From 8da4e12a90fd82f6b2ec870bb73e0499b4ff6343 Mon Sep 17 00:00:00 2001 
From: master <> Date: Fri, 31 Oct 2025 18:50:15 +0200 Subject: [PATCH] Align AOC tasks for Excititor and Concelier --- .gitignore | 68 +- AGENTS.md | 412 +- README.md | 66 +- deploy/README.md | 102 +- deploy/telemetry/storage/README.md | 36 +- docs/10_CONCELIER_CLI_QUICKSTART.md | 708 ++-- docs/11_DATA_SCHEMAS.md | 1100 ++--- docs/12_PERFORMANCE_WORKBOOK.md | 338 +- docs/13_RELEASE_ENGINEERING_PLAYBOOK.md | 460 +-- docs/17_SECURITY_HARDENING_GUIDE.md | 404 +- docs/21_INSTALL_GUIDE.md | 380 +- docs/24_OFFLINE_KIT.md | 572 +-- docs/AGENTS.md | 40 +- docs/accessibility.md | 262 +- docs/airgap/airgap-mode.md | 142 +- docs/aoc/aoc-guardrails.md | 26 +- docs/api/sdk-openapi-program.md | 102 +- docs/cli-vs-ui-parity.md | 310 +- docs/concelier-connector-research-20251011.md | 86 +- docs/deploy/console.md | 456 +- docs/deploy/containers.md | 320 +- docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md | 440 +- docs/dev/30_VEXER_CONNECTOR_GUIDE.md | 440 +- .../31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md | 424 +- docs/dev/BUILDX_PLUGIN_QUICKSTART.md | 238 +- docs/dev/aoc-normalization-removal-notes.md | 40 +- docs/dev/authority-dpop-mtls-plan.md | 292 +- docs/dev/fixtures.md | 90 +- docs/dev/merge_semver_playbook.md | 308 +- docs/dev/raw-linkset-backfill-plan.md | 56 + docs/events/orchestrator-scanner-events.md | 230 +- docs/implplan/EXECPLAN.md | 3662 ++++++++--------- docs/implplan/SPRINTS.md | 2186 +++++----- docs/implplan/SPRINTS_PRIOR_20251019.md | 416 +- docs/implplan/SPRINTS_PRIOR_20251027.md | 168 +- docs/ingestion/aggregation-only-contract.md | 360 +- docs/moat.md | 860 ++-- docs/modules/advisory-ai/AGENTS.md | 44 +- docs/modules/advisory-ai/README.md | 58 +- docs/modules/advisory-ai/TASKS.md | 18 +- docs/modules/advisory-ai/architecture.md | 200 +- .../advisory-ai/implementation_plan.md | 38 +- docs/modules/attestor/AGENTS.md | 44 +- docs/modules/attestor/README.md | 108 +- docs/modules/attestor/TASKS.md | 18 +- docs/modules/attestor/architecture.md | 864 ++-- 
docs/modules/attestor/implementation_plan.md | 148 +- docs/modules/authority/AGENTS.md | 42 +- docs/modules/authority/README.md | 80 +- docs/modules/authority/TASKS.md | 18 +- docs/modules/authority/implementation_plan.md | 44 +- .../authority/operations/backup-restore.md | 190 +- .../operations/grafana-dashboard.json | 348 +- .../authority/operations/key-rotation.md | 188 +- .../authority/operations/monitoring.md | 166 +- docs/modules/ci/AGENTS.md | 42 +- docs/modules/ci/README.md | 58 +- docs/modules/ci/TASKS.md | 18 +- docs/modules/ci/architecture.md | 14 +- docs/modules/ci/implementation_plan.md | 42 +- docs/modules/ci/recipes.md | 706 ++-- docs/modules/cli/AGENTS.md | 42 +- docs/modules/cli/README.md | 80 +- docs/modules/cli/TASKS.md | 18 +- docs/modules/cli/guides/20_REFERENCE.md | 16 +- docs/modules/cli/guides/cli-reference.md | 626 +-- docs/modules/cli/guides/policy.md | 636 +-- docs/modules/cli/implementation_plan.md | 46 +- .../cli/operations/release-and-packaging.md | 268 +- docs/modules/concelier/AGENTS.md | 42 +- docs/modules/concelier/README.md | 72 +- docs/modules/concelier/TASKS.md | 18 +- docs/modules/concelier/architecture.md | 1185 +++--- docs/modules/concelier/implementation_plan.md | 134 +- .../operations/authority-audit-runbook.md | 318 +- .../operations/conflict-resolution.md | 320 +- .../concelier/operations/connectors/apple.md | 154 +- .../concelier/operations/connectors/cccs.md | 144 +- .../operations/connectors/cve-kev.md | 286 +- .../concelier/operations/connectors/kisa.md | 148 +- .../concelier/operations/connectors/nkcki.md | 96 +- .../concelier/operations/connectors/osv.md | 48 +- docs/modules/concelier/operations/mirror.md | 476 +-- docs/modules/devops/AGENTS.md | 42 +- docs/modules/devops/README.md | 82 +- docs/modules/devops/TASKS.md | 18 +- docs/modules/devops/architecture.md | 976 ++--- docs/modules/devops/implementation_plan.md | 44 +- .../devops/runbooks/deployment-upgrade.md | 302 +- 
.../modules/devops/runbooks/launch-cutover.md | 256 +- .../devops/runbooks/launch-readiness.md | 98 +- .../runbooks/nuget-preview-bootstrap.md | 128 +- docs/modules/excititor/AGENTS.md | 42 +- docs/modules/excititor/README.md | 66 +- docs/modules/excititor/TASKS.md | 18 +- docs/modules/excititor/architecture.md | 1498 +++---- docs/modules/excititor/implementation_plan.md | 42 +- docs/modules/excititor/mirrors.md | 328 +- docs/modules/export-center/AGENTS.md | 42 +- docs/modules/export-center/README.md | 68 +- docs/modules/export-center/TASKS.md | 18 +- docs/modules/export-center/api.md | 674 +-- docs/modules/export-center/architecture.md | 254 +- docs/modules/export-center/cli.md | 462 +-- .../export-center/implementation_plan.md | 132 +- docs/modules/export-center/mirror-bundles.md | 404 +- .../export-center/operations/runbook.md | 406 +- docs/modules/export-center/overview.md | 126 +- docs/modules/export-center/profiles.md | 278 +- .../export-center/provenance-and-signing.md | 300 +- docs/modules/graph/AGENTS.md | 42 +- docs/modules/graph/README.md | 62 +- docs/modules/graph/TASKS.md | 18 +- docs/modules/graph/architecture.md | 112 +- docs/modules/graph/implementation_plan.md | 128 +- docs/modules/notify/AGENTS.md | 42 +- docs/modules/notify/README.md | 70 +- docs/modules/notify/TASKS.md | 18 +- docs/modules/notify/architecture.md | 1030 ++--- docs/modules/notify/implementation_plan.md | 122 +- docs/modules/orchestrator/AGENTS.md | 42 +- docs/modules/orchestrator/README.md | 58 +- docs/modules/orchestrator/TASKS.md | 18 +- docs/modules/orchestrator/architecture.md | 104 +- .../orchestrator/implementation_plan.md | 124 +- docs/modules/platform/AGENTS.md | 42 +- docs/modules/platform/README.md | 58 +- docs/modules/platform/TASKS.md | 18 +- .../modules/platform/architecture-overview.md | 334 +- docs/modules/platform/architecture.md | 14 +- docs/modules/platform/implementation_plan.md | 44 +- docs/modules/policy/AGENTS.md | 42 +- docs/modules/policy/README.md | 62 +- 
