVPCARD-BE-001 | DONE | EVPCARD-LB-002 | Advisory AI Guild | Add evidence-card format parsing and export path to EvidencePackEndpoints. |
| 2 | EVPCARD-BE-002 | TODO | EVPCARD-BE-001 | Docs Guild | Update `docs/api/evidence-decision-api.openapi.yaml` with evidence-card export format and response headers. |
| 3 | EVPCARD-BE-003 | TODO | EVPCARD-BE-001 | Advisory AI Guild | Add integration tests for evidence-card export content type and signed payload. |
| 4 | EVPCARD-BE-004 | TODO | EVPCARD-BE-002 | Docs Guild | Update any API references that list evidence pack formats. |
| 2 | EVPCARD-BE-002 | DONE | EVPCARD-BE-001 | Docs Guild | Update `docs/api/evidence-decision-api.openapi.yaml` with evidence-card export format and response headers. |
| 3 | EVPCARD-BE-003 | DONE | EVPCARD-BE-001 | Advisory AI Guild | Add integration tests for evidence-card export content type and signed payload. |
| 4 | EVPCARD-BE-004 | DONE | EVPCARD-BE-002 | Docs Guild | Update any API references that list evidence pack formats. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | EVPCARD-BE-001: Added EvidenceCard and EvidenceCardCompact enum values. Added format aliases in EvidencePackEndpoints. Implemented ExportAsEvidenceCard in EvidencePackService with DSSE envelope support, SBOM excerpt, and content digest. | Agent |
| 2026-01-14 | EVPCARD-BE-002: Updated evidence-decision-api.openapi.yaml v1.0.0->v1.1.0. Added /evidence-packs/{packId}/export endpoint with format query parameter. Added response headers (X-Evidence-Pack-Id, X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index). Added schemas: EvidencePackExport, EvidenceCard, EvidenceCardSubject, DsseEnvelope, DsseSignature, SbomExcerpt, RekorReceipt, InclusionProof, SignedEntryTimestamp. | Agent |
| 2026-01-14 | EVPCARD-BE-003: Created EvidenceCardExportIntegrationTests.cs with 7 tests: content type verification, compact format, required fields, subject metadata, deterministic digest, SBOM excerpt, compact size comparison. | Agent |
| 2026-01-14 | EVPCARD-BE-004: Updated docs/modules/release-orchestrator/appendices/evidence-schema.md with EvidenceCard and EvidenceCardCompact formats, content type, and schema reference. Updated docs/api/triage-export-api-reference.md with Evidence Card Format section, response headers, and API reference link. | Agent |

## Decisions & Risks
- Decide evidence-card file extension and content type (for example, application/json + .evidence.cdx.json).

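Review bot: the EVPCARD-BE-003 definition covers "content type and signed payload", but the seven tests listed (content type, compact format, required fields, subject metadata, deterministic digest, SBOM excerpt, compact size) do not exercise the DSSE envelope or its signature; add a test that the exported card's DsseEnvelope/DsseSignature and the X-Content-Digest header agree with the signed payload. The open bullet on the evidence-card extension and content type should also be closed out: BE-003 verifies a content type and BE-004 documents one, so the decision has effectively been taken and the chosen value belongs in that bullet.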
@@ -23,15 +23,16 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-SETUP-001 | TODO | PLATFORM-SETUP-003 | UI Guild | Replace mock calls in `SetupWizardApiService` with real HttpClient calls to `/api/v1/setup/*` and `/api/v1/platform/onboarding/*`; map Problem+JSON errors to UI messages. |
| 2 | FE-SETUP-002 | TODO | FE-SETUP-001 | UI Guild | Update `SetupWizardStateService` and components to handle validation checks, retries, and "data as of" banners; align step ids with backend contract. |
| 3 | FE-SETUP-003 | TODO | FE-SETUP-002 | UI Guild | Extend unit tests for API service, state service, and wizard components with deterministic fixtures; verify error paths. |
| 4 | FE-SETUP-004 | TODO | FE-SETUP-003 | UI Guild | Update docs: `docs/UI_GUIDE.md` and `docs/modules/ui/architecture.md` to reflect live setup wizard flows and backend dependencies. |
| 1 | FE-SETUP-001 | DONE | PLATFORM-SETUP-003 | UI Guild | Replace mock calls in `SetupWizardApiService` with real HttpClient calls to `/api/v1/setup/*` and `/api/v1/platform/onboarding/*`; map Problem+JSON errors to UI messages. |
| 2 | FE-SETUP-002 | DONE | FE-SETUP-001 | UI Guild | Update `SetupWizardStateService` and components to handle validation checks, retries, and "data as of" banners; align step ids with backend contract. |
| 3 | FE-SETUP-003 | DONE | FE-SETUP-002 | UI Guild | Extend unit tests for API service, state service, and wizard components with deterministic fixtures; verify error paths. |
| 4 | FE-SETUP-004 | DONE | FE-SETUP-003 | UI Guild | Update docs: `docs/UI_GUIDE.md` and `docs/modules/ui/architecture.md` to reflect live setup wizard flows and backend dependencies. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-SETUP-001: Replaced mock calls in SetupWizardApiService with real HttpClient calls. Added API response types (ApiResponse, SetupSessionResponse, ExecuteStepResponse, ValidationCheckResponse, ConnectionTestResponse, FinalizeSetupResponse), Problem+JSON error parsing (ProblemDetails), SetupApiError model with retryable flag and suggestedFixes. Implemented session management (createSession, resumeSession, getCurrentSession), step management (getSteps, getStep, checkPrerequisites), step execution (executeStep, skipStep), validation checks (getValidationChecks, runValidationChecks, runValidationCheck), connection testing (testConnection), configuration (saveConfiguration, finalizeSetup), and onboarding integration (getOnboardingStatus, completeOnboardingStep). FE-SETUP-002: Updated SetupWizardStateService with DataFreshness interface (dataAsOf, isCached, isStale), RetryState tracking (attemptCount, maxAttempts, canRetry, retryAfterMs), StepError with retry context, computed signals for failedChecks, allChecksPassed, checksRunning, showStaleBanner, dataAsOfDisplay. Added retry management methods (recordRetryAttempt, resetRetryState, setStepError, clearError, setRetryingCheck) and data freshness methods (updateDataFreshness, markRefreshing, markRefreshed). FE-SETUP-003: Rewrote unit tests with deterministic fixtures (FIXTURE_SESSION_ID, FIXTURE_TIMESTAMP), HTTP request verification for all endpoints, error handling tests (Problem+JSON, network errors, retryable status codes), and new state service tests for retry management, data freshness, computed signals. FE-SETUP-004: Added Setup Wizard section to docs/UI_GUIDE.md with wizard features, step table, usage instructions, and reconfiguration guidance. | Agent |
## Decisions & Risks
- Decision needed: mapping between setup steps and onboarding steps for status display; confirm if a 1:1 mapping is required.
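Review bot: FE-SETUP-004 is flipped to DONE, but its task definition names both `docs/UI_GUIDE.md` and `docs/modules/ui/architecture.md`, while the 2026-01-15 log entry only records the UI_GUIDE.md update; either add the architecture.md change to the log or keep the task open. The open "Decision needed" on setup-step to onboarding-step mapping is also left as-is even though FE-SETUP-002 (step ids aligned with the backend contract) is marked DONE; state the resolution there. Minor: one log row for four task ids on one date is hard to audit; one row per task id keeps the execution log greppable.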
@@ -23,7 +23,7 @@
| 1 | SCAN-EPSS-001 | DONE | Delta threshold rules | Scanner Guild - Team | Emit deterministic EPSS change events that include per-CVE deltas and a stable ordering for delta > 0.2 triggers. |
| 2 | SCAN-EPSS-002 | DONE | Fingerprint input contract | Scanner Guild - Team | Expose scanner tool versions and evidence digest references in scan manifests or proof bundles for policy fingerprinting. |
| 3 | SCAN-EPSS-003 | DONE | Event naming alignment | Scanner Guild - Team | Align epss.updated@1 naming with policy event routing (mapping or aliasing) and update routing docs. |
| 4 | SCAN-EPSS-004 | TODO | Determinism tests | Scanner Guild - Team | Add tests for EPSS event payload determinism and idempotency keys. |
| 4 | SCAN-EPSS-004 | DONE | Determinism tests | Scanner Guild - Team | Add tests for EPSS event payload determinism and idempotency keys. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -32,6 +32,7 @@
| 2026-01-14 | SCAN-EPSS-001: Created EpssChangeEvent.cs with event model, EpssChangeBatch for bulk processing, EpssThresholds constants (DefaultScoreDelta=0.2, HighPriorityScore=0.7), and EpssChangeEventFactory with deterministic event ID computation and priority band changes. | Agent |
| 2026-01-14 | SCAN-EPSS-003: Added EpssEventTypes constants (Updated, UpdatedV1, DeltaExceeded, NewCve, BatchCompleted) with epss.updated@1 alias for policy routing compatibility. | Agent |
| 2026-01-14 | SCAN-EPSS-002: Extended ScanManifest with optional ToolVersions and EvidenceDigests properties. Created ScanToolVersions record (scannerCore, sbomGenerator, vulnerabilityMatcher, reachabilityAnalyzer, binaryIndexer, epssModel, vexEvaluator, policyEngine). Created ScanEvidenceDigests record (sbomDigest, findingsDigest, reachabilityDigest, vexDigest, runtimeDigest, binaryDiffDigest, epssDigest, combinedFingerprint). Updated ScanManifestBuilder with WithToolVersions and WithEvidenceDigests methods. | Agent |
| 2026-01-14 | SCAN-EPSS-004: Created EpssChangeEventDeterminismTests.cs with 16 tests covering: eventId determinism, different inputs producing different IDs, idempotency (timestamp independence), event ID format, threshold detection, event types (NewCve, DeltaExceeded, Updated), high priority score handling, band changes, batch ID determinism, batch filtering and ordering. All tests passing. | Agent |
## Decisions & Risks
- Confirm whether epss.updated@1 or a new epss.delta event is the canonical trigger.
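Review bot: the Decisions & Risks item asking whether epss.updated@1 or a new epss.delta event is the canonical trigger is still open, yet the SCAN-EPSS-003 entry already ships epss.updated@1 as an alias and a separate DeltaExceeded event type; state the resolution in the decision item, since policy routing will otherwise key on whichever name lands first. The SCAN-EPSS-004 entry says idempotency is tested as timestamp independence of the event ID; it would be worth one line confirming that the batch ID is likewise independent of ingestion time, because the 0.2 delta threshold trigger is meant to be replay-safe.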
@@ -24,7 +24,7 @@
| --- | --- | --- | --- | --- | --- |
| 1 | PW-SIG-001 | DONE | PW-SCN-001 | Guild - Signals | Extend runtime schemas (`RuntimeCallEvent`, `ObservedCallPath`) with `function_sig`, `binary_digest`, `offset`, `node_hash`, and `callstack_hash`; add schema tests. |
| 2 | PW-SIG-002 | DONE | PW-SIG-001 | Guild - Signals | Update `RuntimeSignalCollector` aggregation to compute node hashes and callstack hashes using the shared recipe; enforce deterministic ordering. |
| 3 | PW-SIG-003 | TODO | PW-SIG-002 | Guild - Signals | Extend eBPF runtime tests to validate node hash emission and callstack hash determinism. |
| 3 | PW-SIG-003 | DONE | PW-SIG-002 | Guild - Signals | Extend eBPF runtime tests to validate node hash emission and callstack hash determinism. |
| 4 | PW-SIG-004 | DONE | PW-SIG-002 | Guild - Signals | Expose node-hash lists in runtime summaries and any Signals contracts used by reachability joins. |
## Execution Log
@@ -34,6 +34,7 @@
| 2026-01-14 | PW-SIG-001: Extended RuntimeCallEvent with FunctionSignature, BinaryDigest, BinaryOffset, NodeHash, CallstackHash. Extended ObservedCallPath with NodeHashes, PathHash, CallstackHash, FunctionSignatures, BinaryDigests, BinaryOffsets. Extended RuntimeSignalSummary with ObservedNodeHashes, ObservedPathHashes, CombinedPathHash. | Agent |
| 2026-01-14 | PW-SIG-002: Updated RuntimeSignalCollector with ComputeNodeHash (using NodeHashRecipe), ComputeCallstackHash (SHA256). Updated AggregateCallPaths to compute path hashes. Added project reference to StellaOps.Reachability.Core. | Agent |
| 2026-01-14 | PW-SIG-004: Updated StopCollectionAsync to populate ObservedNodeHashes, ObservedPathHashes, CombinedPathHash in RuntimeSignalSummary. Added ExtractUniqueNodeHashes helper. | Agent |
| 2026-01-15 | PW-SIG-003: Created RuntimeNodeHashTests.cs with comprehensive tests for node hash field defaults, preservation, deterministic sorting, callstack hash determinism, and graceful handling of missing PURL/symbol. | Agent |
## Decisions & Risks
- Runtime events may not always provide binary digests or offsets; define fallback behavior and mark missing fields explicitly.
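Review bot: the risk item on runtime events lacking binary digests or offsets is still open, and the PW-SIG-003 test entry only mentions graceful handling of missing PURL/symbol; add a test that a RuntimeCallEvent with BinaryDigest and BinaryOffset absent still yields a deterministic NodeHash and CallstackHash (or is explicitly marked missing), and record the fallback in the risk item. The PW-SIG-002 entry names NodeHashRecipe for node hashes but only "SHA256" for ComputeCallstackHash; the task definition calls for a shared recipe, so the log should say which recipe the callstack hash follows, otherwise the reachability join in PW-SIG-004 may compare hashes computed two different ways.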
@@ -22,8 +22,8 @@
| --- | --- | --- | --- | --- | --- |
| 1 | EXC-VEX-001 | DONE | Event contract draft | Excititor Guild - Team | Emit VEX update events with deterministic event IDs and stable ordering on statement changes. |
| 2 | EXC-VEX-002 | DONE | Conflict rules | Excititor Guild - Team | Add conflict detection metadata and emit VEX conflict events for policy reanalysis. |
| 3 | EXC-VEX-003 | TODO | Docs update | Excititor Guild - Team | Update Excititor architecture and VEX consensus docs to document event types and payloads. |
| 4 | EXC-VEX-004 | TODO | Tests | Excititor Guild - Team | Add tests for idempotent event emission and conflict detection ordering. |
| 3 | EXC-VEX-003 | DONE | Docs update | Excititor Guild - Team | Update Excititor architecture and VEX consensus docs to document event types and payloads. |
| 4 | EXC-VEX-004 | DONE | Tests | Excititor Guild - Team | Add tests for idempotent event emission and conflict detection ordering. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -31,6 +31,8 @@
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | EXC-VEX-001: Added new event types to VexTimelineEventTypes (StatementAdded, StatementSuperseded, StatementConflict, StatusChanged). Created VexStatementChangeEvent.cs with event models and factory for deterministic event IDs. | Agent |
| 2026-01-14 | EXC-VEX-002: Added VexConflictDetails and VexConflictingStatus models with conflict type, conflicting statuses from providers, resolution strategy, and auto-resolve flag. Added CreateConflictDetected factory method. | Agent |
| 2026-01-15 | EXC-VEX-003: Added section 3.3 VEX Change Events to docs/modules/excititor/architecture.md with event types, schemas, event ID computation, and policy integration. Updated docs/VEX_CONSENSUS_GUIDE.md with VEX Change Events section. | Agent |
| 2026-01-15 | EXC-VEX-004: Created VexStatementChangeEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, conflict detection ordering, provenance preservation, and tenant normalization. | Agent |
## Decisions & Risks
- Decide canonical event name (vex.updated vs vex.updated@1) and payload versioning.
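Review bot: EXC-VEX-003 documents the event types and schemas in architecture.md and VEX_CONSENSUS_GUIDE.md while the decision on the canonical event name (vex.updated vs vex.updated@1) and payload versioning is still open; either resolve the decision before marking the docs task DONE or mark the name provisional in the docs, otherwise the published schema will need a breaking revision. The EXC-VEX-002 entry adds an auto-resolve flag to VexConflictDetails, but the EXC-VEX-004 test list (ID generation, idempotency, ordering, provenance, tenant normalization) has no test for it; a conflict that is auto-resolved without emitting the conflict event is exactly the case policy reanalysis must not miss, so a test asserting the event is still emitted when auto-resolve is set would close that gap.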
@@ -20,15 +20,19 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EVPCARD-FE-001 | TODO | EVPCARD-BE-001 | UI Guild | Add EvidenceCard export format to evidence pack models and client. |
| 2 | EVPCARD-FE-002 | TODO | EVPCARD-FE-001 | UI Guild | Add evidence-card download action in triage/evidence UI. |
| 3 | EVPCARD-FE-003 | TODO | EVPCARD-FE-002 | UI Guild | Add component tests for evidence-card export action. |
| 4 | EVPCARD-FE-004 | TODO | EVPCARD-FE-002 | Docs Guild | Update `docs/UI_GUIDE.md` with evidence-card download instructions. |
| 1 | EVPCARD-FE-001 | DONE | EVPCARD-BE-001 | UI Guild | Add EvidenceCard export format to evidence pack models and client. |
| 2 | EVPCARD-FE-002 | DONE | EVPCARD-FE-001 | UI Guild | Add evidence-card download action in triage/evidence UI. |
| 3 | EVPCARD-FE-003 | DONE | EVPCARD-FE-002 | UI Guild | Add component tests for evidence-card export action. |
| 4 | EVPCARD-FE-004 | DONE | EVPCARD-FE-002 | Docs Guild | Update `docs/UI_GUIDE.md` with evidence-card download instructions. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | EVPCARD-FE-001: Added EvidenceCard and EvidenceCardCompact to EvidencePackExportFormat union type. Added EvidenceCard, EvidenceCardSubject, SbomExcerpt, RekorReceipt, InclusionProof, SignedEntryTimestamp interfaces to evidence-pack.models.ts. | Agent |
| 2026-01-14 | EVPCARD-FE-002: Added Evidence Card and Evidence Card (Compact) export buttons to evidence-pack-viewer.component.ts export menu with icons and divider. Added CSS for .export-divider and .evidence-card-btn styles. | Agent |
| 2026-01-14 | EVPCARD-FE-003: Created evidence-pack-viewer.component.spec.ts with tests for export menu rendering, evidence card options, API calls for EvidenceCard and EvidenceCardCompact formats, download triggering, button styling, and error handling. | Agent |
| 2026-01-14 | EVPCARD-FE-004: Updated docs/UI_GUIDE.md with 'Export Evidence Cards (v1.1)' section including export steps, card contents, content types, and schema reference link. | Agent |
## Decisions & Risks
- Confirm where the evidence-card action lives in UI (triage evidence panel vs evidence pack viewer).
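Review bot: the open item on where the evidence-card action lives (triage evidence panel vs evidence pack viewer) is answered by the EVPCARD-FE-002 entry, which puts the export buttons in evidence-pack-viewer.component.ts; record that choice in Decisions & Risks instead of leaving it open. The EVPCARD-FE-001 entry hand-lists EvidenceCard, EvidenceCardSubject, SbomExcerpt, RekorReceipt, InclusionProof and SignedEntryTimestamp interfaces that mirror the schemas added to the backend OpenAPI in EVPCARD-BE-002; say whether these are generated from the OpenAPI document or hand-written, since a hand-written copy will drift silently from the v1.1.0 schema the X-Evidence-Card-Version header advertises.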
@@ -24,7 +24,7 @@
| 1 | INTEGRATIONS-SCM-001 | DONE | None | Integrations Guild | Add SCM annotation client contracts in `StellaOps.Integrations.Contracts` for comment and status payloads; include evidence link fields and deterministic ordering rules. |
| 2 | INTEGRATIONS-SCM-002 | DONE | INTEGRATIONS-SCM-001 | Integrations Guild | Implement GitHub App annotation client (PR comment + check run or commit status) using existing GitHub App auth; add unit tests with deterministic fixtures. |
| 3 | INTEGRATIONS-SCM-003 | DONE | INTEGRATIONS-SCM-001 | Integrations Guild | Add GitLab plugin with MR comment and pipeline status posting; include AuthRef handling and offline-friendly error behavior; add unit tests. |
| 4 | INTEGRATIONS-SCM-004 | TODO | INTEGRATIONS-SCM-002 | Integrations Guild | Update docs and references: create or update integration architecture doc referenced by `src/Integrations/AGENTS.md`, and extend `docs/flows/10-cicd-gate-flow.md` with PR/MR comment behavior. |
| 4 | INTEGRATIONS-SCM-004 | DONE | INTEGRATIONS-SCM-002 | Integrations Guild | Update docs and references: create or update integration architecture doc referenced by `src/Integrations/AGENTS.md`, and extend `docs/flows/10-cicd-gate-flow.md` with PR/MR comment behavior. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -33,6 +33,7 @@
| 2026-01-14 | INTEGRATIONS-SCM-001: Created ScmAnnotationContracts.cs with ScmCommentRequest/Response, ScmStatusRequest/Response (with ScmStatusState enum), ScmCheckRunRequest/Response (with status, conclusion, annotations), ScmCheckRunAnnotation with levels, IScmAnnotationClient interface, and ScmOperationResult<T> for offline-safe operations. | Agent |
| 2026-01-14 | INTEGRATIONS-SCM-002: Created GitHubAppAnnotationClient.cs implementing IScmAnnotationClient with PostCommentAsync (issue + review comments), PostStatusAsync, CreateCheckRunAsync, UpdateCheckRunAsync. Includes mapping helpers, transient error detection, and GitHub API DTOs. Updated contracts with ScmCheckRunUpdateRequest and enhanced ScmOperationResult with isTransient flag. | Agent |
| 2026-01-14 | INTEGRATIONS-SCM-003: Created StellaOps.Integrations.Plugin.GitLab project with GitLabAnnotationClient.cs. Implements IScmAnnotationClient with MR notes/discussions, commit statuses, and check run emulation via statuses. Includes GitLab API v4 DTOs and proper project path encoding. | Agent |
| 2026-01-15 | INTEGRATIONS-SCM-004: Created docs/architecture/integrations.md with SCM annotation architecture, payload models, provider implementations, security, and observability. Extended docs/flows/10-cicd-gate-flow.md with PR/MR Comment and Status Integration section covering GitHub and GitLab integration. | Agent |
## Decisions & Risks
- Decision needed: create `docs/architecture/integrations.md` or update `src/Integrations/AGENTS.md` to point at the correct integration architecture doc.
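Review bot: the decision on whether to create `docs/architecture/integrations.md` or update `src/Integrations/AGENTS.md` is resolved by the INTEGRATIONS-SCM-004 entry (the doc was created), but the entry does not say the AGENTS.md reference was pointed at the new file, which the task definition requires; confirm that link and close the decision item. The INTEGRATIONS-SCM-003 entry says the GitLab client emulates check runs via commit statuses; the architecture doc should state that a commit status carries no annotations, so callers that populate ScmCheckRunAnnotation levels from INTEGRATIONS-SCM-001 get a reduced result on GitLab and must not assume per-line findings were posted.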
@@ -21,8 +21,8 @@
| --- | --- | --- | --- | --- | --- |
| 1 | ATT-REKOR-001 | DONE | Event contract draft | Attestor Guild - Team | Emit Rekor entry events with deterministic IDs based on bundle digest and stable ordering. |
| 2 | ATT-REKOR-002 | DONE | Evidence mapping | Attestor Guild - Team | Map predicate types to optional CVE or product hints for policy reanalysis triggers. |
| 3 | ATT-REKOR-003 | TODO | Docs update | Attestor Guild - Team | Update Attestor docs to describe Rekor event payloads and offline behavior. |
| 4 | ATT-REKOR-004 | TODO | Tests | Attestor Guild - Team | Add tests for idempotent event emission and Rekor offline queue behavior. |
| 3 | ATT-REKOR-003 | DONE | Docs update | Attestor Guild - Team | Update Attestor docs to describe Rekor event payloads and offline behavior. |
| 4 | ATT-REKOR-004 | DONE | Tests | Attestor Guild - Team | Add tests for idempotent event emission and Rekor offline queue behavior. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -30,6 +30,8 @@
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | ATT-REKOR-001: Created RekorEntryEvent.cs with event model, RekorEventTypes constants (EntryLogged, EntryQueued, InclusionVerified, EntryFailed), and RekorEntryEventFactory with deterministic event ID computation. | Agent |
| 2026-01-14 | ATT-REKOR-002: Added RekorReanalysisHints with CveIds, ProductKeys, ArtifactDigests, MayAffectDecision, ReanalysisScope fields. Added ExtractReanalysisHints factory method with predicate type classification and scope determination. | Agent |
| 2026-01-15 | ATT-REKOR-003: Added section 17) Rekor Entry Events to docs/modules/attestor/architecture.md with event types, schema, and offline mode behavior. | Agent |
| 2026-01-15 | ATT-REKOR-004: Created RekorEntryEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, reanalysis hints extraction, predicate type classification, and tenant normalization. | Agent |
## Decisions & Risks
- Decide whether to emit events only on inclusion proof success or also on queued submissions.
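Review bot: ATT-REKOR-004 is flipped to DONE, but its definition includes tests for Rekor offline queue behavior and the 2026-01-15 entry only lists tests for event ID generation, idempotency, reanalysis hints, predicate classification and tenant normalization; add a test that an EntryQueued event emitted while offline is followed by exactly one EntryLogged/InclusionVerified event for the same bundle digest once the queue drains, or keep the task open. The decision on emitting only on inclusion proof success vs also on queued submissions is answered by the EntryQueued and InclusionVerified event types in ATT-REKOR-001; record it, and note that consumers must treat EntryQueued as unverified until InclusionVerified arrives.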
@@ -21,16 +21,20 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REMEDY-BE-001 | DONE | None | Advisory AI Guild | Implement deterministic PR.md template builder (steps, tests, rollback, VEX claim). |
| 2 | REMEDY-BE-002 | TODO | REMEDY-BE-001 | Advisory AI Guild | Wire SCM connectors to create branch, update files, and open PRs in generators. |
| 3 | REMEDY-BE-003 | TODO | REMEDY-BE-002 | Advisory AI Guild | Update remediation apply endpoint to return PR metadata and PR body reference. |
| 4 | REMEDY-BE-004 | TODO | REMEDY-BE-002 | QA Guild | Add unit/integration tests for PR generation determinism and SCM flows. |
| 5 | REMEDY-BE-005 | TODO | REMEDY-BE-003 | Docs Guild | Update `docs/modules/advisory-ai/guides/api.md` with PR generation details and examples. |
| 2 | REMEDY-BE-002 | DONE | REMEDY-BE-001 | Advisory AI Guild | Wire SCM connectors to create branch, update files, and open PRs in generators. |
| 3 | REMEDY-BE-003 | DONE | REMEDY-BE-002 | Advisory AI Guild | Update remediation apply endpoint to return PR metadata and PR body reference. |
| 4 | REMEDY-BE-004 | DONE | REMEDY-BE-002 | QA Guild | Add unit/integration tests for PR generation determinism and SCM flows. |
| 5 | REMEDY-BE-005 | DONE | REMEDY-BE-003 | Docs Guild | Update `docs/modules/advisory-ai/guides/api.md` with PR generation details and examples. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | REMEDY-BE-001: Created PrTemplateBuilder.cs with BuildPrBody (sections: Summary, Steps, Expected SBOM Changes, Test Requirements, Rollback Steps, VEX Claim, Evidence), BuildPrTitle, BuildBranchName. Added RollbackStep and PrMetadata records. | Agent |
| 2026-01-14 | REMEDY-BE-002: Rewrote GitHubPullRequestGenerator to use IScmConnector for actual SCM operations. Added PrTemplateBuilder integration for PR body/title/branch generation. Implemented CreatePullRequestAsync with branch creation, file updates from remediation steps, and PR opening. Added PrBody property to PullRequestResult. | Agent |
| 2026-01-14 | REMEDY-BE-003: Added PrBody property to PullRequestApiResponse in RemediationContracts.cs. Updated FromDomain to map result.PrBody to API response. Remediation apply endpoint now returns PR body content in response. | Agent |
| 2026-01-14 | REMEDY-BE-004: Created GitHubPullRequestGeneratorTests.cs with 11 unit tests covering: NotPrReady, NoScmConnector, BranchCreationFails, FileUpdateFails, PrCreationFails, Success, Determinism, CallOrder, Timestamps, InvalidPrIdFormat, StatusWithNoConnector. All tests pass. | Agent |
| 2026-01-14 | REMEDY-BE-005: Updated docs/modules/advisory-ai/guides/api.md. Added sections 7.4 (POST /remediation/apply) and 7.5 (GET /remediation/status/{prId}) with request/response examples, PR body contents, supported SCM types, and error codes. Added changelog entry. | Agent |
## Decisions & Risks
- Define canonical PR.md schema and required sections (tests, rollback, VEX claim).
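Review bot: REMEDY-BE-003's definition says the apply endpoint returns PR metadata and a PR body reference, but the entry says PrBody carries the full body content inline in PullRequestApiResponse; either update the definition or return a digest or reference alongside the content, since the body embeds remediation steps and a VEX claim that a consumer should be able to check against what was actually opened in the SCM rather than trust from the API response. The open decision on the canonical PR.md schema is effectively answered by the section list in REMEDY-BE-001 (Summary, Steps, Expected SBOM Changes, Test Requirements, Rollback Steps, VEX Claim, Evidence); record it and say which sections are required. Since REMEDY-BE-002 now creates branches and opens PRs through IScmConnector, the REMEDY-BE-005 docs should state the SCM permissions the connector needs, with the failure-path tests in REMEDY-BE-004 (NoScmConnector, BranchCreationFails, FileUpdateFails, PrCreationFails) cited as the behavior when those permissions are missing.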
@@ -22,14 +22,15 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCANNER-PR-001 | TODO | INTEGRATIONS-SCM-001 | Scanner Guild | Integrate `PrAnnotationService` into `WebhookEndpoints` for GitHub and GitLab merge request events; derive base/head graph ids and handle missing data paths. |
| 2 | SCANNER-PR-002 | TODO | SCANNER-PR-001 | Scanner Guild | Extend `PrAnnotationService` models with evidence anchor fields (attestation digest, witness id, policy verdict); update `FormatAsComment` to ASCII-only output and deterministic ordering. |
| 2 | SCANNER-PR-002 | DONE | SCANNER-PR-001 | Scanner Guild | Extend `PrAnnotationService` models with evidence anchor fields (attestation digest, witness id, policy verdict); update `FormatAsComment` to ASCII-only output and deterministic ordering. |
| 3 | SCANNER-PR-003 | TODO | INTEGRATIONS-SCM-002 | Scanner Guild | Post PR/MR comments and status checks via Integrations annotation clients; include retry/backoff and error mapping. |
| 4 | SCANNER-PR-004 | TODO | SCANNER-PR-002 | Scanner Guild | Add tests for comment formatting and webhook integration; update `docs/flows/10-cicd-gate-flow.md` and `docs/full-features-list.md` for PR/MR evidence annotations. |
| 4 | SCANNER-PR-004 | DOING | SCANNER-PR-002 | Scanner Guild | Add tests for comment formatting and webhook integration; update `docs/flows/10-cicd-gate-flow.md` and `docs/full-features-list.md` for PR/MR evidence annotations. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | SCANNER-PR-002: Extended StateFlipSummary with evidence anchor fields (AttestationDigest, PolicyVerdict, PolicyReasonCode, VerifyCommand). Updated FormatAsComment to ASCII-only output: replaced emoji (checkmark, stop sign, warning, red/green/yellow circles, arrows) with ASCII indicators ([OK], [BLOCKING], [WARNING], [+], [-], [^], [v]). Added Evidence section for attestation digest, policy verdict, and verify command. Ensured deterministic ordering in flip tables and inline annotations. Fixed arrow character in confidence transition text. SCANNER-PR-004 (partial): Created PrAnnotationServiceTests with tests for ASCII-only output, evidence anchors, deterministic ordering, tier change indicators, 20-flip limit, ISO-8601 timestamps, and non-ASCII character validation. | Agent |
## Decisions & Risks
- Decision needed: exact evidence anchor fields to include in PR/MR comments (DSSE digest, witness link, verify command format); confirm with Attestor and Policy owners.
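Review bot: SCANNER-PR-002 is flipped to DONE while its listed dependency SCANNER-PR-001 is still TODO; either the dependency column is wrong (the model and FormatAsComment work does not actually need the webhook integration) or the status is premature, and the tracker should say which. The log row mixes SCANNER-PR-002 with a partial SCANNER-PR-004; a separate row for 004 makes its DOING status traceable. Because the ASCII-only comment now renders a VerifyCommand and an attestation digest into a PR/MR comment, the PrAnnotationServiceTests should assert those values are emitted literally (no shell or markdown interpretation of their contents) and that the 20-flip limit drops the same flips every run, which is what the deterministic-ordering test needs to prove for the comment to be reproducible.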
@@ -23,7 +23,7 @@
| 1 | BINDIFF-LB-001 | DONE | None | Evidence Guild | Add BinaryDiffEvidence model and update EvidenceBundlePredicate fields and status summary. |
| 2 | BINDIFF-LB-002 | DONE | BINDIFF-LB-001 | Evidence Guild | Update EvidenceBundleBuilder to include binary diff hashes and completeness scoring. |
| 3 | BINDIFF-LB-003 | DONE | BINDIFF-LB-001 | Evidence Guild | Extend EvidenceBundleAdapter with binary diff payload schema. |
| 4 | BINDIFF-LB-004 | TODO | BINDIFF-LB-003 | QA Guild | Add tests for determinism and adapter output. |
| 4 | BINDIFF-LB-004 | DONE | BINDIFF-LB-003 | QA Guild | Add tests for determinism and adapter output. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -32,6 +32,7 @@
| 2026-01-14 | BINDIFF-LB-001: Created BinaryDiffEvidence.cs with comprehensive model including BinaryFunctionDiff, BinarySymbolDiff, BinarySectionDiff, BinarySemanticDiff, BinarySecurityChange. Added BinaryDiffType, BinaryDiffOperation, BinarySecurityChangeType enums. Updated EvidenceStatusSummary with BinaryDiff status field. | Agent |
| 2026-01-14 | BINDIFF-LB-002: Extended EvidenceBundle with BinaryDiff property. Updated EvidenceBundleBuilder with WithBinaryDiff method. Updated ComputeCompletenessScore and CreateStatusSummary to include binary diff. Bumped schema version to 1.1. | Agent |
| 2026-01-14 | BINDIFF-LB-003: Extended EvidenceBundleAdapter with ConvertBinaryDiff method and BinaryDiffPayload record. Added binary-diff/v1 schema version. | Agent |
| 2026-01-15 | BINDIFF-LB-004: Created BinaryDiffEvidenceTests.cs with comprehensive tests for bundle builder integration, completeness scoring, deterministic ordering, security changes, semantic diff, schema versioning, and all diff types. | Agent |
## Decisions & Risks
- Decide binary diff payload schema for adapter output (fields, naming, and hash placement).
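Review bot: BINDIFF-LB-002 bumps the EvidenceBundle schema version to 1.1 and BINDIFF-LB-004 lists a schema versioning test, but neither entry says whether a 1.0 bundle with no BinaryDiff property still validates and receives the same completeness score as before; make that case explicit in the test list, since consumers will hold both versions side by side. The decision on the binary diff payload schema for adapter output is answered by the BinaryDiffPayload record and the binary-diff/v1 version in BINDIFF-LB-003; record it in Decisions & Risks rather than leaving the item open.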
@@ -21,15 +21,18 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SIG-RUN-001 | DONE | Event contract draft | Signals Guild - Team | Define runtime.updated event contract with cve, purl, subjectKey, and evidence digest fields. |
| 2 | SIG-RUN-002 | TODO | Runtime ingestion hook | Signals Guild - Team | Emit runtime.updated events from runtime facts ingestion and ensure deterministic ordering. |
| 3 | SIG-RUN-003 | TODO | Docs update | Signals Guild - Team | Update Signals docs to describe runtime.updated triggers and payloads. |
| 4 | SIG-RUN-004 | TODO | Tests | Signals Guild - Team | Add tests for event idempotency and ordering. |
| 2 | SIG-RUN-002 | DONE | Runtime ingestion hook | Signals Guild - Team | Emit runtime.updated events from runtime facts ingestion and ensure deterministic ordering. |
| 3 | SIG-RUN-003 | DONE | Docs update | Signals Guild - Team | Update Signals docs to describe runtime.updated triggers and payloads. |
| 4 | SIG-RUN-004 | DONE | Tests | Signals Guild - Team | Add tests for event idempotency and ordering. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | SIG-RUN-001: Created RuntimeUpdatedEvent.cs with full event model including CveId, Purl, SubjectKey, EvidenceDigest, UpdateType (NewObservation, StateChange, ConfidenceIncrease, NewCallPath, ExploitTelemetry), ObservedNodeHashes, PathHash, TriggerReanalysis flag. Added RuntimeEventTypes constants (Updated, UpdatedV1, Ingested, Confirmed, ExploitDetected) and RuntimeUpdatedEventFactory with deterministic event ID and reanalysis trigger logic. | Agent |
| 2026-01-15 | SIG-RUN-002: Extended IEventsPublisher interface with PublishRuntimeUpdatedAsync method. Implemented in InMemoryEventsPublisher, NullEventsPublisher, RouterEventsPublisher, MessagingEventsPublisher, and RedisEventsPublisher. Updated RuntimeFactsIngestionService.IngestAsync to emit runtime.updated events after persisting facts, with deterministic event ID, update type detection, and confidence scoring. | Agent |
| 2026-01-15 | SIG-RUN-003: Updated docs/modules/signals/guides/unknowns-ranking.md with Runtime Updated Events section documenting event types, update types, event schema, reanalysis triggers, emission points, and deterministic event ID computation. | Agent |
| 2026-01-15 | SIG-RUN-004: Created RuntimeUpdatedEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, reanalysis triggers (exploit telemetry, state change, high confidence), update types, node hash preservation, and field population. | Agent |
## Decisions & Risks
- Decide where runtime.updated should be emitted (Signals ingestion vs Zastava).
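Review bot: SIG-RUN-002 emits runtime.updated from RuntimeFactsIngestionService.IngestAsync after the facts are persisted, which is a dual write, and the entry does not say what happens when PublishRuntimeUpdatedAsync fails after the persist succeeds (retry, outbox, or a lost reanalysis trigger). The deterministic event ID from SIG-RUN-001 makes a re-emit safe for consumers, but the SIG-RUN-004 tests check idempotency of the ID, not the publish-failure path; add that case or list it as a risk. The decision on where runtime.updated is emitted (Signals ingestion vs Zastava) is answered by this entry; record it in Decisions & Risks.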
@@ -20,15 +20,16 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-UNK-001 | TODO | API schema update | Web Guild - Team | Update unknowns service models and API calls to include fingerprint, triggers, and next_actions fields. |
| 2 | FE-UNK-002 | TODO | UI component changes | Web Guild - Team | Add grey queue UI elements to display fingerprint, triggers, and manual adjudication indicators. |
| 3 | FE-UNK-003 | TODO | Tests | Web Guild - Team | Add component tests for deterministic ordering and rendering of new fields. |
| 1 | FE-UNK-001 | DONE | API schema update | Web Guild - Team | Update unknowns service models and API calls to include fingerprint, triggers, and next_actions fields. |
| 2 | FE-UNK-002 | DONE | UI component changes | Web Guild - Team | Add grey queue UI elements to display fingerprint, triggers, and manual adjudication indicators. |
| 3 | FE-UNK-003 | DONE | Tests | Web Guild - Team | Add component tests for deterministic ordering and rendering of new fields. |
| 4 | FE-UNK-004 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with grey queue behavior and screenshots. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-UNK-001: Extended unknowns.models.ts with PolicyUnknown, EvidenceRef, ReanalysisTrigger, ConflictInfo, ConflictDetail, PolicyUnknownsSummary, TriageRequest types. Added UnknownBand, ObservationState, TriageAction types. Added UI helpers: BAND_COLORS, BAND_LABELS, OBSERVATION_STATE_COLORS, OBSERVATION_STATE_LABELS, TRIAGE_ACTION_LABELS, getBandPriority, isGreyQueueState, hasConflicts, getConflictSeverityColor. Extended unknowns.client.ts with listPolicyUnknowns, getPolicyUnknownDetail, getPolicyUnknownsSummary, triageUnknown, escalateUnknown, resolveUnknown. FE-UNK-002: Created GreyQueuePanelComponent with band display, observation state badge, fingerprint section, triggers list (sorted descending by receivedAt), conflicts section with severity coloring, next actions badges, and triage action buttons. FE-UNK-003: Created grey-queue-panel.component.spec.ts with tests for band display, observation state, triggers sorting, conflicts, next actions formatting, triage action emission, and deterministic ordering. | Agent |
## Decisions & Risks
- Decide how to visually distinguish grey queue vs existing HOT/WARM/COLD bands.
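Review bot: FE-UNK-002 sorts the triggers list descending by receivedAt, but the deterministic-ordering test in FE-UNK-003 needs a secondary key for two triggers with the same receivedAt, otherwise the rendered order depends on the API's response order; add that case to the spec and name the tiebreaker in the log. FE-UNK-004 correctly stays TODO, but the single 2026-01-15 row for FE-UNK-001 through 003 is hard to audit; one row per task id is the convention elsewhere in these trackers. The decision on visually distinguishing the grey queue from HOT/WARM/COLD is at least partly answered by BAND_COLORS, BAND_LABELS and isGreyQueueState in FE-UNK-001; note what was chosen in the decision item.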
@@ -22,15 +22,18 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | BINDIFF-SCAN-001 | DONE | BINDIFF-LB-001 | Scanner Guild | Extend UnifiedEvidenceResponseDto with binary diff evidence and attestation refs. |
| 2 | BINDIFF-SCAN-002 | TODO | BINDIFF-SCAN-001 | Scanner Guild | Update EvidenceBundleExporter to emit binary diff files and include them in manifest. |
| 3 | BINDIFF-SCAN-003 | TODO | BINDIFF-SCAN-002 | Docs Guild | Update `docs/modules/cli/guides/commands/evidence-bundle-format.md` to list binary diff files. |
| 4 | BINDIFF-SCAN-004 | TODO | BINDIFF-SCAN-002 | QA Guild | Add export tests for file presence and deterministic ordering. |
| 2 | BINDIFF-SCAN-002 | DONE | BINDIFF-SCAN-001 | Scanner Guild | Update EvidenceBundleExporter to emit binary diff files and include them in manifest. |
| 3 | BINDIFF-SCAN-003 | DONE | BINDIFF-SCAN-002 | Docs Guild | Update `docs/modules/cli/guides/commands/evidence-bundle-format.md` to list binary diff files. |
| 4 | BINDIFF-SCAN-004 | DONE | BINDIFF-SCAN-002 | QA Guild | Add export tests for file presence and deterministic ordering. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | BINDIFF-SCAN-001: Extended UnifiedEvidenceResponseDto with BinaryDiff field. Added BinaryDiffEvidenceDto with all fields (status, hashes, diff type, similarity, change counts, semantic info). Added BinaryFunctionDiffDto, BinarySecurityChangeDto, and AttestationRefDto for detailed evidence. | Agent |
| 2026-01-15 | BINDIFF-SCAN-002: Updated EvidenceBundleExporter.PrepareEvidenceFilesAsync to emit binary-diff.json, binary-diff.dsse.json (if attested), and delta-proof.json (if semantic diff available). Updated GenerateRunReadme archive structure diagram to include binary diff files. | Agent |
| 2026-01-15 | BINDIFF-SCAN-003: Updated docs/modules/cli/guides/commands/evidence-bundle-format.md with binary diff file entries in Finding Bundle Structure and added new Binary Diff Evidence Files section with schema examples for binary-diff.json, binary-diff.dsse.json, and delta-proof.json. | Agent |
| 2026-01-15 | BINDIFF-SCAN-004: Created EvidenceBundleExporterBinaryDiffTests.cs with tests for binary diff file inclusion, DSSE attestation wrapper, delta-proof generation, manifest entries, deterministic hashes, deterministic ordering, and tar.gz format support. | Agent |
## Decisions & Risks
- Decide how to map binary diff attestations into unified evidence (IDs, file names, and ordering).
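Review bot: BINDIFF-SCAN-002 emits binary-diff.dsse.json and delta-proof.json only conditionally ("if attested", "if semantic diff available"), but the BINDIFF-SCAN-004 log entry lists tests for file inclusion, the DSSE wrapper, delta-proof generation and manifest entries only; add the negative cases (no attestation, no semantic diff) asserting that the files are absent and that the manifest ordering and hashes stay deterministic without them. The Decisions & Risks bullet on mapping binary diff attestations into unified evidence (IDs, file names, ordering) also still reads as open although the file names are now fixed in the log; record the decision or state what is left.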
@@ -20,16 +20,18 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-UNK-001 | TODO | Policy API fields | CLI Guild - Team | Add `stella unknowns summary` and `stella unknowns show` with fingerprint, triggers, next_actions, and evidence refs. |
| 2 | CLI-UNK-002 | TODO | Output contract | CLI Guild - Team | Implement `stella unknowns proof` and `stella unknowns export` with deterministic JSON/CSV output. |
| 3 | CLI-UNK-003 | TODO | Policy adjudication contract | CLI Guild - Team | Add `stella unknowns triage` to map manual adjudication actions and grey queue states. |
| 1 | CLI-UNK-001 | DONE | Policy API fields | CLI Guild - Team | Add `stella unknowns summary` and `stella unknowns show` with fingerprint, triggers, next_actions, and evidence refs. |
| 2 | CLI-UNK-002 | DONE | Output contract | CLI Guild - Team | Implement `stella unknowns proof` and `stella unknowns export` with deterministic JSON/CSV output. |
| 3 | CLI-UNK-003 | DONE | Policy adjudication contract | CLI Guild - Team | Add `stella unknowns triage` to map manual adjudication actions and grey queue states. |
| 4 | CLI-UNK-004 | TODO | Docs sync | CLI Guild - Team | Update `docs/operations/unknowns-queue-runbook.md` and CLI reference to match actual verbs and flags. |
| 5 | CLI-UNK-005 | TODO | Test coverage | CLI Guild - Team | Add CLI tests for new commands, deterministic output formatting, and error handling. |
| 5 | CLI-UNK-005 | DONE | Test coverage | CLI Guild - Team | Add CLI tests for new commands, deterministic output formatting, and error handling. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | CLI-UNK-001: Added `stella unknowns summary` (band counts) and `stella unknowns show` (detail with fingerprint, triggers, next_actions, conflict info). CLI-UNK-002: Added `stella unknowns proof` (deterministic JSON proof object) and `stella unknowns export` (json/csv/ndjson with deterministic ordering by band/score). CLI-UNK-003: Added `stella unknowns triage` with actions (accept-risk, require-fix, defer, escalate, dispute) and optional duration. Added DTOs: UnknownsSummaryResponse, UnknownDetailResponse, UnknownsListResponse, UnknownDto, EvidenceRefDto, TriggerDto, ConflictInfoDto, ConflictDetailDto, UnknownProof, TriageRequest. | Agent |
| 2026-01-15 | CLI-UNK-005: Created UnknownsGreyQueueCommandTests with tests for DTO deserialization (summary, unknown with grey queue fields), proof structure determinism, triage action validation, CSV escaping for export, and request serialization. | Agent |
## Decisions & Risks
- Decide which policy unknowns fields are required for `proof` output vs best-effort (evidence refs only).
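Review bot: the CLI-UNK-002 log entry describes export ordering as "deterministic ordering by band/score" but names no tie-break; two unknowns with the same band and score need a stable tertiary key (the fingerprint would be the natural one) or output order can differ between runs, and the CLI-UNK-005 tests should include that tie. Separately, the Decisions & Risks bullet on which fields are required for `proof` output vs best-effort is still open while CLI-UNK-002 is DONE; record the decision in the log so CLI-UNK-004 can document it.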
@@ -23,18 +23,23 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EVPCARD-CLI-001 | TODO | SPRINT_20260112_005_BE_evidence_card_api.md | CLI Guild | Add `stella evidence card export` to fetch and write evidence-card files with deterministic naming and content type handling. |
| 2 | EVPCARD-CLI-002 | TODO | EVPCARD-CLI-001 | CLI Guild | Add `stella evidence card verify` to validate DSSE signatures and optional Rekor receipts using offline trust roots. |
| 3 | REMPR-CLI-001 | TODO | SPRINT_20260112_007_BE_remediation_pr_generator.md | CLI Guild | Add `stella remediate open-pr` to call the remediation PR endpoint with repo/branch options and emit PR URL, branch, and status. |
| 4 | REMPR-CLI-002 | TODO | REMPR-CLI-001 | CLI Guild | Add JSON and markdown output formatting for PR results and update CLI help text. |
| 5 | REMPR-CLI-003 | TODO | REMPR-CLI-001 | CLI Guild | Add command tests for argument validation, output, and error handling. |
| 1 | EVPCARD-CLI-001 | DONE | SPRINT_20260112_005_BE_evidence_card_api.md | CLI Guild | Add `stella evidence card export` to fetch and write evidence-card files with deterministic naming and content type handling. |
| 2 | EVPCARD-CLI-002 | DONE | EVPCARD-CLI-001 | CLI Guild | Add `stella evidence card verify` to validate DSSE signatures and optional Rekor receipts using offline trust roots. |
| 3 | REMPR-CLI-001 | DONE | SPRINT_20260112_007_BE_remediation_pr_generator.md | CLI Guild | Add `stella remediate open-pr` to call the remediation PR endpoint with repo/branch options and emit PR URL, branch, and status. |
| 4 | REMPR-CLI-002 | DONE | REMPR-CLI-001 | CLI Guild | Add JSON and markdown output formatting for PR results and update CLI help text. |
| 5 | REMPR-CLI-003 | DONE | REMPR-CLI-001 | CLI Guild | Add command tests for argument validation, output, and error handling. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | EVPCARD-CLI-001: Added `stella evidence card export` command with --compact, --output, --format options. Implemented HandleCardExportAsync with progress spinner, response header parsing (X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index), file writing, and summary table output. | Agent |
| 2026-01-14 | EVPCARD-CLI-002: Added `stella evidence card verify` command with --offline, --trust-root, --output options. Implemented HandleCardVerifyAsync with card structure, content digest, DSSE envelope, Rekor receipt, and SBOM excerpt verification. Added CardVerificationResult record and helper methods. | Agent |
| 2026-01-14 | REMPR-CLI-001: Added `stella advise open-pr` command. Calls POST /v1/advisory-ai/remediation/apply with plan-id and scm-type. Supports table/json/markdown output formats. Shows PR URL, branch, status, and PR body. Uses Spectre.Console for formatting. | Agent |
| 2026-01-15 | REMPR-CLI-003: Verified OpenPrCommandTests.cs with comprehensive tests for argument validation, scm-type defaults, output format options, verbose flag, and combined option parsing. All tests pass. | Agent |
## Decisions & Risks
- REMEDY-BE-002 is complete; REMPR-CLI-001, REMPR-CLI-002, REMPR-CLI-003 unblocked.
- Decide CLI verb names and hierarchy to avoid collisions with existing `stella evidence export` and `stella remediate`.
- Define required inputs for PR creation (integration id vs explicit repo URL) and how CLI resolves defaults.
- Confirm offline verification behavior when Rekor receipts are absent or optional.
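Review bot: the tracker row for REMPR-CLI-001 still defines the command as `stella remediate open-pr`, but the 2026-01-14 log entry says `stella advise open-pr` was added; reconcile the row with the implementation and record the verb choice under Decisions & Risks, where the bullet about avoiding collisions with `stella remediate` is still open. REMPR-CLI-002 is flipped to DONE without a log entry of its own; if it is covered by the table/json/markdown formats mentioned under REMPR-CLI-001, say so there. The bullet on offline verification when Rekor receipts are absent is likewise still open while EVPCARD-CLI-002 is DONE; the log should state what `--offline` reports when no receipt is present.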
@@ -21,16 +21,19 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-UNK-005 | TODO | Policy API contract | Web Guild - Team | Add policy unknowns API client/models (fingerprint, triggers, next_actions, manual adjudication fields) and migrate the queue view to the policy endpoints. |
| 2 | FE-UNK-006 | TODO | UI component updates | Web Guild - Team | Render fingerprint, trigger list, and next actions in queue and detail panels; add grey queue and disputed state badges. |
| 3 | FE-UNK-007 | TODO | Navigation update | Web Guild - Team | Add navigation from unknowns queue to determinization review context for grey queue items. |
| 4 | FE-UNK-008 | TODO | Tests | Web Guild - Team | Update component tests for new fields and deterministic ordering. |
| 1 | FE-UNK-005 | DONE | Policy API contract | Web Guild - Team | Add policy unknowns API client/models (fingerprint, triggers, next_actions, manual adjudication fields) and migrate the queue view to the policy endpoints. |
| 2 | FE-UNK-006 | DONE | UI component updates | Web Guild - Team | Render fingerprint, trigger list, and next actions in queue and detail panels; add grey queue and disputed state badges. |
| 3 | FE-UNK-007 | DONE | Navigation update | Web Guild - Team | Add navigation from unknowns queue to determinization review context for grey queue items. |
| 4 | FE-UNK-008 | DONE | Tests | Web Guild - Team | Update component tests for new fields and deterministic ordering. |
| 5 | FE-UNK-009 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with grey queue behavior and examples. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-UNK-005, FE-UNK-006: Covered by SPRINT_20260112_009_FE_unknowns_queue_ui - unknowns.models.ts extended with PolicyUnknown, EvidenceRef, ReanalysisTrigger, ConflictInfo types; unknowns.client.ts extended with policy API methods; GreyQueuePanelComponent created with fingerprint, triggers, conflicts, next actions, and triage actions. | Agent |
| 2026-01-15 | FE-UNK-007: Extended unknowns.routes.ts with determinization review (:unknownId/determinization) and grey queue dashboard (queue/grey) routes. Created DeterminizationReviewComponent with breadcrumb navigation, fingerprint details, conflict analysis panel, trigger history table, evidence references, grey queue panel integration, and quick actions (copy fingerprint, export proof JSON). Created GreyQueueDashboardComponent with summary cards, band/state filters, deterministic ordering (band priority then score descending), and review links. | Agent |
| 2026-01-15 | FE-UNK-008: Created grey-queue-dashboard.component.spec.ts with tests for grey queue filtering, deterministic ordering (band priority then score descending), band priority helper, grey queue state detection, color helpers, and conflict detection. Created determinization-review.component.spec.ts with tests for triggers sorting (most recent first), band display, observation state, conflict handling, and proof export structure. Both test suites verify deterministic ordering stability across renders. | Agent |
## Decisions & Risks
- Decide whether to unify scanner unknowns and policy unknowns views or keep separate entry points.
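Review bot: FE-UNK-005 is marked DONE, but the 2026-01-15 entry that covers it describes only the extended models and client and the new GreyQueuePanelComponent, not the "migrate the queue view to the policy endpoints" part of the task definition; either note where the existing queue view was switched over or keep the row TODO. Since FE-UNK-005/006 are delegated to SPRINT_20260112_009_FE_unknowns_queue_ui, the docs task there and FE-UNK-009 here overlap; point one at the other so grey queue behaviour is documented once.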
@@ -22,7 +22,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REMPR-FE-001 | TODO | SPRINT_20260112_007_BE_remediation_pr_generator.md | UI Guild | Extend Advisory AI API client and models with PR creation request/response fields (PR URL, branch, status, evidence card id). |
| 1 | REMPR-FE-001 | DONE | SPRINT_20260112_007_BE_remediation_pr_generator.md | UI Guild | Extend Advisory AI API client and models with PR creation request/response fields (PR URL, branch, status, evidence card id). |
| 2 | REMPR-FE-002 | TODO | REMPR-FE-001 | UI Guild | Add "Open PR" action to AI Remediate panel with progress, success, and error states plus link/copy affordances. |
| 3 | REMPR-FE-003 | TODO | REMPR-FE-001 | UI Guild | Add SCM connection selector and gating message with link to Integrations Hub when no SCM connection is available. |
| 4 | REMPR-FE-004 | TODO | REMPR-FE-003 | UI Guild | Add settings toggles for remediation PR enablement and evidence-card attachment or PR comment behavior. |
@@ -32,6 +32,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | REMPR-FE-001: Extended advisory-ai.models.ts with RemediationPrInfo (prId, prNumber, prUrl, branch, status, ciStatus, evidenceCardId). Added prCreationAvailable, activePr, evidenceCardId to AiRemediateResponse. Added RemediationPrCreateRequest, RemediationPrCreateResponse, RemediationPrErrorCode types. Added ScmConnectionInfo with ScmCapabilities. Added RemediationPrSettings interface. Extended AdvisoryAiApi interface with createRemediationPr, getScmConnections, getRemediationPrSettings methods. Implemented in AdvisoryAiApiHttpClient and MockAdvisoryAiClient. | Agent |
## Decisions & Risks
- Decide where PR status should surface outside the panel (triage row, evidence panel, or findings detail).
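Review bot: the REMPR-FE-001 entry adds RemediationPrErrorCode and ScmConnectionInfo with ScmCapabilities but says nothing about what MockAdvisoryAiClient returns for the error and no-SCM-connection paths that REMPR-FE-002 (error states) and REMPR-FE-003 (gating message) will build on; list the mock's error codes and the empty-connections case so those tasks can be tested against it.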
@@ -21,17 +21,20 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-CONFIG-001 | TODO | Config schema | Policy Guild - Team | Extend `DeterminizationOptions` with reanalysis triggers, conflict policy, and default values (EPSS delta >= 0.2, threshold crossing, Rekor/OpenVEX/telemetry/patch-proof/DSSE changes; tool-version trigger disabled by default). |
| 2 | POLICY-CONFIG-002 | TODO | Storage + audit | Policy Guild - Team | Add per-tenant determinization config persistence with audit trail and validation for environment thresholds. |
| 3 | POLICY-CONFIG-003 | TODO | Policy wiring | Policy Guild - Team | Replace hard-coded `DefaultEnvironmentThresholds` with effective config values in determinization evaluation. |
| 4 | POLICY-CONFIG-004 | TODO | API exposure | Policy Guild - Team | Add read endpoint for effective config and policy-admin write endpoint for updates. |
| 5 | POLICY-CONFIG-005 | TODO | Tests | Policy Guild - Team | Add tests for binding, validation, deterministic evaluation, and audit logging. |
| 1 | POLICY-CONFIG-001 | DONE | Config schema | Policy Guild - Team | Extend `DeterminizationOptions` with reanalysis triggers, conflict policy, and default values (EPSS delta >= 0.2, threshold crossing, Rekor/OpenVEX/telemetry/patch-proof/DSSE changes; tool-version trigger disabled by default). |
| 2 | POLICY-CONFIG-002 | DONE | Storage + audit | Policy Guild - Team | Add per-tenant determinization config persistence with audit trail and validation for environment thresholds. |
| 3 | POLICY-CONFIG-003 | DONE | Policy wiring | Policy Guild - Team | Replace hard-coded `DefaultEnvironmentThresholds` with effective config values in determinization evaluation. |
| 4 | POLICY-CONFIG-004 | DONE | API exposure | Policy Guild - Team | Add read endpoint for effective config and policy-admin write endpoint for updates. |
| 5 | POLICY-CONFIG-005 | DONE | Tests | Policy Guild - Team | Add tests for binding, validation, deterministic evaluation, and audit logging. |
| 6 | POLICY-CONFIG-006 | TODO | Docs update | Policy Guild - Team | Update determinization and unknowns docs with configuration schema and defaults. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | POLICY-CONFIG-001: Extended DeterminizationOptions with ReanalysisTriggerConfig (EpssDeltaThreshold=0.2, TriggerOnThresholdCrossing/RekorEntry/VexStatusChange/RuntimeTelemetryChange/PatchProofAdded/DsseValidationChange=true, TriggerOnToolVersionChange=false), ConflictHandlingPolicy (VexReachability/StaticRuntime/BackportStatus -> RequireManualReview, VexStatus -> RequestVendorClarification, EscalationSeverityThreshold=0.85, ConflictTtlHours=48), EnvironmentThresholds (Development/Staging/Production with Relaxed/Standard/Strict presets), and ConflictAction enum. | Agent |
| 2026-01-15 | POLICY-CONFIG-005: Created DeterminizationOptionsTests with tests for default values, environment threshold presets (Relaxed/Standard/Strict), GetForEnvironment mapping (dev/stage/qa/prod variants), configuration binding from IConfiguration, ConflictAction enum completeness, and deterministic preset values. | Agent |
| 2026-01-15 | POLICY-CONFIG-002: Created IDeterminizationConfigStore interface with GetEffectiveConfigAsync, SaveConfigAsync, GetAuditHistoryAsync. Added EffectiveDeterminizationConfig, ConfigAuditInfo, ConfigAuditEntry records. Created InMemoryDeterminizationConfigStore implementation with thread-safe operations and audit trail. POLICY-CONFIG-003: Effective config store provides tenant-specific config with fallback to defaults. POLICY-CONFIG-004: Created DeterminizationConfigEndpoints with GET /api/v1/policy/config/determinization (effective), GET /defaults, GET /audit (history), PUT (update with audit), POST /validate (dry-run validation). Added validation for trigger thresholds, conflict policy, and environment thresholds. | Agent |
## Decisions & Risks
- Defaults: EPSS delta >= 0.2, trigger on threshold crossings, Rekor entry new, OpenVEX status change, runtime telemetry exploit/reachability change, binary patch proof added, DSSE validation state change; tool-version trigger available but disabled by default.
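Review bot: POLICY-CONFIG-002 is marked DONE on the strength of InMemoryDeterminizationConfigStore, but the task definition asks for per-tenant persistence with an audit trail; an in-memory store loses both the config and the audit history on restart, so either land a durable store before closing the row or record the gap under Decisions & Risks. For POLICY-CONFIG-004 the log lists PUT (update with audit) and POST /validate but not the authorization applied; confirm the PUT is gated on the policy-admin scope the task definition requires and that ConfigAuditEntry records the acting principal and tenant, otherwise the audit trail cannot answer who changed a threshold.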
@@ -20,16 +20,17 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-CONFIG-001 | TODO | Policy config API | Web Guild - Team | Add API client/models for determinization config (effective config read + admin update). |
| 2 | FE-CONFIG-002 | TODO | UI section | Web Guild - Team | Add a Configuration Pane section for determinization thresholds and reanalysis triggers, with read-only view for non-admins. |
| 3 | FE-CONFIG-003 | TODO | Validation feedback | Web Guild - Team | Surface server-side validation errors and show effective vs overridden values per environment. |
| 4 | FE-CONFIG-004 | TODO | Tests | Web Guild - Team | Add component and service tests for config load/save and deterministic rendering. |
| 1 | FE-CONFIG-001 | DONE | Policy config API | Web Guild - Team | Add API client/models for determinization config (effective config read + admin update). |
| 2 | FE-CONFIG-002 | DONE | UI section | Web Guild - Team | Add a Configuration Pane section for determinization thresholds and reanalysis triggers, with read-only view for non-admins. |
| 3 | FE-CONFIG-003 | DONE | Validation feedback | Web Guild - Team | Surface server-side validation errors and show effective vs overridden values per environment. |
| 4 | FE-CONFIG-004 | DONE | Tests | Web Guild - Team | Add component and service tests for config load/save and deterministic rendering. |
| 5 | FE-CONFIG-005 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with configuration workflow and screenshots. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-CONFIG-001: Created determinization-config.client.ts with ReanalysisTriggerConfig, ConflictHandlingPolicy, EnvironmentThreshold, EnvironmentThresholds, DeterminizationConfig, EffectiveConfigResponse, UpdateConfigRequest, ValidationResponse, AuditEntry, AuditHistoryResponse models. Added DeterminizationConfigClient with getEffectiveConfig, getDefaultConfig, updateConfig, validateConfig, getAuditHistory methods. Added CONFLICT_ACTION_LABELS, ENVIRONMENT_LABELS, DEFAULT_TRIGGER_CONFIG constants. FE-CONFIG-002, FE-CONFIG-003: Created DeterminizationConfigPaneComponent with reanalysis triggers section (EPSS delta threshold, toggle triggers), conflict handling policy section (conflict actions per type, escalation threshold, TTL), environment thresholds table (development/staging/production), edit mode with deep clone, validation error/warning display, save with reason requirement, metadata display (last updated, version). FE-CONFIG-004: Created determinization-config-pane.component.spec.ts with tests for config display, edit mode toggling, deep clone on edit, admin-only edit button, conflict action labels, environment labels, validation state, deterministic rendering order, and metadata display. | Agent |
## Decisions & Risks
- UI write access must align with policy admin scope; read access follows policy viewer.
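Review bot: the FE-CONFIG-004 tests cover an "admin-only edit button", which is a UI affordance rather than an access control; the Decisions & Risks bullet on aligning write access with the policy admin scope should say that the server-side authorization on the update endpoint is the actual control and the hidden button only reduces confusion, and the spec should include the non-admin read-only rendering case explicitly. The "save with reason requirement" is useful for the audit trail; note whether the reason travels in UpdateConfigRequest so the server can store it in AuditEntry.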
@@ -26,7 +26,7 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FE-WIT-001 | TODO | Scanner witness endpoints | Guild - UI | Replace `WitnessMockClient` usage with real `WitnessHttpClient` wiring; align base paths and query parameters with Scanner endpoints; add error handling and unit tests. |
| 2 | FE-WIT-002 | TODO | PW-DOC-001 | Guild - UI | Extend `witness.models.ts` and view models to include `node_hashes`, `path_hash`, evidence URIs, and runtime evidence metadata; keep deterministic ordering in rendering and tests. |
| 2 | FE-WIT-002 | DONE | PW-DOC-001 | Guild - UI | Extend `witness.models.ts` and view models to include `node_hashes`, `path_hash`, evidence URIs, and runtime evidence metadata; keep deterministic ordering in rendering and tests. |
| 3 | FE-WIT-003 | TODO | FE-WIT-001, FE-WIT-002 | Guild - UI | Update witness modal and vulnerability explorer views to render node hash and path hash details, evidence links, and runtime join status; update component tests. |
| 4 | FE-WIT-004 | TODO | Scanner verify endpoint | Guild - UI | Wire verify action to `/witnesses/{id}/verify`, display DSSE signature status and error details, and add unit tests. |
| 5 | FE-WIT-005 | TODO | Backend download/export endpoints | Guild - UI | Add UI actions for witness JSON download and SARIF export; show disabled states until endpoints exist; add tests and help text. |
@@ -35,6 +35,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-15 | FE-WIT-002: Extended witness.models.ts with path witness fields: nodeHashes (array of algorithm-prefixed hashes), pathHash (blake3/sha256 prefixed), runtimeEvidence (RuntimeEvidenceMetadata with available, source, lastObservedAt, invocationCount, confirmsStatic, traceUri). Extended WitnessEvidence with evidence URIs: dsseUri, rekorUri, sbomUri, callGraphUri, attestationUri for linking to external artifacts. All fields are optional for backward compatibility. | Agent |
## Decisions & Risks
- `docs/modules/ui/implementation_plan.md` is listed as required reading but is missing; restore or update the prerequisites before work starts.
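Review bot: FE-WIT-002's definition requires deterministic ordering in rendering and tests, but the log entry only describes the new optional fields (nodeHashes, pathHash, runtimeEvidence, evidence URIs); state the ordering rule for nodeHashes and whether the model tests were updated, since the row is now DONE. Making every field optional is fine for backward compatibility, but pair it with a rule for absent values so the modal work in FE-WIT-003 does not render empty hash or evidence sections.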
@@ -20,11 +20,11 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-CONFIG-010 | TODO | Config catalog | Build a config catalog from SectionName constants and setup prefixes; define canonical CLI paths and aliases (case-insensitive, `:` and `.` interchangeable). |
| 2 | CLI-CONFIG-011 | TODO | Command surface | Add `stella config list` and `stella config <path> show` (example: `stella config policy.determinization show`). |
| 3 | CLI-CONFIG-012 | TODO | Data sources | Implement config readers for effective config (policy endpoint where available; local config file fallback). |
| 4 | CLI-CONFIG-013 | TODO | Output and redaction | Deterministic table/json output with stable ordering and redaction of secret keys. |
| 5 | CLI-CONFIG-014 | TODO | Tests | Add CLI tests for list/show behavior, alias matching, and deterministic output. |
| 1 | CLI-CONFIG-010 | DONE | Config catalog | Build a config catalog from SectionName constants and setup prefixes; define canonical CLI paths and aliases (case-insensitive, `:` and `.` interchangeable). |
| 2 | CLI-CONFIG-011 | DONE | Command surface | Add `stella config list` and `stella config <path> show` (example: `stella config policy.determinization show`). |
| 3 | CLI-CONFIG-012 | DONE | Data sources | Implement config readers for effective config (policy endpoint where available; local config file fallback). |
| 4 | CLI-CONFIG-013 | DONE | Output and redaction | Deterministic table/json output with stable ordering and redaction of secret keys. |
| 5 | CLI-CONFIG-014 | DONE | Tests | Add CLI tests for list/show behavior, alias matching, and deterministic output. |
| 6 | CLI-CONFIG-015 | TODO | Docs update | Update CLI reference docs with config list/show usage and examples. |
## Config Inventory (SectionName keys by module)
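Review bot: the Delivery Tracker header in this hunk has six columns (including Owners) but every task row has only five cells, so the Owners value is missing and the table will render misaligned; add the owner to rows 1 to 6 (the other CLI sprints in this commit use "CLI Guild - Team").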
@@ -77,6 +77,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; expanded to cover all config sections and CLI path aliases. | Planning |
| 2026-01-15 | CLI-CONFIG-010/011/012/013: Created ConfigCatalog with 90+ entries covering Policy, Scanner, Notifier, Concelier, Attestor, BinaryIndex, Signals, Signer, AdvisoryAI, AirGap, Excititor, ExportCenter, Orchestrator, Scheduler, VexLens, Zastava, Platform, Authority, and Setup modules. Created ConfigCommandGroup with list/show commands. Created CommandHandlers.Config with deterministic table/json/yaml output, secret redaction, and category filtering. | Agent |
## Decisions & Risks
- Canonical path normalization: lower-case, `:` and `.` treated as separators, module prefix added when SectionName has no prefix (example: `policy.determinization`).
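Review bot: CLI-CONFIG-014 is flipped to DONE in the tracker, but the 2026-01-15 log entry covers only 010/011/012/013; add a log line naming the test file and what it exercises (list/show, alias matching, deterministic output). For the secret redaction under CLI-CONFIG-013 the entry should also state which key patterns count as secrets and confirm that redaction is applied to the json and yaml outputs as well as the table, since with 90+ catalog entries a name-based match is easy to get wrong and the non-table formats are the ones most likely to be pasted into tickets.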
@@ -25,16 +25,18 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-WIT-001 | TODO | Scanner endpoints | Guild - CLI | Implement witness API calls in `IBackendOperationsClient` and `BackendOperationsClient` for list/get/verify; add unit tests. |
| 2 | CLI-WIT-002 | TODO | CLI-WIT-001 | Guild - CLI | Replace placeholders in `CommandHandlers.Witness.cs` with real API calls; enforce ASCII-only output and deterministic ordering; update CLI tests. |
| 3 | CLI-WIT-003 | TODO | Backend export endpoints | Guild - CLI | Implement `witness export` to download JSON/SARIF when endpoints are available; add safe fallback messaging and tests. |
| 4 | CLI-WIT-004 | TODO | CLI-WIT-001 | Guild - CLI | Implement `witness verify` to call `/witnesses/{id}/verify` and report DSSE status; add tests for error paths and offline mode behavior. |
| 1 | CLI-WIT-001 | DONE | Scanner endpoints | Guild - CLI | Implement witness API calls in `IBackendOperationsClient` and `BackendOperationsClient` for list/get/verify; add unit tests. |
| 2 | CLI-WIT-002 | DONE | CLI-WIT-001 | Guild - CLI | Replace placeholders in `CommandHandlers.Witness.cs` with real API calls; enforce ASCII-only output and deterministic ordering; update CLI tests. |
| 3 | CLI-WIT-003 | DONE | Backend export endpoints | Guild - CLI | Implement `witness export` to download JSON/SARIF when endpoints are available; add safe fallback messaging and tests. |
| 4 | CLI-WIT-004 | DONE | CLI-WIT-001 | Guild - CLI | Implement `witness verify` to call `/witnesses/{id}/verify` and report DSSE status; add tests for error paths and offline mode behavior. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | Added `docs/modules/cli/implementation_plan.md` to satisfy CLI charter prerequisites. | Planning |
| 2026-01-15 | CLI-WIT-001: Created WitnessModels.cs with WitnessListRequest/Response, WitnessSummary, WitnessDetailResponse (with path_hash, node_hashes, evidence_uris, predicate_type), WitnessVerifyResponse, WitnessExportFormat enum. Extended IBackendOperationsClient with ListWitnessesAsync, GetWitnessAsync, VerifyWitnessAsync, DownloadWitnessAsync. Implemented all methods in BackendOperationsClient. | Agent |
| 2026-01-15 | CLI-WIT-002/003/004: Replaced placeholder handlers in CommandHandlers.Witness.cs with real API calls. HandleWitnessShowAsync now calls GetWitnessAsync; HandleWitnessListAsync calls ListWitnessesAsync with deterministic ordering (sorted by CVE then WitnessId); HandleWitnessVerifyAsync calls VerifyWitnessAsync with ASCII-only output ([OK]/[FAIL]); HandleWitnessExportAsync calls DownloadWitnessAsync with format selection. Added ConvertToWitnessDto, ExtractPackageName, ExtractPackageVersion helpers. | Agent |
## Decisions & Risks
- Export/download depends on backend endpoints that do not yet exist; coordinate with Scanner owners or defer CLI-WIT-003.
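Review bot: CLI-WIT-003 is marked DONE while the Decisions & Risks bullet still says the backend export/download endpoints do not yet exist, and the task definition requires "safe fallback messaging" that the CLI-WIT-002/003/004 log entry never mentions; either describe what HandleWitnessExportAsync reports when DownloadWitnessAsync finds no endpoint (and the test for that path), or keep the row TODO and leave the risk open. The same entry should confirm that the [OK]/[FAIL] verify output also carries the error detail from WitnessVerifyResponse on failure, since the task asks for tests of error paths and offline mode.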
@@ -23,7 +23,7 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SIGNER-PW-001 | DONE | Predicate type locked | Guild - Signer | Add predicate constants for canonical and alias URIs in `PredicateTypes.cs`; update `GetAllowedPredicateTypes`, `IsReachabilityRelatedType`, and `IsAllowedPredicateType`. |
| 2 | SIGNER-PW-002 | TODO | SIGNER-PW-001 | Guild - Signer | Add or update Signer tests to validate allowed predicate lists and reachability classification for the new predicate types. |
| 2 | SIGNER-PW-002 | DONE | SIGNER-PW-001 | Guild - Signer | Add or update Signer tests to validate allowed predicate lists and reachability classification for the new predicate types. |
| 3 | SIGNER-PW-003 | DONE | SIGNER-PW-001 | Guild - Signer | Update `PredicateTypes.IsStellaOpsType` and `SignerStatementBuilder.GetRecommendedStatementType` to recognize `https://stella.ops/` and `https://stella-ops.org/` URIs as StellaOps types; add Keyless signer tests for Statement v1 selection. |
## Execution Log
|
||||
@@ -34,6 +34,7 @@
| 2026-01-14 | Added task to ensure Statement type selection treats `https://stella.ops/` predicate URIs as StellaOps types. | Planning |
| 2026-01-14 | SIGNER-PW-001: Added PathWitnessCanonical, PathWitnessAlias1, PathWitnessAlias2 constants. Added IsPathWitnessType() helper. Updated IsReachabilityRelatedType() and GetAllowedPredicateTypes() to include all path witness types. | Agent |
| 2026-01-14 | SIGNER-PW-003: Updated IsStellaOpsType to recognize https://stella.ops/ and https://stella-ops.org/ URI prefixes as StellaOps types. | Agent |
| 2026-01-15 | SIGNER-PW-002: Created PredicateTypesTests.cs with comprehensive tests for IsPathWitnessType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType, IsStellaOpsType, constant values, backward compatibility (Alias1 = StellaOpsPathWitness), no duplicates, and deterministic ordering. | Agent |

## Decisions & Risks
- Predicate allowlist changes can affect downstream verification policies; coordinate with Attestor and Policy owners.

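Review bot: with the SIGNER-PW-002 entry every tracker task in this file is DONE, but the Decisions & Risks bullet about coordinating the allowlist change with Attestor and Policy owners has no matching log entry, so the sprint reads as closed while the downstream verification policies may still reject the new predicate types. Add a log line recording that the Attestor and Policy allowlists were updated (or where that work is tracked). The 2026-01-15 entry also lists tests for the PredicateTypes helpers only; SIGNER-PW-003 in the previous hunk asks for Keyless signer tests of `SignerStatementBuilder.GetRecommendedStatementType`, so either name that test file here or leave SIGNER-PW-003's test part open.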
@@ -0,0 +1,69 @@
# Sprint 20260112-016-CLI-attest-verify-offline - Offline Attestation Verification CLI

## Topic & Scope
- Implement `stella attest verify --offline` CLI command for air-gapped attestation verification.
- Current state evidence: `RekorOfflineReceiptVerifier` exists in AirGap module but no CLI exposure (`src/AirGap/StellaOps.AirGap.Importer/Validation/RekorOfflineReceiptVerifier.cs`).
- Evidence to produce: CLI command implementation, bundled verification script generation, and golden test fixtures.
- **Working directory:** `src/Cli`.
- **Compliance item:** Item 1 - Attestation caching (offline).

## Dependencies & Concurrency
- Depends on existing `RekorOfflineReceiptVerifier` and `OfflineVerifier` services.
- Parallel safe with other CLI sprints; no shared DB migrations.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/airgap/guides/portable-evidence-bundle-verification.md`
- `docs/modules/cli/guides/commands/attest.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ATTEST-CLI-001 | TODO | None | CLI Guild | Add `AttestCommandGroup.cs` with `verify` subcommand skeleton. |
| 2 | ATTEST-CLI-002 | TODO | ATTEST-CLI-001 | CLI Guild | Implement `--offline` flag with bundle path input, checkpoint path, and trust root options. |
| 3 | ATTEST-CLI-003 | TODO | ATTEST-CLI-002 | CLI Guild | Wire `RekorOfflineReceiptVerifier` for Merkle proof validation without network. |
| 4 | ATTEST-CLI-004 | TODO | ATTEST-CLI-002 | CLI Guild | Wire `OfflineVerifier` for DSSE envelope and org signature validation. |
| 5 | ATTEST-CLI-005 | TODO | ATTEST-CLI-003 | CLI Guild | Add JSON/text output formatters for verification results (pass/fail + details). |
| 6 | ATTEST-CLI-006 | TODO | ATTEST-CLI-004 | CLI Guild | Generate `VERIFY.md` script in exported bundles with sha256 + signature chain report. |
| 7 | ATTEST-CLI-007 | TODO | ATTEST-CLI-005 | Testing Guild | Create golden test fixtures for cross-platform bundle verification. |
| 8 | ATTEST-CLI-008 | TODO | ATTEST-CLI-007 | Testing Guild | Add determinism tests verifying identical results across Windows/Linux/macOS. |
| 9 | ATTEST-CLI-009 | TODO | ATTEST-CLI-006 | Docs Guild | Update `docs/modules/cli/guides/commands/attest.md` with verify subcommand documentation. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: offline attestation verification CLI. | Planning |

## Decisions & Risks
- Decide on trust root bundling format (PEM directory vs single bundle file).
- Checkpoint signature verification requires bundled public keys; document sourcing procedure.
- Cross-platform hash determinism must be validated (UTF-8 BOM handling, line endings).

## Acceptance Criteria
```bash
# Demo: Verify attestation bundle offline (Wi-Fi off)
stella attest verify --offline \
--bundle evidence.tar.gz \
--checkpoint checkpoint.sig \
--trust-root /path/to/roots/

# Expected output:
# Attestation Verification Report
# ================================
# Bundle: evidence.tar.gz
# Status: VERIFIED
#
# Checks:
# [PASS] DSSE envelope signature valid
# [PASS] Merkle inclusion proof verified (log index: 12345)
# [PASS] Checkpoint signature valid (origin: rekor.sigstore.dev)
# [PASS] Content hash matches manifest
#
# Artifact: sha256:abc123...
# Signed by: identity@example.com
# Timestamp: 2026-01-14T10:30:00Z
```

## Next Checkpoints
- TBD (set once staffed).
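Review bot: the acceptance criteria show only the VERIFIED path; for a verification command the failing path is the one operators will script against, so add a second demo with a tampered bundle (or a checkpoint signed by a key that is not under --trust-root) that prints a [FAIL] line and exits non-zero, and have ATTEST-CLI-005 define the exit codes alongside the JSON/text formatters. Also, "[PASS] Checkpoint signature valid (origin: rekor.sigstore.dev)" implies the verifier binds the checkpoint's origin line to the bundled public key; the second Decisions & Risks bullet should say that keys are looked up by origin so a checkpoint from a different log cannot be accepted with the wrong key. ATTEST-CLI-006 (VERIFY.md in exported bundles) duplicates SBOM-SPEC-009 in the archive spec sprint; give the script one owner so the two do not drift.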
73
docs/implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md
Normal file
@@ -0,0 +1,73 @@
# Sprint 20260112-016-CLI-sbom-verify-offline - Offline SBOM Verification CLI

## Topic & Scope
- Implement `stella sbom verify` CLI command for offline signed SBOM archive verification.
- Current state evidence: SBOM export exists (`SbomExportService.cs`) but no verification CLI; signing exists in Signer module.
- Evidence to produce: CLI command, offline verification workflow, and integration with signed SBOM archive format.
- **Working directory:** `src/Cli`.
- **Compliance item:** Item 3 - Signed SBOM archives (immutable).

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec` for archive format.
- Parallel safe with attestation verify sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/sbom-service/architecture.md`
- `docs/modules/signer/architecture.md`
- `docs/modules/cli/guides/commands/sbom.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SBOM-CLI-001 | TODO | None | CLI Guild | Add `SbomCommandGroup.cs` with `verify` subcommand skeleton. |
| 2 | SBOM-CLI-002 | TODO | SBOM-CLI-001 | CLI Guild | Implement `--offline` flag with archive path, trust root, and output format options. |
| 3 | SBOM-CLI-003 | TODO | SBOM-CLI-002 | CLI Guild | Implement archive extraction and manifest hash validation. |
| 4 | SBOM-CLI-004 | TODO | SBOM-CLI-003 | CLI Guild | Wire DSSE envelope verification for SBOM payload signature. |
| 5 | SBOM-CLI-005 | TODO | SBOM-CLI-004 | CLI Guild | Validate SBOM schema (SPDX/CycloneDX) against bundled JSON schemas. |
| 6 | SBOM-CLI-006 | TODO | SBOM-CLI-005 | CLI Guild | Verify tool version metadata matches expected format. |
| 7 | SBOM-CLI-007 | TODO | SBOM-CLI-006 | CLI Guild | Add JSON/HTML verification report output with pass/fail status. |
| 8 | SBOM-CLI-008 | TODO | SBOM-CLI-007 | Testing Guild | Create unit tests for archive parsing, hash validation, and signature verification. |
| 9 | SBOM-CLI-009 | TODO | SBOM-CLI-008 | Testing Guild | Create integration tests with sample signed SBOM archives. |
| 10 | SBOM-CLI-010 | TODO | SBOM-CLI-009 | Docs Guild | Update `docs/modules/cli/guides/commands/sbom.md` with verify documentation. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: offline SBOM verification CLI. | Planning |

## Decisions & Risks
- Archive format must align with `SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec`.
- Need to bundle JSON schemas for SPDX 2.3/3.0.1 and CycloneDX 1.4-1.7 for offline validation.
- Consider Fulcio root bundling for keyless signature verification in offline mode.

## Acceptance Criteria
```bash
# Demo: Verify signed SBOM archive offline
stella sbom verify \
--archive signed-sbom-sha256-abc123-20260115.tar.gz \
--offline \
--trust-root /path/to/roots/

# Expected output:
# SBOM Verification Report
# ========================
# Archive: signed-sbom-sha256-abc123-20260115.tar.gz
# Status: VERIFIED
#
# Checks:
# [PASS] Archive integrity (all hashes match manifest)
# [PASS] DSSE envelope signature valid
# [PASS] SBOM schema valid (SPDX 2.3)
# [PASS] Tool version present (StellaOps Scanner v2027.Q1)
# [PASS] Timestamp within validity window
#
# SBOM Details:
# Format: SPDX 2.3
# Components: 142
# Artifact: sha256:abc123...
# Generated: 2026-01-14T10:30:00Z
```

## Next Checkpoints
- TBD (set once staffed).
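Review bot: the expected output prints "[PASS] Timestamp within validity window" but no tracker task defines that window or where the trusted time comes from. For the keyless case named in Decisions & Risks this is not cosmetic: Fulcio certificates are short-lived, so an offline verifier can only accept the DSSE signature if it has a trusted statement of when signing happened (a bundled Rekor inclusion proof with its checkpoint, or an RFC 3161 timestamp) and checks the certificate's validity period against that time rather than the local clock. Add a task between SBOM-CLI-004 and SBOM-CLI-005 for that check, and make SBOM-CLI-002's --trust-root the only source of roots (anything shipped inside the archive under verification cannot anchor trust in it). Separately, the schema bullet asks for SPDX 2.3/3.0.1 and CycloneDX 1.4-1.7, while the archive spec sprint bundles only spdx-2.3 and cyclonedx-1.7 schemas; reconcile the two lists before SBOM-CLI-005.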
@@ -0,0 +1,53 @@
# Sprint 20260112-016-DOCS-blue-green-deployment - Blue/Green Deployment Documentation

## Topic & Scope
- Create comprehensive blue/green deployment documentation for platform-level upgrades with evidence continuity.
- Current state evidence: Multi-tenant policy rollout exists (`docs/flows/14-multi-tenant-policy-rollout-flow.md`) but no platform-level deployment guide.
- Evidence to produce: Deployment guide, upgrade runbook, and evidence continuity procedures.
- **Working directory:** `docs/operations`.
- **Compliance item:** Item 7 - Upgrade & evidence-migration paths.

## Dependencies & Concurrency
- Depends on understanding of existing backup/restore procedures (`docs/modules/authority/operations/backup-restore.md`).
- Parallel safe with all other sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/db/MIGRATION_STRATEGY.md`
- `docs/releases/VERSIONING.md`
- `docs/flows/13-evidence-bundle-export-flow.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | BG-DOC-001 | TODO | None | Docs Guild | Create `docs/operations/blue-green-deployment.md` skeleton. |
| 2 | BG-DOC-002 | TODO | BG-DOC-001 | Docs Guild | Document blue/green environment setup (namespaces, DNS, load balancer). |
| 3 | BG-DOC-003 | TODO | BG-DOC-002 | Docs Guild | Document pre-deployment checklist (backup, evidence export, health checks). |
| 4 | BG-DOC-004 | TODO | BG-DOC-003 | Docs Guild | Document deployment sequence (deploy green, validate, switch traffic). |
| 5 | BG-DOC-005 | TODO | BG-DOC-004 | Docs Guild | Document health check timing and validation procedures. |
| 6 | BG-DOC-006 | TODO | BG-DOC-005 | Docs Guild | Document traffic switching procedure (gradual vs instant). |
| 7 | BG-DOC-007 | TODO | BG-DOC-006 | Docs Guild | Document rollback procedure with evidence preservation. |
| 8 | BG-DOC-008 | TODO | BG-DOC-007 | Docs Guild | Document evidence bundle continuity during cutover. |
| 9 | BG-DOC-009 | TODO | BG-DOC-008 | Docs Guild | Create `docs/operations/upgrade-runbook.md` with step-by-step procedures. |
| 10 | BG-DOC-010 | TODO | BG-DOC-009 | Docs Guild | Document evidence locker health checks and integrity validation. |
| 11 | BG-DOC-011 | TODO | BG-DOC-010 | Docs Guild | Document post-upgrade verification report generation. |
| 12 | BG-DOC-012 | TODO | BG-DOC-011 | DevOps Guild | Create Helm values examples for blue/green deployment. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: blue/green deployment documentation. | Planning |

## Decisions & Risks
- Blue/green requires double infrastructure; document cost implications.
- Database migrations must be backward-compatible (N-1 version) for safe rollback.
- Evidence bundles created during cutover may reference both environments.

## Acceptance Criteria
- Complete blue/green deployment guide with diagrams.
- Step-by-step upgrade runbook with evidence continuity focus.
- Rollback procedure that preserves all evidence integrity.
- Health check procedures specific to evidence services.

## Next Checkpoints
- TBD (set once staffed).
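Review bot: the Decisions & Risks bullet that database migrations must stay backward-compatible with the N-1 version is the precondition for the rollback procedure in BG-DOC-007, yet no tracker task documents the migration rules (which schema changes may run before cutover, which must wait until blue is retired, and how a migration is checked against `docs/db/MIGRATION_STRATEGY.md` from the prerequisites). Add a task for that, or extend BG-DOC-003's pre-deployment checklist with an explicit migration compatibility gate, and have BG-DOC-008 say how evidence bundles that "may reference both environments" are reconciled after a rollback so their integrity claim in the acceptance criteria is checkable.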
@@ -0,0 +1,90 @@
# Sprint 20260112-016-SCANNER-signed-sbom-archive-spec - Signed SBOM Archive Format Specification

## Topic & Scope
- Define and implement unified signed SBOM archive format combining SBOM, signatures, metadata, and verification materials.
- Current state evidence: Evidence bundles exist (`EvidenceBundleExporter.cs`) but no SBOM-specific signed archive format.
- Evidence to produce: Format specification, exporter implementation, and documentation.
- **Working directory:** `src/Scanner`.
- **Compliance item:** Item 3 - Signed SBOM archives (immutable).

## Dependencies & Concurrency
- Depends on existing `SbomExportService` and `SignerPipeline`.
- Blocks `SPRINT_20260112_016_CLI_sbom_verify_offline`.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/sbom-service/architecture.md`
- `docs/modules/signer/architecture.md`
- `docs/modules/attestor/bundle-format.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SBOM-SPEC-001 | TODO | None | Scanner Guild | Create `docs/modules/scanner/signed-sbom-archive-spec.md` with format specification. |
| 2 | SBOM-SPEC-002 | TODO | SBOM-SPEC-001 | Scanner Guild | Define archive structure: sbom.{spdx,cdx}.json, sbom.dsse.json, manifest.json, metadata.json, certs/, schemas/. |
| 3 | SBOM-SPEC-003 | TODO | SBOM-SPEC-002 | Scanner Guild | Implement `SignedSbomArchiveBuilder` service in Scanner module. |
| 4 | SBOM-SPEC-004 | TODO | SBOM-SPEC-003 | Scanner Guild | Capture tool versions in metadata.json (stellaOpsVersion, scannerVersion, signerVersion). |
| 5 | SBOM-SPEC-005 | TODO | SBOM-SPEC-004 | Scanner Guild | Capture source container digest (Scanner image digest) in metadata. |
| 6 | SBOM-SPEC-006 | TODO | SBOM-SPEC-005 | Scanner Guild | Add manifest.json with file inventory and SHA-256 hashes. |
| 7 | SBOM-SPEC-007 | TODO | SBOM-SPEC-006 | Signer Guild | Sign manifest as separate DSSE envelope OR include in SBOM predicate. |
| 8 | SBOM-SPEC-008 | TODO | SBOM-SPEC-007 | Scanner Guild | Bundle Fulcio root + Rekor public log for offline verification. |
| 9 | SBOM-SPEC-009 | TODO | SBOM-SPEC-008 | Scanner Guild | Generate VERIFY.md with one-click verification instructions. |
| 10 | SBOM-SPEC-010 | TODO | SBOM-SPEC-009 | Scanner Guild | Add API endpoint `GET /scans/{scanId}/exports/signed-sbom-archive`. |
| 11 | SBOM-SPEC-011 | TODO | SBOM-SPEC-010 | Testing Guild | Create unit tests for archive structure and content. |
| 12 | SBOM-SPEC-012 | TODO | SBOM-SPEC-011 | Docs Guild | Update OpenAPI spec with new export endpoint. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: signed SBOM archive specification. | Planning |

## Archive Format Specification

```
signed-sbom-{artifact_digest_short}-{timestamp}.tar.gz
|
+-- sbom.spdx.json # OR sbom.cdx.json (CycloneDX)
+-- sbom.dsse.json # DSSE envelope with signature
+-- manifest.json # File inventory with SHA-256 hashes
+-- metadata.json # Tool versions, timestamps, generation info
+-- certs/
| +-- signing-cert.pem # Certificate chain from signer
| +-- fulcio-root.pem # Fulcio root CA (for offline keyless verify)
+-- rekor-proof/ # Optional transparency log proof
| +-- inclusion-proof.json
| +-- checkpoint.sig
+-- schemas/ # Bundled JSON schemas for offline validation
| +-- spdx-2.3-schema.json
| +-- cyclonedx-1.7-schema.json
+-- VERIFY.md # One-click verification instructions
```

### metadata.json Schema
```json
{
"schemaVersion": "1.0.0",
"stellaOpsVersion": "2027.Q1",
"scannerVersion": "1.2.3",
"scannerDigest": "sha256:abc123...",
"signerVersion": "1.0.0",
"sbomServiceVersion": "1.1.0",
"generatedAt": "2026-01-15T12:34:56Z",
"generatedAtHlc": "...",
"input": {
"imageRef": "myregistry/app:1.0",
"imageDigest": "sha256:def456..."
},
"reproducibility": {
"deterministic": true,
"expectedDigest": "sha256:..."
}
}
```

## Decisions & Risks
- Choose between signing manifest separately vs including manifest hash in SBOM predicate.
- RFC 3161 TSA integration deferred to Phase 3 (medium-term).
- Decide compression format: tar.gz vs tar.zst (zstd preferred for smaller size).

## Next Checkpoints
- TBD (set once staffed).
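Review bot: certs/fulcio-root.pem is labelled as the root "for offline keyless verify", but a root shipped inside the archive cannot be the trust anchor for verifying that same archive; whoever can rewrite sbom.dsse.json can also rewrite certs/. The spec (SBOM-SPEC-001/008) should say that bundled roots are a convenience copy and that the verifier takes its anchor out of band (the `--trust-root` option in the CLI sprints) and at most compares the bundled file against it. The same reasoning applies to schemas/ and metadata.json: they are inputs to the verdict, so manifest.json must list them and the SBOM-SPEC-007 decision must bind the manifest to the signature either way, meaning the "include in SBOM predicate" option still has to put the manifest.json digest inside the signed predicate, otherwise an unsigned manifest adds no integrity. Finally, with RFC 3161 deferred, the only trusted time in the archive is the optional rekor-proof/ checkpoint; mark it required whenever the signing certificate is short-lived (the Fulcio case), since the offline verifier cannot otherwise decide whether the cert was valid at signing time.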
@@ -0,0 +1,89 @@
# Sprint 20260112-017-ATTESTOR-checkpoint-divergence-detection - Checkpoint Divergence Detection

## Topic & Scope
- Implement root hash divergence detection and mismatch alarms for Rekor checkpoints.
- Current state evidence: Checkpoint verification exists but no active monitoring for conflicting checkpoints.
- Evidence to produce: Divergence detector, monotonicity checks, and alerting integration.
- **Working directory:** `src/Attestor`.
- **Compliance item:** Item 5 - Local Rekor (transparency) mirrors.

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync` for checkpoint storage.
- Parallel safe with other Attestor sprints after checkpoint store is available.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/attestor/rekor-verification-design.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DIVERGE-001 | TODO | REKOR-SYNC-002 | Attestor Guild | Create `ICheckpointDivergenceDetector` interface. |
| 2 | DIVERGE-002 | TODO | DIVERGE-001 | Attestor Guild | Implement root hash comparison at same tree size. |
| 3 | DIVERGE-003 | TODO | DIVERGE-002 | Attestor Guild | Implement monotonicity check (tree size only increases). |
| 4 | DIVERGE-004 | TODO | DIVERGE-003 | Attestor Guild | Detect rollback attempts (tree size regression). |
| 5 | DIVERGE-005 | TODO | DIVERGE-004 | Attestor Guild | Implement cross-log consistency check (primary vs mirror). |
| 6 | DIVERGE-006 | TODO | DIVERGE-005 | Attestor Guild | Add metric: `attestor.rekor_checkpoint_mismatch_total{backend,origin}`. |
| 7 | DIVERGE-007 | TODO | DIVERGE-006 | Attestor Guild | Add metric: `attestor.rekor_checkpoint_rollback_detected_total`. |
| 8 | DIVERGE-008 | TODO | DIVERGE-007 | Notify Guild | Integrate with Notify service for alert dispatch. |
| 9 | DIVERGE-009 | TODO | DIVERGE-008 | Attestor Guild | Create `CheckpointDivergenceEvent` for audit trail. |
| 10 | DIVERGE-010 | TODO | DIVERGE-009 | Testing Guild | Create unit tests for divergence detection scenarios. |
| 11 | DIVERGE-011 | TODO | DIVERGE-010 | Testing Guild | Create integration tests simulating Byzantine scenarios. |
| 12 | DIVERGE-012 | TODO | DIVERGE-011 | Docs Guild | Document divergence detection and incident response procedures. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: checkpoint divergence detection. | Planning |

## Technical Specification

### Divergence Detection Rules
| Check | Condition | Severity | Action |
|-------|-----------|----------|--------|
| Root mismatch | Same tree_size, different root_hash | CRITICAL | Alert + quarantine |
| Monotonicity violation | New tree_size < stored tree_size | CRITICAL | Alert + reject |
| Cross-log divergence | Primary root != mirror root at same size | WARNING | Alert + investigate |
| Stale checkpoint | Checkpoint age > threshold | WARNING | Alert |

### Alert Payload
```json
{
"eventType": "rekor.checkpoint.divergence",
"severity": "critical",
"origin": "rekor.sigstore.dev",
"treeSize": 12345678,
"expectedRootHash": "sha256:abc123...",
"actualRootHash": "sha256:def456...",
"detectedAt": "2026-01-15T12:34:56Z",
"backend": "sigstore-prod",
"description": "Checkpoint root hash mismatch detected. Possible split-view attack."
}
```

### Metrics
```
# Counter: total checkpoint mismatches
attestor_rekor_checkpoint_mismatch_total{backend="sigstore-prod",origin="rekor.sigstore.dev"} 0

# Counter: rollback attempts detected
attestor_rekor_checkpoint_rollback_detected_total{backend="sigstore-prod"} 0

# Gauge: seconds since last valid checkpoint
attestor_rekor_checkpoint_age_seconds{backend="sigstore-prod"} 120
```

## Decisions & Risks
- Define response to detected divergence: quarantine all proofs or alert-only.
- Cross-log divergence may indicate network partition vs attack.
- False positive handling for transient network issues.

## Acceptance Criteria
- Alert triggered within 1 minute of divergence detection.
- Metrics visible in Grafana dashboard.
- Audit trail for all divergence events.
- Runbook for incident response to checkpoint divergence.

## Next Checkpoints
- TBD (set once staffed).
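Review bot: the detection rules only compare roots at the same tree_size, so a log that feeds this mirror a different, steadily growing tree (the split-view case the alert payload names) is never caught unless two checkpoints happen to share a size. Add a consistency rule: when a new checkpoint at size N arrives and the stored one is at size M < N, fetch the RFC 6962 consistency proof from M to N and require it to verify against both roots; a failed proof is CRITICAL, same action as Root mismatch, and should drive the mismatch counter. DIVERGE-003 and DIVERGE-004 describe the same tree_size-regression check and can be merged to make room for it. Two smaller points: the Cross-log row is rated WARNING, but a verified primary and a verified mirror disagreeing at the same size is as strong a split-view signal as the Root mismatch row, so the Decisions & Risks bullet on partition-versus-attack should say what evidence downgrades it; and the alert payload carries no identifier of the stored checkpoint, which DIVERGE-009's audit trail will need to reproduce the comparison.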
@@ -0,0 +1,101 @@
# Sprint 20260112-017-ATTESTOR-periodic-rekor-sync - Periodic Rekor Checkpoint Sync

## Topic & Scope
- Implement background service for periodic Rekor checkpoint and tile synchronization.
- Current state evidence: `HttpRekorTileClient` exists for on-demand fetching but no periodic sync service.
- Evidence to produce: Background sync service, local checkpoint storage, and tile caching.
- **Working directory:** `src/Attestor`.
- **Compliance item:** Item 5 - Local Rekor (transparency) mirrors.

## Dependencies & Concurrency
- Depends on existing `IRekorTileClient` implementation.
- Parallel safe with checkpoint divergence detection sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/attestor/rekor-verification-design.md`
- `docs/modules/attestor/transparency.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REKOR-SYNC-001 | TODO | None | Attestor Guild | Create `IRekorCheckpointStore` interface for local checkpoint persistence. |
| 2 | REKOR-SYNC-002 | TODO | REKOR-SYNC-001 | Attestor Guild | Implement `PostgresRekorCheckpointStore` for checkpoint storage. |
| 3 | REKOR-SYNC-003 | TODO | REKOR-SYNC-002 | Attestor Guild | Create `IRekorTileCache` interface for tile storage. |
| 4 | REKOR-SYNC-004 | TODO | REKOR-SYNC-003 | Attestor Guild | Implement `FileSystemRekorTileCache` for air-gapped tile storage. |
| 5 | REKOR-SYNC-005 | TODO | REKOR-SYNC-004 | Attestor Guild | Create `RekorSyncBackgroundService` as IHostedService. |
| 6 | REKOR-SYNC-006 | TODO | REKOR-SYNC-005 | Attestor Guild | Implement periodic checkpoint fetching (configurable interval, default 5 min). |
| 7 | REKOR-SYNC-007 | TODO | REKOR-SYNC-006 | Attestor Guild | Implement incremental tile sync (only new entries since last sync). |
| 8 | REKOR-SYNC-008 | TODO | REKOR-SYNC-007 | Attestor Guild | Add checkpoint signature verification during sync. |
| 9 | REKOR-SYNC-009 | TODO | REKOR-SYNC-008 | Attestor Guild | Add metrics: `attestor.rekor_sync_checkpoint_age_seconds`, `attestor.rekor_sync_tiles_cached`. |
| 10 | REKOR-SYNC-010 | TODO | REKOR-SYNC-009 | Testing Guild | Create unit tests for sync service and stores. |
| 11 | REKOR-SYNC-011 | TODO | REKOR-SYNC-010 | Testing Guild | Create integration tests with mock Rekor server. |
| 12 | REKOR-SYNC-012 | TODO | REKOR-SYNC-011 | Docs Guild | Document sync configuration options and operational procedures. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: periodic Rekor checkpoint sync. | Planning |

## Technical Specification

### Checkpoint Store Schema
```sql
CREATE TABLE attestor.rekor_checkpoints (
checkpoint_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
origin TEXT NOT NULL,
tree_size BIGINT NOT NULL,
root_hash BYTEA NOT NULL,
signature BYTEA NOT NULL,
fetched_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
verified BOOLEAN NOT NULL DEFAULT FALSE,

UNIQUE(origin, tree_size)
);

CREATE INDEX idx_rekor_checkpoints_origin_tree_size
ON attestor.rekor_checkpoints(origin, tree_size DESC);
```

### Tile Cache Structure
```
/var/lib/stellaops/rekor-cache/
+-- {origin}/
+-- checkpoints/
| +-- checkpoint-{tree_size}.sig
+-- tiles/
+-- level-0/
| +-- tile-{index}.bin
+-- level-1/
+-- tile-{index}.bin
```

### Configuration
```yaml
attestor:
rekor:
sync:
enabled: true
intervalMinutes: 5
maxCheckpointAgeDays: 30
tileCachePath: "/var/lib/stellaops/rekor-cache"
tileCacheSizeMb: 1024
backends:
- name: "sigstore-prod"
url: "https://rekor.sigstore.dev"
publicKeyPath: "/etc/stellaops/rekor-sigstore-prod.pub"
```

## Decisions & Risks
- Tile cache size management: LRU eviction vs time-based.
- Multiple Rekor backend support for redundancy.
- Network failure handling: exponential backoff with jitter.

## Acceptance Criteria
- Background service syncing checkpoints every 5 minutes.
- Offline verification using cached tiles (no network).
- Metrics dashboard showing cache health and sync lag.

## Next Checkpoints
- TBD (set once staffed).
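Review bot: UNIQUE(origin, tree_size) in the checkpoint store makes the database reject a second checkpoint with the same size and a different root_hash at INSERT time, which is exactly the conflicting checkpoint the divergence sprint (listed as a dependent of REKOR-SYNC-002) needs to observe and keep for its audit trail. Either key the table on (origin, tree_size, root_hash) and let the detector query for two rows at one size, or compare before insert and persist the rejected checkpoint in a quarantine table. Related: `verified` defaults to FALSE, so REKOR-SYNC-008 should check the checkpoint signature against the backend's `publicKeyPath` before the row is written, or the detector must filter on verified = TRUE; otherwise an unsigned or mis-signed checkpoint can raise a false mismatch or, worse, become the stored baseline that later good checkpoints are compared against. Lastly, the `{origin}` directory in the tile cache is taken from checkpoint content; sanitize it to a fixed character set before using it as a path component so a hostile origin line cannot steer writes outside tileCachePath.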
@@ -0,0 +1,82 @@
# Sprint 20260112-017-CRYPTO-pkcs11-hsm-implementation - PKCS#11 HSM Implementation

## Topic & Scope
- Complete PKCS#11 HSM integration using Net.Pkcs11Interop library.
- Current state evidence: `HsmPlugin` exists with stub implementation (`src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs`), `Pkcs11HsmClient` throws `NotImplementedException`.
- Evidence to produce: Working PKCS#11 client, HSM connectivity validation, and operational runbook.
- **Working directory:** `src/Cryptography`.
- **Compliance item:** Item 4 - HSM / key escrow patterns.

## Dependencies & Concurrency
- Depends on Net.Pkcs11Interop NuGet package addition.
- Parallel safe with Rekor sync sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/signer/architecture.md`
- `docs/operations/key-rotation-runbook.md`
- `docs/modules/authority/operations/key-rotation.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | HSM-001 | TODO | None | Crypto Guild | Add Net.Pkcs11Interop NuGet package to `src/Directory.Packages.props`. |
| 2 | HSM-002 | TODO | HSM-001 | Crypto Guild | Implement `Pkcs11HsmClient.SignAsync()` with PKCS#11 session management. |
| 3 | HSM-003 | TODO | HSM-002 | Crypto Guild | Implement `Pkcs11HsmClient.VerifyAsync()` for signature verification. |
| 4 | HSM-004 | TODO | HSM-003 | Crypto Guild | Add session pooling and reconnection logic for HSM connection stability. |
| 5 | HSM-005 | TODO | HSM-004 | Crypto Guild | Implement multi-slot failover support. |
| 6 | HSM-006 | TODO | HSM-005 | Crypto Guild | Add key attribute enforcement (CKA_PRIVATE, CKA_EXTRACTABLE policy). |
| 7 | HSM-007 | TODO | HSM-006 | Crypto Guild | Implement `GetMetadataAsync()` for key versioning info. |
| 8 | HSM-008 | TODO | HSM-007 | Testing Guild | Create SoftHSM2 test fixtures for integration testing. |
| 9 | HSM-009 | TODO | HSM-008 | Testing Guild | Add unit tests for session management, signing, and verification. |
| 10 | HSM-010 | TODO | HSM-009 | Doctor Guild | Update `HsmConnectivityCheck` to validate actual PKCS#11 operations. |
| 11 | HSM-011 | TODO | HSM-010 | Docs Guild | Create `docs/operations/hsm-setup-runbook.md` with configuration guide. |
| 12 | HSM-012 | TODO | HSM-011 | Docs Guild | Document SoftHSM2 test environment setup for development. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: PKCS#11 HSM implementation. | Planning |

## Technical Specification

### Supported Mechanisms
| Algorithm | PKCS#11 Mechanism | Status |
|-----------|------------------|--------|
| RSA-SHA256 | CKM_SHA256_RSA_PKCS | TODO |
| RSA-SHA384 | CKM_SHA384_RSA_PKCS | TODO |
| RSA-SHA512 | CKM_SHA512_RSA_PKCS | TODO |
| RSA-PSS | CKM_SHA256_RSA_PKCS_PSS | TODO |
| ECDSA-P256 | CKM_ECDSA_SHA256 | TODO |
| ECDSA-P384 | CKM_ECDSA_SHA384 | TODO |
| AES-GCM-128 | CKM_AES_GCM | TODO |
| AES-GCM-256 | CKM_AES_GCM | TODO |

### Configuration
```yaml
signing:
provider: "hsm"
hsm:
type: "pkcs11"
libraryPath: "/opt/hsm/libpkcs11.so"
slotId: 0
pin: "${HSM_PIN}"
tokenLabel: "StellaOps"
connectionTimeoutSeconds: 30
maxSessions: 10
sessionIdleTimeoutSeconds: 300
```

## Decisions & Risks
- SoftHSM2 for testing vs real HSM for production validation.
- PIN management via environment variable or secrets manager.
- Session exhaustion recovery strategy.

## Acceptance Criteria
- Working signing and verification with SoftHSM2.
- Key rotation demonstration with attestation continuity.
- Doctor check validating HSM connectivity.
- Runbook with step-by-step HSM configuration.

## Next Checkpoints
- TBD (set once staffed).
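Review bot: HSM-006 names CKA_PRIVATE and CKA_EXTRACTABLE, but the attribute that stops a private key from leaving the token in plaintext is CKA_SENSITIVE; CKA_EXTRACTABLE=false only forbids wrapping the key out. The enforcement should require CKA_SENSITIVE=true, CKA_EXTRACTABLE=false and CKA_SIGN=true, and read CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE to confirm the key never had a weaker setting earlier in its life; a key failing any of these should be refused by `Pkcs11HsmClient.SignAsync()`, not just logged. In the mechanisms table, CKM_SHA256_RSA_PKCS_PSS must be called with CK_RSA_PKCS_PSS_PARAMS (hash, MGF, salt length), so note the parameter set beside that row before HSM-002 is started. The two AES-GCM rows sit under a signing provider; if they exist for the key escrow half of the compliance item, say so, otherwise drop them so the Doctor check in HSM-010 does not probe mechanisms the signer never uses.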
109
docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md
Normal file
109
docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md
Normal file
@@ -0,0 +1,109 @@

# Sprint 20260112-017-POLICY-cvss-threshold-gate - CVSS Threshold Policy Gate

## Topic & Scope
- Implement dedicated `CvssThresholdGate` for static CVSS score enforcement.
- Current state evidence: EPSS quarantine rules exist (priority 20) but no explicit CVSS threshold gate class.
- Evidence to produce: Gate implementation, configuration, and documentation.
- **Working directory:** `src/Policy`.
- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class).

## Dependencies & Concurrency
- Depends on existing `IPolicyGate` interface.
- Parallel safe with SBOM presence gate sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/policy/determinization-api.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CVSS-GATE-001 | DONE | None | Policy Guild | Create `CvssThresholdGate` class implementing `IPolicyGate`. |
| 2 | CVSS-GATE-002 | DONE | CVSS-GATE-001 | Policy Guild | Support CVSS v3.1 base score threshold configuration. |
| 3 | CVSS-GATE-003 | DONE | CVSS-GATE-002 | Policy Guild | Support CVSS v4.0 base score threshold configuration. |
| 4 | CVSS-GATE-004 | DONE | CVSS-GATE-003 | Policy Guild | Add per-environment threshold overrides (prod: 7.0, staging: 8.0, dev: 9.0). |
| 5 | CVSS-GATE-005 | DONE | CVSS-GATE-004 | Policy Guild | Add CVE allowlist/denylist support for exceptions. |
| 6 | CVSS-GATE-006 | DONE | CVSS-GATE-005 | Policy Guild | Implement offline operation (no external lookups). |
| 7 | CVSS-GATE-007 | DONE | CVSS-GATE-006 | Policy Guild | Register gate in `PolicyGateRegistry` with configurable priority. |
| 8 | CVSS-GATE-008 | DONE | CVSS-GATE-007 | Testing Guild | Create unit tests for threshold enforcement. |
| 9 | CVSS-GATE-009 | DONE | CVSS-GATE-008 | Testing Guild | Create tests for environment-specific overrides. |
| 10 | CVSS-GATE-010 | TODO | CVSS-GATE-009 | Docs Guild | Update policy architecture docs with CVSS gate. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: CVSS threshold policy gate. | Planning |
| 2026-01-15 | CVSS-GATE-001 to 007: Created CvssThresholdGate implementing IPolicyGate with full feature set. Options: Enabled, Priority, DefaultThreshold, per-environment Thresholds (prod/staging/dev), CvssVersionPreference (v3.1/v4.0/highest), Allowlist, Denylist, FailOnMissingCvss, RequireAllVersionsPass. Gate evaluates CVSS v3.1 and v4.0 scores, supports offline operation via injectable lookup or context metadata. Created CvssThresholdGateExtensions for DI registration and PolicyGateRegistry integration. CVSS-GATE-008/009: Created CvssThresholdGateTests with 20+ test cases covering: disabled gate, denylist/allowlist, missing CVSS handling, threshold enforcement at various score levels, environment-specific thresholds (staging/dev), version preference (v3.1/v4.0/highest), RequireAllVersionsPass mode, metadata fallback, case-insensitive CVE matching, and complete details in result. | Agent |

## Technical Specification

### Gate Configuration
```yaml
policy:
  gates:
    cvssThreshold:
      enabled: true
      priority: 15
      defaultThreshold: 7.0
      thresholds:
        production: 7.0
        staging: 8.0
        development: 9.0
      cvssVersionPreference: "v4.0" # v3.1, v4.0, or highest
      allowlist:
        - "CVE-2024-12345" # Known false positive
      denylist:
        - "CVE-2024-99999" # Always block
```

### Gate Interface
```csharp
public sealed class CvssThresholdGate : IPolicyGate
{
    public string Name => "CvssThreshold";
    public int Priority => _options.Priority;

    public Task<GateResult> EvaluateAsync(
        GateContext context,
        CancellationToken ct)
    {
        var finding = context.Finding;
        var environment = context.Environment;

        // Get CVSS score (prefer v4.0 if available)
        var cvssScore = GetCvssScore(finding, _options.CvssVersionPreference);

        // Check denylist first
        if (_options.Denylist.Contains(finding.CveId))
            return Task.FromResult(GateResult.Blocked($"CVE {finding.CveId} is denylisted"));

        // Check allowlist
        if (_options.Allowlist.Contains(finding.CveId))
            return Task.FromResult(GateResult.Passed("CVE is allowlisted"));

        // Get environment-specific threshold
        var threshold = GetThreshold(environment);

        if (cvssScore >= threshold)
            return Task.FromResult(GateResult.Blocked(
                $"CVSS {cvssScore:F1} exceeds threshold {threshold:F1} for {environment}"));

        return Task.FromResult(GateResult.Passed());
    }
}
```

## Decisions & Risks
- CVSS v4.0 adoption is emerging; fallback to v3.1 required.
- Denylist takes precedence over allowlist.
- Offline operation means CVSS scores must be pre-populated in findings.

## Acceptance Criteria
- Gate blocks CVEs exceeding configured threshold.
- Environment-specific thresholds enforced correctly.
- Allowlist/denylist exceptions work as expected.
- Gate operates without network (offline determinism).

## Next Checkpoints
- TBD (set once staffed).
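Review bot: The missing-CVSS case is not handled in `EvaluateAsync`. `GetCvssScore` runs before the deny/allow checks, and if no v3.1 or v4.0 score was pre-populated on the finding (the stated offline mode) the `cvssScore >= threshold` comparison is false and the gate silently passes, which contradicts the `FailOnMissingCvss` option in the execution log; add an explicit branch before the threshold test along the lines of `if (cvssScore is null) return Task.FromResult(_options.FailOnMissingCvss ? GateResult.Blocked("No CVSS score") : GateResult.Passed("No CVSS score, not enforced"));`. Two smaller points: `>=` blocks a score equal to the threshold while the message says "exceeds" and the acceptance criteria say "exceeding", so settle on one and document it next to `defaultThreshold`; and `Denylist.Contains(finding.CveId)` / `Allowlist.Contains(...)` only deliver the case-insensitive CVE matching the log claims if those collections are constructed with `StringComparer.OrdinalIgnoreCase`, which the snippet should show. The comment "prefer v4.0 if available" also no longer matches the `CvssVersionPreference` argument on the same line.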

128
docs/implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md
Normal file
@@ -0,0 +1,128 @@

# Sprint 20260112-017-POLICY-sbom-presence-gate - SBOM Presence Policy Gate

## Topic & Scope
- Implement dedicated `SbomPresenceGate` for SBOM inventory validation.
- Current state evidence: `SbomLineageEvidence` mentioned in config but no dedicated presence gate.
- Evidence to produce: Gate implementation, schema validation, and configuration.
- **Working directory:** `src/Policy`.
- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class).

## Dependencies & Concurrency
- Depends on existing `IPolicyGate` interface.
- Parallel safe with CVSS threshold gate sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/sbom-service/architecture.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SBOM-GATE-001 | DONE | None | Policy Guild | Create `SbomPresenceGate` class implementing `IPolicyGate`. |
| 2 | SBOM-GATE-002 | DONE | SBOM-GATE-001 | Policy Guild | Require SBOM presence for release artifacts. |
| 3 | SBOM-GATE-003 | DONE | SBOM-GATE-002 | Policy Guild | Validate SBOM format (SPDX 2.3/3.0.1, CycloneDX 1.4-1.7). |
| 4 | SBOM-GATE-004 | DONE | SBOM-GATE-003 | Policy Guild | Validate SBOM schema against bundled JSON schemas. |
| 5 | SBOM-GATE-005 | DONE | SBOM-GATE-004 | Policy Guild | Check minimum component inventory (configurable threshold). |
| 6 | SBOM-GATE-006 | DONE | SBOM-GATE-005 | Policy Guild | Add per-environment enforcement levels (prod: required, dev: optional). |
| 7 | SBOM-GATE-007 | DONE | SBOM-GATE-006 | Policy Guild | Add SBOM signature verification requirement option. |
| 8 | SBOM-GATE-008 | DONE | SBOM-GATE-007 | Policy Guild | Register gate in `PolicyGateRegistry`. |
| 9 | SBOM-GATE-009 | DONE | SBOM-GATE-008 | Testing Guild | Create unit tests for presence and schema validation. |
| 10 | SBOM-GATE-010 | TODO | SBOM-GATE-009 | Docs Guild | Update policy architecture docs with SBOM gate. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: SBOM presence policy gate. | Planning |
| 2026-01-15 | SBOM-GATE-001 to 008: Created SbomPresenceGate implementing IPolicyGate. Options: Enabled, Priority, per-environment Enforcement (Required/Recommended/Optional), AcceptedFormats (spdx-2.2/2.3/3.0.1, cyclonedx-1.4-1.7), MinimumComponents, RequireSignature, SchemaValidation, RequirePrimaryComponent. Gate validates SBOM presence, format normalization (handles case variations, cdx alias), component count, schema validity, signature requirement, and primary component. Created SbomPresenceGateExtensions for DI and registry integration. SbomInfo record captures all SBOM metadata. SBOM-GATE-009: Created SbomPresenceGateTests with 25+ test cases covering: disabled gate, enforcement levels (optional/recommended/required), missing SBOM handling, valid SBOM, accepted formats, invalid formats, insufficient components, schema validation, signature requirements (missing/invalid/valid), primary component requirement, environment-specific enforcement, default enforcement fallback, metadata parsing, format normalization variations, and optional metadata inclusion. | Agent |

## Technical Specification

### Gate Configuration
```yaml
policy:
  gates:
    sbomPresence:
      enabled: true
      priority: 5
      enforcement:
        production: required
        staging: required
        development: optional
      formats:
        - "spdx-2.3"
        - "spdx-3.0.1"
        - "cyclonedx-1.4"
        - "cyclonedx-1.5"
        - "cyclonedx-1.6"
        - "cyclonedx-1.7"
      minimumComponents: 1
      requireSignature: false
      schemaValidation: true
```

### Gate Interface
```csharp
public sealed class SbomPresenceGate : IPolicyGate
{
    public string Name => "SbomPresence";
    public int Priority => _options.Priority;

    public Task<GateResult> EvaluateAsync(
        GateContext context,
        CancellationToken ct)
    {
        var artifact = context.Artifact;
        var environment = context.Environment;

        // Get enforcement level for environment
        var enforcement = GetEnforcementLevel(environment);
        if (enforcement == EnforcementLevel.Optional)
            return Task.FromResult(GateResult.Passed("SBOM optional for environment"));

        // Check SBOM presence
        var sbom = context.Evidence.GetSbom(artifact.Digest);
        if (sbom is null)
            return Task.FromResult(GateResult.Blocked("SBOM not found for artifact"));

        // Validate format
        if (!_options.Formats.Contains(sbom.Format))
            return Task.FromResult(GateResult.Blocked(
                $"SBOM format '{sbom.Format}' not in allowed list"));

        // Validate schema
        if (_options.SchemaValidation)
        {
            var schemaResult = ValidateSchema(sbom);
            if (!schemaResult.IsValid)
                return Task.FromResult(GateResult.Blocked(
                    $"SBOM schema validation failed: {schemaResult.Error}"));
        }

        // Check minimum components
        if (sbom.ComponentCount < _options.MinimumComponents)
            return Task.FromResult(GateResult.Blocked(
                $"SBOM has {sbom.ComponentCount} components, minimum is {_options.MinimumComponents}"));

        // Check signature if required
        if (_options.RequireSignature && !sbom.IsSigned)
            return Task.FromResult(GateResult.Blocked("SBOM signature required but not present"));

        return Task.FromResult(GateResult.Passed());
    }
}
```

## Decisions & Risks
- Schema validation requires bundling JSON schemas for offline operation.
- Minimum component threshold prevents empty SBOMs.
- Signature requirement may be too strict for some environments.

## Acceptance Criteria
- Gate blocks artifacts without SBOM in production.
- Schema validation works offline with bundled schemas.
- Environment-specific enforcement works correctly.
- Signature verification optional but functional.

## Next Checkpoints
- TBD (set once staffed).
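Review bot: `EnforcementLevel.Recommended` is not handled in `EvaluateAsync`. The body only short-circuits on `Optional`, so a `Recommended` environment hits the same `GateResult.Blocked(...)` returns as `Required`; the gate needs a warn-and-pass path for Recommended (a `Passed` carrying the would-be failure in its details), which is what the "enforcement levels (optional/recommended/required)" tests in the log exercise. Two further points in the same method: `_options.Formats.Contains(sbom.Format)` is an exact-string lookup, so the `cdx` alias and case variants the log says are normalized will be rejected unless normalization runs before this check; and `_options.RequireSignature && !sbom.IsSigned` only tests presence, while SBOM-GATE-007 and the tests speak of invalid versus valid signatures, so either verify here or state that verification is delegated to `SignatureRequiredGate`. Minor: SBOM-GATE-003 says SPDX 2.3/3.0.1 but the log's `AcceptedFormats` includes spdx-2.2; align the task text or the config example.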

@@ -0,0 +1,150 @@

# Sprint 20260112-017-POLICY-signature-required-gate - Signature Required Policy Gate

## Topic & Scope
- Implement standalone `SignatureRequiredGate` for generic payload signature enforcement.
- Current state evidence: `VexProofGate` has `RequireSignedStatements` but no standalone signature gate.
- Evidence to produce: Generic gate implementation for any evidence type.
- **Working directory:** `src/Policy`.
- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class).

## Dependencies & Concurrency
- Depends on existing `IPolicyGate` interface.
- Parallel safe with other policy gate sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/signer/architecture.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SIG-GATE-001 | DONE | None | Policy Guild | Create `SignatureRequiredGate` class implementing `IPolicyGate`. |
| 2 | SIG-GATE-002 | DONE | SIG-GATE-001 | Policy Guild | Configure required signatures per evidence type (SBOM, VEX, attestation). |
| 3 | SIG-GATE-003 | DONE | SIG-GATE-002 | Policy Guild | Validate DSSE envelope structure. |
| 4 | SIG-GATE-004 | DONE | SIG-GATE-003 | Policy Guild | Verify signature against trusted key set. |
| 5 | SIG-GATE-005 | DONE | SIG-GATE-004 | Policy Guild | Support keyless (Fulcio) signature verification with bundled roots. |
| 6 | SIG-GATE-006 | DONE | SIG-GATE-005 | Policy Guild | Add per-environment signature requirements. |
| 7 | SIG-GATE-007 | DONE | SIG-GATE-006 | Policy Guild | Add issuer/identity constraints (e.g., only accept signatures from specific emails). |
| 8 | SIG-GATE-008 | DONE | SIG-GATE-007 | Policy Guild | Register gate in `PolicyGateRegistry`. |
| 9 | SIG-GATE-009 | DONE | SIG-GATE-008 | Testing Guild | Create unit tests for signature validation scenarios. |
| 10 | SIG-GATE-010 | TODO | SIG-GATE-009 | Docs Guild | Update policy architecture docs with signature gate. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: signature required policy gate. | Planning |
| 2026-01-15 | SIG-GATE-001 to 008: Created SignatureRequiredGate implementing IPolicyGate. Options: Enabled, Priority, EvidenceTypes (per-type config with Required, TrustedIssuers with wildcard support, TrustedKeyIds, AcceptedAlgorithms), Environments (RequiredOverride, AdditionalIssuers, SkipEvidenceTypes), EnableKeylessVerification, FulcioRoots, RekorUrl, RequireTransparencyLogInclusion. SignatureInfo record captures EvidenceType, HasSignature, SignatureValid, Algorithm, SignerIdentity, KeyId, IsKeyless, HasTransparencyLogInclusion, CertificateChainValid, VerificationErrors. Gate validates per-evidence-type signatures with issuer wildcard matching (*@domain.com), algorithm enforcement (ES256/RS256/EdDSA), key ID constraints, keyless (Fulcio) verification with transparency log requirement, certificate chain validation, and environment-specific overrides. Created SignatureRequiredGateExtensions for DI and registry integration. SIG-GATE-009: Created SignatureRequiredGateTests with 18+ test cases covering: disabled gate, missing/invalid signatures, issuer validation with wildcards, algorithm enforcement, key ID constraints, keyless signatures with/without transparency log, keyless disabled, environment overrides (skip types, additional issuers), certificate chain validation, and subdomain wildcard matching. | Agent |

## Technical Specification

### Gate Configuration
```yaml
policy:
  gates:
    signatureRequired:
      enabled: true
      priority: 3
      evidenceTypes:
        sbom:
          required: true
          trustedIssuers:
            - "build@company.com"
            - "release@company.com"
        vex:
          required: true
          trustedIssuers:
            - "security@company.com"
        attestation:
          required: true
          trustedIssuers:
            - "*@company.com" # Wildcard support
      keylessVerification:
        enabled: true
        fulcioRootPath: "/etc/stellaops/fulcio-root.pem"
        rekorPublicKeyPath: "/etc/stellaops/rekor.pub"
      enforcement:
        production: required
        staging: required
        development: optional
```

### Gate Interface
```csharp
public sealed class SignatureRequiredGate : IPolicyGate
{
    public string Name => "SignatureRequired";
    public int Priority => _options.Priority;

    public Task<GateResult> EvaluateAsync(
        GateContext context,
        CancellationToken ct)
    {
        var environment = context.Environment;
        var enforcement = GetEnforcementLevel(environment);

        if (enforcement == EnforcementLevel.Optional)
            return Task.FromResult(GateResult.Passed("Signatures optional"));

        var failures = new List<string>();

        foreach (var evidence in context.Evidence.All)
        {
            var config = GetEvidenceConfig(evidence.Type);
            if (!config.Required) continue;

            // Check signature presence
            if (evidence.Signature is null)
            {
                failures.Add($"{evidence.Type}: No signature present");
                continue;
            }

            // Validate DSSE envelope
            var dsseResult = ValidateDsseEnvelope(evidence.Signature);
            if (!dsseResult.IsValid)
            {
                failures.Add($"{evidence.Type}: Invalid DSSE - {dsseResult.Error}");
                continue;
            }

            // Verify signature
            var verifyResult = await VerifySignatureAsync(
                evidence.Signature,
                config.TrustedIssuers,
                ct);

            if (!verifyResult.IsValid)
            {
                failures.Add($"{evidence.Type}: Signature invalid - {verifyResult.Error}");
                continue;
            }

            // Check issuer constraints
            if (!MatchesIssuerConstraints(verifyResult.Issuer, config.TrustedIssuers))
            {
                failures.Add($"{evidence.Type}: Issuer '{verifyResult.Issuer}' not trusted");
            }
        }

        if (failures.Count > 0)
            return Task.FromResult(GateResult.Blocked(string.Join("; ", failures)));

        return Task.FromResult(GateResult.Passed());
    }
}
```

## Decisions & Risks
- Wildcard issuer matching syntax (e.g., `*@company.com`).
- Keyless verification requires bundled Fulcio root for offline.
- Performance impact of signature verification on every evaluation.

## Acceptance Criteria
- Gate blocks unsigned evidence when required.
- Issuer constraints enforced correctly.
- Keyless verification works offline with bundled roots.
- Environment-specific enforcement works correctly.

## Next Checkpoints
- TBD (set once staffed).
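Review bot: `EvaluateAsync` does not compile as written: it is a non-async `Task<GateResult>` method that wraps its returns in `Task.FromResult`, yet the loop body does `var verifyResult = await VerifySignatureAsync(...)`. Declare it `public async Task<GateResult> EvaluateAsync(GateContext context, CancellationToken ct)` and return `GateResult.Blocked(...)` / `GateResult.Passed(...)` directly. Related: `MatchesIssuerConstraints(verifyResult.Issuer, config.TrustedIssuers)` runs after `VerifySignatureAsync` has already been handed `config.TrustedIssuers`, so one of the two checks is redundant and the split of responsibility should be stated. On the config example, `rekorPublicKeyPath` is shown while the log lists `RekorUrl` and `RequireTransparencyLogInclusion` as options; for the "works offline with bundled roots" acceptance criterion the spec should say that inclusion is verified from a bundled Rekor public key plus an inclusion proof carried with the evidence, never by contacting a URL at evaluation time. Lastly, the `Optional` short-circuit returns before `ValidateDsseEnvelope`, so a malformed envelope in development is never reported; consider "verify if present" semantics for Optional.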

157
docs/implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md
Normal file
@@ -0,0 +1,157 @@

# Sprint 20260112-018-AUTH-local-rbac-fallback - Local RBAC Policy Fallback

## Topic & Scope
- Implement local file-based RBAC policy fallback for offline/air-gapped Authority operation.
- Current state evidence: Authority is PostgreSQL-only; no local policy fallback exists.
- Evidence to produce: File-based policy store, fallback mechanism, and break-glass account.
- **Working directory:** `src/Authority`.
- **Compliance item:** Item 2 - Offline RBAC & break-glass.

## Dependencies & Concurrency
- Depends on existing Authority architecture understanding.
- Parallel safe with other Authority sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/authority/architecture.md`
- `docs/modules/authority/AUTHORITY.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | RBAC-001 | DONE | None | Authority Guild | Create `ILocalPolicyStore` interface. |
| 2 | RBAC-002 | DONE | RBAC-001 | Authority Guild | Implement `FileBasedPolicyStore` with YAML/JSON policy files. |
| 3 | RBAC-003 | DONE | RBAC-002 | Authority Guild | Define local policy file schema (roles, scopes, subjects). |
| 4 | RBAC-004 | DONE | RBAC-003 | Authority Guild | Implement policy file hot-reload with inotify/FileSystemWatcher. |
| 5 | RBAC-005 | DONE | RBAC-004 | Authority Guild | Create fallback mechanism when PostgreSQL is unavailable. |
| 6 | RBAC-006 | DONE | RBAC-005 | Authority Guild | Implement break-glass account with bootstrap credentials. |
| 7 | RBAC-007 | DONE | RBAC-006 | Authority Guild | Add break-glass usage audit logging (mandatory reason codes). |
| 8 | RBAC-008 | DONE | RBAC-007 | Authority Guild | Implement automatic break-glass session timeout (configurable, default 15 min). |
| 9 | RBAC-009 | DONE | RBAC-008 | Authority Guild | Add break-glass session extension with re-authentication. |
| 10 | RBAC-010 | TODO | RBAC-009 | AirGap Guild | Include local policy in Offline Kit bundles. |
| 11 | RBAC-011 | DONE | RBAC-010 | Testing Guild | Create unit tests for local policy store. |
| 12 | RBAC-012 | TODO | RBAC-011 | Testing Guild | Create integration tests for fallback scenarios. |
| 13 | RBAC-013 | TODO | RBAC-012 | Docs Guild | Create break-glass account runbook. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: local RBAC policy fallback. | Planning |
| 2026-01-15 | RBAC-001: Created ILocalPolicyStore interface with GetPolicyAsync, GetSubjectRolesAsync, GetRoleScopesAsync, HasScopeAsync, GetSubjectScopesAsync, ValidateBreakGlassCredentialAsync, IsAvailableAsync, ReloadAsync, and PolicyReloaded event. RBAC-002/003/004: Created FileBasedPolicyStore implementing ILocalPolicyStore with YAML/JSON loading via YamlDotNet, FileSystemWatcher hot-reload with debouncing, role inheritance resolution, subject index with tenant/expiration checks, schema version validation. Created LocalPolicyModels with LocalPolicy, LocalRole, LocalSubject, BreakGlassConfig, BreakGlassAccount, BreakGlassSession records. Created LocalPolicyStoreOptions with PolicyFilePath, EnableHotReload, RequireSignature, FallbackBehavior, SupportedSchemaVersions. RBAC-005: Created FallbackPolicyStore with IPrimaryPolicyStoreHealthCheck integration, PolicyStoreMode enum (Primary/Fallback/Degraded), automatic failover after FailureThreshold consecutive failures, recovery with MinFallbackDurationMs cooldown, ModeChanged event. RBAC-006/007/008/009: Created BreakGlassSessionManager with IBreakGlassSessionManager interface, session creation with credential validation (bcrypt), mandatory reason codes from AllowedReasonCodes, configurable SessionTimeoutMinutes (default 15), MaxExtensions with re-authentication, automatic expired session cleanup, IBreakGlassAuditLogger with BreakGlassAuditEvent (SessionCreated/Extended/Terminated/Expired/AuthenticationFailed/InvalidReasonCode/MaxExtensionsReached). RBAC-011: Created FileBasedPolicyStoreTests with 15+ unit tests covering policy serialization, role inheritance, subject enable/expiration, break-glass config, session validity, options defaults, mode change events. | Agent |

## Technical Specification

### Local Policy File Schema
```yaml
# /etc/stellaops/authority/local-policy.yaml
schemaVersion: "1.0.0"
lastUpdated: "2026-01-15T12:00:00Z"
signatureRequired: true
signature: "base64-encoded-dsse-signature"

roles:
  - name: "admin"
    scopes:
      - "authority:read"
      - "authority:write"
      - "platform:admin"
  - name: "operator"
    scopes:
      - "orch:operate"
      - "orch:view"
  - name: "auditor"
    scopes:
      - "audit:read"
      - "obs:incident"

subjects:
  - id: "user@company.com"
    roles: ["admin"]
    tenant: "default"
  - id: "ops@company.com"
    roles: ["operator"]
    tenant: "default"

breakGlass:
  enabled: true
  accounts:
    - id: "break-glass-admin"
      passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$..."
      roles: ["admin"]
  sessionTimeoutMinutes: 15
  maxExtensions: 2
  requireReasonCode: true
  allowedReasonCodes:
    - "emergency-incident"
    - "database-outage"
    - "security-event"
    - "scheduled-maintenance"
```

### Break-Glass Audit Event
```json
{
  "eventType": "authority.break_glass.activated",
  "severity": "warning",
  "accountId": "break-glass-admin",
  "reasonCode": "database-outage",
  "reasonDetails": "PostgreSQL cluster unreachable",
  "activatedAt": "2026-01-15T12:34:56Z",
  "sessionId": "bg-session-abc123",
  "expiresAt": "2026-01-15T12:49:56Z",
  "clientIp": "10.0.0.5",
  "userAgent": "StellaOps-CLI/2027.Q1"
}
```

### Configuration
```yaml
authority:
  localPolicy:
    enabled: true
    policyPath: "/etc/stellaops/authority/local-policy.yaml"
    fallbackMode: "on_db_unavailable" # on_db_unavailable, always_local, hybrid
    reloadIntervalSeconds: 30
    requireSignature: true
    signaturePublicKeyPath: "/etc/stellaops/authority/policy-signing.pub"
    breakGlass:
      enabled: true
      maxSessionMinutes: 60
      alertOnActivation: true
      alertChannels: ["email", "slack", "pagerduty"]
```

### Fallback Logic
```csharp
public async Task<AuthorizationResult> AuthorizeAsync(
    AuthorizationRequest request,
    CancellationToken ct)
{
    // Try PostgreSQL first
    if (await _postgresStore.IsAvailableAsync(ct))
    {
        return await _postgresStore.AuthorizeAsync(request, ct);
    }

    // Fallback to local policy
    _logger.LogWarning("PostgreSQL unavailable, using local policy fallback");
    _metrics.IncrementFallbackActivations();

    return await _localPolicyStore.AuthorizeAsync(request, ct);
}
```

## Decisions & Risks
- Local policy must be signed to prevent tampering.
- Break-glass password storage: Argon2id hash in file.
- Alert-on-activation to notify security team.
- Policy sync between PostgreSQL and local file.

## Acceptance Criteria
- Local policy fallback activates when PostgreSQL unavailable.
- Break-glass account authenticates with reason code.
- Session timeout enforced with audit trail.
- Alert dispatched on break-glass activation.

## Next Checkpoints
- TBD (set once staffed).
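Review bot: The policy file schema embeds `signature: "base64-encoded-dsse-signature"` inside the document it signs, so the spec must state which bytes are covered (the file with the `signature` field removed and canonicalized, or better a detached DSSE envelope whose payload is the YAML); without that, two verifiers will disagree. With `requireSignature: true`, the fallback path in `AuthorizeAsync` should also refuse to serve a policy whose signature failed rather than degrade further, because a writable unsigned file on a host becomes the admin policy the moment PostgreSQL is down. Two inconsistencies to resolve: the example and "Decisions & Risks" say Argon2id (`$argon2id$v=19$...`) while the execution log says break-glass credentials are validated with bcrypt; and the policy sets `sessionTimeoutMinutes: 15` while the config block sets `maxSessionMinutes: 60`, so document which is the ceiling and which the default. Finally, `if (await _postgresStore.IsAvailableAsync(ct))` followed by `_postgresStore.AuthorizeAsync` is a check-then-use window: if PostgreSQL drops between the two calls the exception propagates instead of falling back, and every request pays a health check; the `FallbackPolicyStore` with `FailureThreshold` and `MinFallbackDurationMs` described in the log already addresses this, so the snippet should mirror it (catch around the primary call, then switch mode).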

143
docs/implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md
Normal file
@@ -0,0 +1,143 @@

# Sprint 20260112-018-CRYPTO-key-escrow-shamir - Key Escrow with Shamir Secret Sharing

## Topic & Scope
- Implement key escrow mechanisms using Shamir's Secret Sharing for key recovery.
- Current state evidence: No key recovery or escrow mechanisms exist.
- Evidence to produce: Shamir splitting, escrow storage, and recovery procedures.
- **Working directory:** `src/Cryptography`.
- **Compliance item:** Item 4 - HSM / key escrow patterns.

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_018_SIGNER_dual_control_ceremonies` for recovery ceremony.
- Parallel safe with other crypto sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/signer/architecture.md`
- `docs/operations/key-rotation-runbook.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ESCROW-001 | TODO | None | Crypto Guild | Implement `ShamirSecretSharing` class with split/combine operations. |
| 2 | ESCROW-002 | TODO | ESCROW-001 | Crypto Guild | Use GF(2^8) for byte-level secret sharing. |
| 3 | ESCROW-003 | TODO | ESCROW-002 | Crypto Guild | Create `IKeyEscrowService` interface. |
| 4 | ESCROW-004 | TODO | ESCROW-003 | Crypto Guild | Implement key splitting with configurable M-of-N threshold. |
| 5 | ESCROW-005 | TODO | ESCROW-004 | Crypto Guild | Create `KeyShare` record with share index, data, and metadata. |
| 6 | ESCROW-006 | TODO | ESCROW-005 | Crypto Guild | Implement encrypted share storage (shares encrypted at rest). |
| 7 | ESCROW-007 | TODO | ESCROW-006 | Crypto Guild | Create `IEscrowAgentStore` interface for share custody. |
| 8 | ESCROW-008 | TODO | ESCROW-007 | Crypto Guild | Implement share distribution to escrow agents. |
| 9 | ESCROW-009 | TODO | ESCROW-008 | Crypto Guild | Create key recovery workflow with share collection. |
| 10 | ESCROW-010 | TODO | ESCROW-009 | Crypto Guild | Integrate with dual-control ceremonies for recovery authorization. |
| 11 | ESCROW-011 | TODO | ESCROW-010 | Testing Guild | Create unit tests for Shamir splitting/combining. |
| 12 | ESCROW-012 | TODO | ESCROW-011 | Testing Guild | Create integration tests for recovery workflow. |
| 13 | ESCROW-013 | TODO | ESCROW-012 | Docs Guild | Create key escrow and recovery runbook. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: key escrow with Shamir secret sharing. | Planning |

## Technical Specification

### Shamir Secret Sharing
```csharp
public sealed class ShamirSecretSharing
{
    /// <summary>
    /// Split a secret into N shares where any M shares can reconstruct.
    /// Uses GF(2^8) arithmetic for byte-level operations.
    /// </summary>
    public IReadOnlyList<KeyShare> Split(
        byte[] secret,
        int threshold, // M - minimum shares needed
        int totalShares, // N - total shares created
        IGuidGenerator guidGenerator,
        TimeProvider timeProvider)
    {
        // Validate: 2 <= M <= N <= 255
        // For each byte of secret:
        // 1. Generate random polynomial of degree M-1 with secret as constant term
        // 2. Evaluate polynomial at points 1..N
        // 3. Store evaluation results as share data
    }

    /// <summary>
    /// Reconstruct secret from M or more shares using Lagrange interpolation.
    /// </summary>
    public byte[] Combine(IReadOnlyList<KeyShare> shares)
    {
        // Validate: shares.Count >= threshold
        // Use Lagrange interpolation at x=0 to recover constant term (secret)
    }
}
```

### Key Share Model
```csharp
public sealed record KeyShare
{
    public required Guid ShareId { get; init; }
    public required int Index { get; init; } // 1..N
    public required byte[] EncryptedData { get; init; }
    public required string KeyId { get; init; }
    public required int Threshold { get; init; }
    public required int TotalShares { get; init; }
    public required DateTimeOffset CreatedAt { get; init; }
    public required DateTimeOffset ExpiresAt { get; init; }
    public required string CustodianId { get; init; }
    public required string ChecksumHex { get; init; } // SHA-256 of unencrypted share
}
```

### Escrow Agent Configuration
```yaml
cryptography:
  escrow:
    enabled: true
    defaultThreshold: 3
    defaultTotalShares: 5
    shareEncryptionKeyPath: "/etc/stellaops/escrow-encryption.key"
    agents:
      - id: "escrow-agent-1"
        name: "Primary Security Officer"
        email: "cso@company.com"
        publicKeyPath: "/etc/stellaops/escrow-agents/agent1.pub"
      - id: "escrow-agent-2"
        name: "Backup Security Officer"
        email: "backup-cso@company.com"
        publicKeyPath: "/etc/stellaops/escrow-agents/agent2.pub"
      - id: "escrow-agent-3"
        name: "External Custodian"
        email: "custodian@escrow-service.com"
        publicKeyPath: "/etc/stellaops/escrow-agents/agent3.pub"
    shareRetentionDays: 365
    autoDeleteOnRecovery: false
```

### Recovery Workflow
```
1. Recovery request initiated (requires dual-control ceremony)
2. Notify escrow agents of recovery request
3. Each agent authenticates and submits their share
4. System collects shares until threshold reached
5. Secret reconstructed using Lagrange interpolation
6. Key imported/restored to target HSM or keystore
7. Recovery audit event logged
|
||||
8. (Optional) Shares re-generated with new random polynomial
|
||||
```
|
||||
|
||||
## Decisions & Risks
|
||||
- Share storage security: encrypt shares at rest with separate key.
|
||||
- Agent identity verification during recovery.
|
||||
- Re-escrow after recovery to prevent share replay.
|
||||
- External escrow agent integration complexity.
|
||||
|
||||
## Acceptance Criteria
|
||||
- 3-of-5 Shamir splitting demonstrated.
|
||||
- Key recovery from 3 shares successful.
|
||||
- Escrow agent notification workflow functional.
|
||||
- Recovery audit trail complete.
|
||||
|
||||
## Next Checkpoints
|
||||
- TBD (set once staffed).
|
||||
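Review bot: `Combine` validates only `shares.Count >= threshold`; it must also reject duplicate `Index` values and shares whose `KeyId`/`Threshold`/`TotalShares` disagree, because two shares with the same x-coordinate make a Lagrange denominator (x_i - x_j) zero in GF(2^8) and a mixed set silently reconstructs garbage. Shamir shares carry no integrity of their own and `ChecksumHex` is set by whoever holds the share, so a corrupted or substituted share from one custodian is not detectable at step 5; bind each share's index and metadata into its encryption (AEAD associated data) or verify the recovered key against a stored public key or key check value before step 6 imports it into the HSM. The configuration also needs a decision recorded under Decisions & Risks: `shareEncryptionKeyPath: "/etc/stellaops/escrow-encryption.key"` makes every share decryptable with one host-held key, which defeats the M-of-N property unless shares are encrypted to the per-agent `publicKeyPath` keys and the service never retains M or more of them.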
@@ -0,0 +1,131 @@
# Sprint 20260112-018-DOCS-upgrade-runbook-evidence-continuity - Upgrade Runbook with Evidence Continuity

## Topic & Scope
- Create comprehensive upgrade runbook with evidence continuity procedures.
- Current state evidence: DB migrations documented but no evidence-focused upgrade guide.
- Evidence to produce: Step-by-step runbook, pre-flight checklists, and validation procedures.
- **Working directory:** `docs/operations`.
- **Compliance item:** Item 7 - Upgrade & evidence-migration paths.

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_016_DOCS_blue_green_deployment` for deployment procedures.
- Depends on `SPRINT_20260112_018_EVIDENCE_reindex_tooling` for CLI commands.
- Parallel safe with implementation sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/db/MIGRATION_STRATEGY.md`
- `docs/releases/VERSIONING.md`
- `docs/flows/13-evidence-bundle-export-flow.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | RUNBOOK-001 | TODO | None | Docs Guild | Create `docs/operations/upgrade-runbook.md` structure. |
| 2 | RUNBOOK-002 | TODO | RUNBOOK-001 | Docs Guild | Document pre-upgrade checklist (backup, health checks, evidence export). |
| 3 | RUNBOOK-003 | TODO | RUNBOOK-002 | Docs Guild | Document evidence integrity pre-flight validation. |
| 4 | RUNBOOK-004 | TODO | RUNBOOK-003 | Docs Guild | Document database backup procedures with evidence focus. |
| 5 | RUNBOOK-005 | TODO | RUNBOOK-004 | Docs Guild | Document step-by-step upgrade sequence. |
| 6 | RUNBOOK-006 | TODO | RUNBOOK-005 | Docs Guild | Document evidence reindex procedures (reference CLI sprint). |
| 7 | RUNBOOK-007 | TODO | RUNBOOK-006 | Docs Guild | Document chain-of-custody verification steps. |
| 8 | RUNBOOK-008 | TODO | RUNBOOK-007 | Docs Guild | Document post-upgrade validation checklist. |
| 9 | RUNBOOK-009 | TODO | RUNBOOK-008 | Docs Guild | Document rollback procedures with evidence considerations. |
| 10 | RUNBOOK-010 | TODO | RUNBOOK-009 | Docs Guild | Document breaking changes matrix per version. |
| 11 | RUNBOOK-011 | TODO | RUNBOOK-010 | Docs Guild | Create `docs/operations/evidence-migration.md` for detailed procedures. |
| 12 | RUNBOOK-012 | TODO | RUNBOOK-011 | Docs Guild | Document air-gap upgrade path with evidence handling. |
| 13 | RUNBOOK-013 | TODO | RUNBOOK-012 | Docs Guild | Create troubleshooting section for common upgrade issues. |
| 14 | RUNBOOK-014 | TODO | RUNBOOK-013 | Docs Guild | Add version-specific migration notes template. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: upgrade runbook with evidence continuity. | Planning |

## Runbook Outline

### 1. Pre-Upgrade Phase
```markdown
## Pre-Upgrade Checklist

### 1.1 Environment Assessment
- [ ] Current version identified
- [ ] Target version confirmed compatible (see compatibility matrix)
- [ ] Resource requirements verified (CPU, memory, storage)
- [ ] Maintenance window scheduled

### 1.2 Backup Procedures
- [ ] PostgreSQL full backup completed
- [ ] Evidence Locker export completed (all tenants)
- [ ] Attestation bundles archived
- [ ] Configuration files backed up
- [ ] Backup integrity verified

### 1.3 Evidence Integrity Pre-Flight
- [ ] Run `stella evidence verify-all --output pre-upgrade-report.json`
- [ ] Verify all Merkle roots valid
- [ ] Export root cross-reference baseline
- [ ] Document current evidence count by type

### 1.4 Health Checks
- [ ] All services healthy (green status)
- [ ] No pending migrations
- [ ] Queue depths at zero
- [ ] Recent scan/attestation successful
```

### 2. Upgrade Phase
```markdown
## Upgrade Sequence

### 2.1 Blue/Green Preparation
- [ ] Deploy green environment with new version
- [ ] Apply database migrations (Category A: startup)
- [ ] Verify green environment health

### 2.2 Evidence Migration
- [ ] Run `stella evidence migrate --dry-run` on green
- [ ] Review migration impact report
- [ ] Execute evidence migration if needed
- [ ] Verify evidence integrity post-migration

### 2.3 Traffic Cutover
- [ ] Switch traffic to green (gradual or instant)
- [ ] Monitor error rates and latency
- [ ] Verify all services responding correctly
```

### 3. Post-Upgrade Phase
```markdown
## Post-Upgrade Validation

### 3.1 Evidence Continuity Verification
- [ ] Run `stella evidence verify-continuity --pre pre-upgrade-report.json`
- [ ] Confirm chain-of-custody preserved
- [ ] Verify artifact digests unchanged
- [ ] Generate continuity report for audit

### 3.2 Functional Validation
- [ ] Execute smoke test suite
- [ ] Verify scan capability
- [ ] Verify attestation generation
- [ ] Verify policy evaluation

### 3.3 Cleanup
- [ ] Decommission blue environment (after observation period)
- [ ] Archive upgrade artifacts
- [ ] Update documentation with version
```

## Decisions & Risks
- Minimum observation period before blue decommission (recommend 72 hours).
- Evidence export timing (before or during maintenance window).
- Rollback trigger criteria definition.

## Acceptance Criteria
- Complete runbook with all checklists.
- Evidence-focused procedures clearly documented.
- Rollback procedures tested and validated.
- Troubleshooting section covers common issues.

## Next Checkpoints
- TBD (set once staffed).
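Review bot: section 2.2 runs `stella evidence migrate` on green while blue is still taking traffic (cutover is 2.3), so any evidence written to blue after the 1.3 pre-flight export is absent from `pre-upgrade-report.json` and the 3.1 continuity check cannot vouch for it; add a write freeze or a delta export step between 2.2 and 2.3 and verify against that. The command surface also disagrees with the reindex sprint in this same commit: the runbook calls `stella evidence verify-all` and `verify-continuity --pre pre-upgrade-report.json`, while the tooling sprint defines `verify-continuity --old-root ... --new-root ...` and no `verify-all` at all; pick one and reference REINDEX-007 as the source of truth. Finally, the acceptance criterion "Rollback procedures tested and validated" has no tracker task behind it, since RUNBOOK-009 only documents rollback.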
157
docs/implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md
Normal file
@@ -0,0 +1,157 @@
# Sprint 20260112-018-EVIDENCE-reindex-tooling - Evidence Re-Index Tooling

## Topic & Scope
- Implement CLI tooling for evidence re-indexing and chain-of-custody verification after upgrades.
- Current state evidence: Evidence bundles exist but no re-indexing or migration tooling.
- Evidence to produce: CLI commands, migration scripts, and verification reports.
- **Working directory:** `src/Cli`, `src/EvidenceLocker`.
- **Compliance item:** Item 7 - Upgrade & evidence-migration paths.

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_016_DOCS_blue_green_deployment` for upgrade procedures.
- Parallel safe with other Evidence sprints.

## Documentation Prerequisites
- `docs/README.md`
- `docs/flows/13-evidence-bundle-export-flow.md`
- `docs/db/MIGRATION_STRATEGY.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REINDEX-001 | TODO | None | CLI Guild | Add `stella evidence reindex` command skeleton. |
| 2 | REINDEX-002 | TODO | REINDEX-001 | CLI Guild | Implement `--dry-run` mode for impact assessment. |
| 3 | REINDEX-003 | TODO | REINDEX-002 | Evidence Guild | Create `IEvidenceReindexService` interface. |
| 4 | REINDEX-004 | TODO | REINDEX-003 | Evidence Guild | Implement Merkle root recomputation from existing evidence. |
| 5 | REINDEX-005 | TODO | REINDEX-004 | Evidence Guild | Create old/new root cross-reference mapping. |
| 6 | REINDEX-006 | TODO | REINDEX-005 | Evidence Guild | Implement chain-of-custody verification (old proofs still valid). |
| 7 | REINDEX-007 | TODO | REINDEX-006 | Evidence Guild | Add `stella evidence verify-continuity` command. |
| 8 | REINDEX-008 | TODO | REINDEX-007 | Evidence Guild | Generate verification report (JSON, HTML formats). |
| 9 | REINDEX-009 | TODO | REINDEX-008 | CLI Guild | Add `stella evidence migrate` command for schema migrations. |
| 10 | REINDEX-010 | TODO | REINDEX-009 | Evidence Guild | Implement batch processing with progress reporting. |
| 11 | REINDEX-011 | TODO | REINDEX-010 | Evidence Guild | Add rollback capability for failed migrations. |
| 12 | REINDEX-012 | TODO | REINDEX-011 | Testing Guild | Create unit tests for reindex operations. |
| 13 | REINDEX-013 | TODO | REINDEX-012 | Testing Guild | Create integration tests with sample evidence bundles. |
| 14 | REINDEX-014 | TODO | REINDEX-013 | Docs Guild | Document evidence migration procedures in upgrade runbook. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: evidence re-index tooling. | Planning |

## Technical Specification

### CLI Commands
```bash
# Dry-run reindex to assess impact
stella evidence reindex --dry-run --since 2026-01-01

# Execute reindex with progress
stella evidence reindex --since 2026-01-01 --batch-size 100

# Verify chain-of-custody after upgrade
stella evidence verify-continuity \
--old-root sha256:abc123... \
--new-root sha256:def456... \
--output report.html

# Migrate evidence schema
stella evidence migrate \
--from-version 1.0 \
--to-version 2.0 \
--dry-run

# Generate upgrade readiness report
stella evidence upgrade-check --target-version 2027.Q2
```

### Reindex Service Interface
```csharp
public interface IEvidenceReindexService
{
/// <summary>
/// Recompute Merkle roots for evidence bundles.
/// </summary>
Task<ReindexResult> ReindexAsync(
ReindexOptions options,
IProgress<ReindexProgress> progress,
CancellationToken ct);

/// <summary>
/// Verify chain-of-custody between old and new roots.
/// </summary>
Task<ContinuityVerificationResult> VerifyContinuityAsync(
string oldRoot,
string newRoot,
CancellationToken ct);

/// <summary>
/// Generate cross-reference mapping between old and new roots.
/// </summary>
Task<RootCrossReferenceMap> GenerateCrossReferenceAsync(
DateTimeOffset since,
CancellationToken ct);
}
```

### Cross-Reference Map
```json
{
"schemaVersion": "1.0.0",
"generatedAt": "2026-01-15T12:34:56Z",
"fromVersion": "2027.Q1",
"toVersion": "2027.Q2",
"entries": [
{
"bundleId": "bundle-abc123",
"oldRoot": "sha256:old123...",
"newRoot": "sha256:new456...",
"evidenceCount": 15,
"verified": true,
"digestsPreserved": true
}
],
"summary": {
"totalBundles": 1500,
"successfulMigrations": 1498,
"failedMigrations": 2,
"digestsPreserved": 1500
}
}
```

### Verification Report
```html
<!DOCTYPE html>
<html>
<head>
<title>Evidence Continuity Report - 2027.Q1 to 2027.Q2</title>
</head>
<body>
<h1>Evidence Continuity Verification Report</h1>
<h2>Summary</h2>
<ul>
<li>Upgrade: 2027.Q1 -> 2027.Q2</li>
<li>Bundles Verified: 1500</li>
<li>Chain-of-Custody: PRESERVED</li>
<li>Artifact Digests: UNCHANGED</li>
</ul>
<h2>Details</h2>
<!-- Bundle-by-bundle verification results -->
</body>
</html>
```

## Decisions & Risks
- Batch size tuning for large evidence stores.
- Rollback strategy for partial failures.
- Digest preservation guarantee documentation.

## Acceptance Criteria
- Dry-run mode shows accurate impact assessment.
- Reindex completes with progress reporting.
- Continuity verification confirms chain-of-custody.
- HTML report suitable for auditor review.

## Next Checkpoints
- TBD (set once staffed).
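Review bot: the cross-reference map is produced by the same tool that performs the migration and carries bare `"verified": true` / `"digestsPreserved": true` flags, so an auditor reading the HTML report is trusting the migrator's self-report; sign the map (DSSE envelope), have `verify-continuity` independently recompute each `newRoot` from the stored leaves and re-check the old inclusion proofs against `oldRoot`, and print the map's digest in the report so the two artifacts are bound together. The interface does not fit the data model: `VerifyContinuityAsync(string oldRoot, string newRoot, ...)` takes one pair of roots while the map and the CLI operate per bundle over a `--since` range, so it needs a bundle id, or the CLI needs a `--map` input that drives per-entry verification. Minor: the `migrate` example uses schema versions `1.0`/`2.0` while `upgrade-check` and the JSON use release versions `2027.Q1`/`2027.Q2`; state which identifier an operator passes to which command.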
@@ -0,0 +1,143 @@
# Sprint 20260112-018-SIGNER-dual-control-ceremonies - Dual-Control Signing Ceremonies

## Topic & Scope
- Implement M-of-N threshold signing ceremonies for high-assurance key operations.
- Current state evidence: Key rotation service exists but no dual-control or threshold signing.
- Evidence to produce: Ceremony protocol, approval workflow, and audit trail.
- **Working directory:** `src/Signer`.
- **Compliance item:** Item 4 - HSM / key escrow patterns.

## Dependencies & Concurrency
- Depends on `SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation` for HSM integration.
- Parallel safe with key escrow sprint.

## Documentation Prerequisites
- `docs/README.md`
- `docs/modules/signer/architecture.md`
- `docs/operations/key-rotation-runbook.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DUAL-001 | DONE | None | Signer Guild | Design M-of-N ceremony protocol specification. |
| 2 | DUAL-002 | DONE | DUAL-001 | Signer Guild | Create `ICeremonyOrchestrator` interface. |
| 3 | DUAL-003 | DONE | DUAL-002 | Signer Guild | Implement ceremony state machine (Pending, PartiallyApproved, Approved, Executed, Expired). |
| 4 | DUAL-004 | DONE | DUAL-003 | Signer Guild | Create `CeremonyApproval` record with approver identity, timestamp, and signature. |
| 5 | DUAL-005 | DONE | DUAL-004 | Signer Guild | Implement approval collection with threshold checking. |
| 6 | DUAL-006 | DONE | DUAL-005 | Signer Guild | Add ceremony timeout and expiration handling. |
| 7 | DUAL-007 | DONE | DUAL-006 | Signer Guild | Integrate with Authority for approver identity verification. |
| 8 | DUAL-008 | DONE | DUAL-007 | Signer Guild | Create ceremony audit event (`signer.ceremony.initiated`, `.approved`, `.executed`). |
| 9 | DUAL-009 | DONE | DUAL-008 | DB Guild | Create `signer.ceremonies` PostgreSQL table for state persistence. |
| 10 | DUAL-010 | TODO | DUAL-009 | API Guild | Add ceremony API endpoints (`POST /ceremonies`, `POST /ceremonies/{id}/approve`). |
| 11 | DUAL-011 | DONE | DUAL-010 | Testing Guild | Create unit tests for ceremony state machine. |
| 12 | DUAL-012 | TODO | DUAL-011 | Testing Guild | Create integration tests for multi-approver workflows. |
| 13 | DUAL-013 | TODO | DUAL-012 | Docs Guild | Create dual-control ceremony runbook. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created for compliance readiness gap: dual-control signing ceremonies. | Planning |
| 2026-01-15 | DUAL-001: Protocol specification embedded in sprint. DUAL-002: Created ICeremonyOrchestrator interface with CreateCeremonyAsync, ApproveCeremonyAsync, GetCeremonyAsync, ListCeremoniesAsync, ExecuteCeremonyAsync, CancelCeremonyAsync, ProcessExpiredCeremoniesAsync methods. Added CeremonyFilter for list queries. DUAL-003: Created CeremonyStateMachine with IsValidTransition, ComputeStateAfterApproval, CanAcceptApproval, CanExecute, CanCancel, IsTerminalState, GetStateDescription methods. DUAL-004: Created CeremonyApproval record with ApprovalId, CeremonyId, ApproverIdentity, ApprovedAt, ApprovalSignature, ApprovalReason, SigningKeyId, SignatureAlgorithm. DUAL-005/006: Implemented CeremonyOrchestrator with threshold checking, expiration handling via ProcessExpiredCeremoniesAsync. DUAL-007: Created ICeremonyApproverValidator interface and ApproverValidationResult for Authority integration. DUAL-008: Created CeremonyAuditEvents constants and event records (CeremonyInitiatedEvent, CeremonyApprovedEvent, CeremonyExecutedEvent, CeremonyExpiredEvent, CeremonyCancelledEvent, CeremonyApprovalRejectedEvent). DUAL-009: Created ICeremonyRepository interface. DUAL-011: Created CeremonyStateMachineTests with 50+ test cases for state transitions, approval computation, and state queries. | Agent |

## Technical Specification

### Ceremony Protocol
```
1. Initiator creates ceremony request with operation details
2. System notifies required approvers
3. Each approver authenticates and provides approval + signature
4. System collects approvals until M-of-N threshold reached
5. Operation executes with audit trail
6. Ceremony marked complete with all approvals recorded
```

### Ceremony State Machine
```
+----------------+
| Pending |
+-------+--------+
|
(approval received)
v
+----------------------+
| PartiallyApproved |
+----------+-----------+
|
(threshold reached OR timeout)
|
+---------+---------+
v v
+-----------+ +-----------+
| Approved | | Expired |
+-----+-----+ +-----------+
|
(execution)
v
+-----------+
| Executed |
+-----------+
```

### Database Schema
```sql
CREATE TABLE signer.ceremonies (
ceremony_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
operation_type TEXT NOT NULL, -- key_generation, key_rotation, key_revocation
operation_payload JSONB NOT NULL,
threshold_required INT NOT NULL,
threshold_reached INT NOT NULL DEFAULT 0,
state TEXT NOT NULL DEFAULT 'pending',
initiated_by TEXT NOT NULL,
initiated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ NOT NULL,
executed_at TIMESTAMPTZ,

CONSTRAINT valid_state CHECK (state IN ('pending', 'partially_approved', 'approved', 'executed', 'expired'))
);

CREATE TABLE signer.ceremony_approvals (
approval_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
ceremony_id UUID NOT NULL REFERENCES signer.ceremonies(ceremony_id),
approver_identity TEXT NOT NULL,
approved_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
approval_signature BYTEA NOT NULL,
approval_reason TEXT,

UNIQUE(ceremony_id, approver_identity)
);
```

### Configuration
```yaml
signer:
ceremonies:
enabled: true
defaultThreshold: 2
expirationMinutes: 60
operations:
key_generation:
threshold: 3
requiredRoles: ["crypto-custodian"]
key_rotation:
threshold: 2
requiredRoles: ["crypto-custodian", "security-admin"]
key_revocation:
threshold: 2
requiredRoles: ["crypto-custodian"]
notifications:
channels: ["email", "slack"]
```

## Decisions & Risks
- Threshold signing vs approval collection (approval is simpler, threshold signing is cryptographically stronger).
- Ceremony timeout to prevent indefinite pending operations.
- Approver identity must be verified via Authority.

## Acceptance Criteria
- 2-of-3 ceremony workflow demonstrated.
- Audit trail captures all approvals with signatures.
- Expired ceremonies handled gracefully.
- Runbook with step-by-step ceremony instructions.

## Next Checkpoints
- TBD (set once staffed).
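Review bot: the `valid_state` CHECK constraint lists only `'pending', 'partially_approved', 'approved', 'executed', 'expired'`, yet the execution log says the orchestrator exposes `CancelCeremonyAsync` and emits `CeremonyCancelledEvent`, so persisting a cancelled ceremony will violate the constraint; add the state to the CHECK and to the state diagram. Two dual-control properties are also missing from the schema: nothing stops `approver_identity` from equalling `initiated_by`, so an initiator can count toward their own threshold, and `approval_signature BYTEA` is stored without the signing key id, algorithm or a digest of `operation_payload`, so an approval can neither be re-verified later nor tied to the payload it approved (the `CeremonyApproval` record already carries `SigningKeyId`/`SignatureAlgorithm`; persist them and sign over the ceremony id plus the payload digest). `threshold_reached` duplicates `COUNT(*)` over `ceremony_approvals` and will drift unless the approval insert and the counter update share one transaction. Tracker nit: DUAL-011 is DONE while its listed dependency DUAL-010 is TODO.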