docs/modules/policy/TASKS.md | 18 +- docs/modules/policy/architecture.md | 490 +-- docs/modules/policy/implementation_plan.md | 134 +- docs/modules/registry/AGENTS.md | 42 +- docs/modules/registry/README.md | 68 +- docs/modules/registry/TASKS.md | 18 +- docs/modules/registry/architecture.md | 14 +- docs/modules/registry/implementation_plan.md | 40 +- .../registry/operations/token-service.md | 132 +- docs/modules/scanner/AGENTS.md | 42 +- docs/modules/scanner/README.md | 76 +- docs/modules/scanner/TASKS.md | 18 +- docs/modules/scanner/implementation_plan.md | 128 +- .../analyzers-grafana-dashboard.json | 310 +- docs/modules/scanner/operations/analyzers.md | 96 +- .../operations/entrypoint-dynamic-analysis.md | 144 +- .../operations/entrypoint-lang-ccpp.md | 48 +- .../operations/entrypoint-lang-deno.md | 44 +- .../operations/entrypoint-lang-dotnet.md | 50 +- .../operations/entrypoint-lang-elixir.md | 44 +- .../scanner/operations/entrypoint-lang-go.md | 48 +- .../operations/entrypoint-lang-java.md | 58 +- .../operations/entrypoint-lang-nginx.md | 48 +- .../operations/entrypoint-lang-node.md | 48 +- .../operations/entrypoint-lang-phpfpm.md | 48 +- .../operations/entrypoint-lang-python.md | 50 +- .../operations/entrypoint-lang-ruby.md | 48 +- .../operations/entrypoint-lang-rust.md | 48 +- .../operations/entrypoint-lang-supervisor.md | 50 +- .../scanner/operations/entrypoint-problem.md | 188 +- .../operations/entrypoint-runtime-overview.md | 304 +- .../operations/entrypoint-shell-analysis.md | 166 +- .../operations/entrypoint-static-analysis.md | 244 +- docs/modules/scanner/operations/entrypoint.md | 52 +- .../scanner/operations/rustfs-migration.md | 176 +- docs/modules/scheduler/AGENTS.md | 42 +- docs/modules/scheduler/README.md | 74 +- docs/modules/scheduler/TASKS.md | 18 +- docs/modules/scheduler/implementation_plan.md | 42 +- .../operations/worker-grafana-dashboard.json | 522 +-- .../operations/worker-prometheus-rules.yaml | 84 +- 
docs/modules/scheduler/operations/worker.md | 164 +- docs/modules/signer/AGENTS.md | 44 +- docs/modules/signer/README.md | 60 +- docs/modules/signer/TASKS.md | 18 +- docs/modules/signer/architecture.md | 840 ++-- docs/modules/signer/implementation_plan.md | 122 +- docs/modules/telemetry/AGENTS.md | 42 +- docs/modules/telemetry/README.md | 68 +- docs/modules/telemetry/TASKS.md | 18 +- docs/modules/telemetry/architecture.md | 82 +- docs/modules/telemetry/implementation_plan.md | 128 +- .../modules/telemetry/operations/collector.md | 224 +- docs/modules/telemetry/operations/storage.md | 316 +- docs/modules/ui/AGENTS.md | 42 +- docs/modules/ui/README.md | 82 +- docs/modules/ui/TASKS.md | 18 +- docs/modules/ui/architecture.md | 732 ++-- docs/modules/ui/console-architecture.md | 422 +- docs/modules/ui/implementation_plan.md | 50 +- docs/modules/vex-lens/AGENTS.md | 44 +- docs/modules/vex-lens/README.md | 56 +- docs/modules/vex-lens/TASKS.md | 18 +- docs/modules/vex-lens/architecture.md | 138 +- docs/modules/vex-lens/implementation_plan.md | 126 +- docs/modules/vexer/AGENTS.md | 42 +- docs/modules/vexer/README.md | 68 +- docs/modules/vexer/TASKS.md | 18 +- docs/modules/vexer/implementation_plan.md | 130 +- docs/modules/vexer/scoring.md | 166 +- docs/modules/vuln-explorer/AGENTS.md | 44 +- docs/modules/vuln-explorer/README.md | 58 +- docs/modules/vuln-explorer/TASKS.md | 18 +- docs/modules/vuln-explorer/architecture.md | 132 +- .../vuln-explorer/implementation_plan.md | 140 +- docs/modules/zastava/AGENTS.md | 42 +- docs/modules/zastava/README.md | 66 +- docs/modules/zastava/TASKS.md | 18 +- docs/modules/zastava/implementation_plan.md | 38 +- docs/notifications/digests.md | 184 +- docs/notifications/overview.md | 150 +- docs/notifications/templates.md | 260 +- docs/observability/observability.md | 274 +- docs/risk/risk-profiles.md | 114 +- docs/security/authority-scopes.md | 520 +-- docs/updates/2025-10-22-docs-guild.md | 26 +- .../2025-10-29-export-center-provenance.md | 
18 +- ops/deployment/AGENTS.md | 8 +- ops/devops/AGENTS.md | 22 +- ops/devops/README.md | 184 +- .../telemetry/package_offline_bundle.py | 272 +- ops/licensing/AGENTS.md | 8 +- ops/offline-kit/AGENTS.md | 8 +- ops/offline-kit/run-python-analyzer-smoke.sh | 72 +- seed-data/cert-bund/README.md | 104 +- .../authority/openapi.yaml | 1378 +++---- src/Cli/StellaOps.Cli/AGENTS.md | 64 +- .../FEEDCONN-CERTCC-02-009_PLAN.md | 118 +- .../Linksets/AdvisoryObservationFactory.cs | 98 +- .../Observations/AdvisoryObservation.cs | 111 +- .../StellaOps.Concelier.Models.csproj | 25 +- .../MIGRATIONS.md | 1 + ...AdvisoryObservationsRawLinksetMigration.cs | 442 ++ .../AdvisoryObservationDocument.cs | 92 +- .../AdvisoryObservationDocumentFactory.cs | 120 +- .../ServiceCollectionExtensions.cs | 1 + .../TASKS.md | 1 + .../AdvisoryObservationFactoryTests.cs | 50 +- .../AdvisoryObservationQueryServiceTests.cs | 42 +- .../Raw/AdvisoryRawServiceTests.cs | 5 +- .../Fixtures/ghsa-semver.actual.json | 127 - .../Fixtures/ghsa-semver.json | 249 +- .../Fixtures/kev-flag.actual.json | 45 - .../Fixtures/kev-flag.json | 85 +- .../Fixtures/nvd-basic.actual.json | 122 - .../Fixtures/nvd-basic.json | 239 +- .../Fixtures/psirt-overlay.actual.json | 125 - .../Fixtures/psirt-overlay.json | 245 +- .../Observations/AdvisoryObservationTests.cs | 44 +- ...oryObservationsRawLinksetMigrationTests.cs | 337 ++ ...AdvisoryObservationDocumentFactoryTests.cs | 70 +- src/Directory.Build.props | 106 +- .../StellaOps.Excititor.WebService/TASKS.md | 188 +- .../StellaOps.Excititor.Attestation/TASKS.md | 2 +- .../Verification/VexAttestationVerifier.cs | 180 +- .../RancherHubConnector.cs | 730 ++-- .../CsafExporter.cs | 1024 ++--- .../CsafNormalizer.cs | 1798 ++++---- .../CycloneDxComponentReconciler.cs | 484 +-- .../CycloneDxExporter.cs | 456 +- .../OpenVexExporter.cs | 434 +- .../OpenVexStatementMerger.cs | 564 +-- .../VexPolicyDiagnostics.cs | 174 +- ...ellaOps.Excititor.Attestation.Tests.csproj | 38 +- 
.../VexAttestationVerifierTests.cs | 334 +- ...cititor.Connectors.Cisco.CSAF.Tests.csproj | 44 +- .../Connectors/RancherHubConnectorTests.cs | 858 ++-- ...Connectors.SUSE.RancherVEXHub.Tests.csproj | 46 +- .../VexPolicyDiagnosticsTests.cs | 338 +- .../CsafExporterTests.cs | 146 +- .../CycloneDxComponentReconcilerTests.cs | 74 +- .../CycloneDxExporterTests.cs | 94 +- .../OpenVexExporterTests.cs | 98 +- .../OpenVexStatementMergerTests.cs | 78 +- .../StellaOps.Notify.WebService/AGENTS.md | 8 +- src/Notify/StellaOps.Notify.Worker/AGENTS.md | 8 +- .../AGENTS.md | 8 +- .../AGENTS.md | 8 +- .../AGENTS.md | 8 +- .../AGENTS.md | 8 +- .../StellaOps.Notify.Engine/AGENTS.md | 8 +- .../StellaOps.Notify.Models/AGENTS.md | 8 +- .../StellaOps.Notify.Queue/AGENTS.md | 8 +- .../StellaOps.Notify.Storage.Mongo/AGENTS.md | 8 +- .../StellaOps.Notify.Models.Tests.csproj | 48 +- ...tellaOps.Notify.Storage.Mongo.Tests.csproj | 58 +- .../StellaOps.Notify.WebService.Tests.csproj | 38 +- src/Policy/StellaOps.Policy.Engine/TASKS.md | 1 + .../__Libraries/StellaOps.Policy/AGENTS.md | 24 +- .../AGENTS.md | 24 +- .../Internal/RustAnalyzerCollector.cs | 1454 +++---- .../Internal/RustBinaryClassifier.cs | 486 +-- .../Internal/RustCargoLockParser.cs | 624 +-- .../Internal/RustFileCacheKey.cs | 148 +- .../Internal/RustFileHashCache.cs | 90 +- .../Internal/RustFingerprintScanner.cs | 372 +- .../Internal/RustLicenseScanner.cs | 596 +-- .../StellaOps.Scanner.Queue/AGENTS.md | 30 +- .../Fixtures/lang/rust/simple/Cargo.toml | 8 +- .../Fixtures/lang/rust/simple/LICENSE | 32 +- .../simple/vendor/serde-1.0.188/Cargo.toml | 8 +- .../Rust/RustLanguageAnalyzerTests.cs | 118 +- .../scanner.event.report.ready@1.sample.json | 174 +- ...scanner.event.scan.completed@1.sample.json | 186 +- .../StellaOps.Scheduler.WebService/AGENTS.md | 8 +- .../StellaOps.Scheduler.ImpactIndex/AGENTS.md | 8 +- .../StellaOps.Scheduler.Models/AGENTS.md | 8 +- .../StellaOps.Scheduler.Queue/AGENTS.md | 8 +- .../AGENTS.md | 8 +- 
.../StellaOps.Scheduler.Worker/AGENTS.md | 8 +- .../docs/SCHED-WORKER-16-205-OBSERVABILITY.md | 86 +- .../FixtureUpdater/FixtureUpdater.csproj | 40 +- src/Tools/FixtureUpdater/Program.cs | 756 ++-- .../LanguageAnalyzerSmoke.csproj | 36 +- src/Tools/LanguageAnalyzerSmoke/Program.cs | 696 ++-- .../NotifySmokeCheck/NotifySmokeCheck.csproj | 24 +- src/Tools/NotifySmokeCheck/Program.cs | 396 +- .../PolicyDslValidator.csproj | 28 +- src/Tools/PolicyDslValidator/Program.cs | 112 +- .../PolicySchemaExporter.csproj | 42 +- src/Tools/PolicySchemaExporter/Program.cs | 96 +- .../PolicySimulationSmoke.csproj | 28 +- src/Tools/PolicySimulationSmoke/Program.cs | 582 +-- src/Tools/RustFsMigrator/Program.cs | 572 +-- .../RustFsMigrator/RustFsMigrator.csproj | 22 +- src/Tools/SourceStateSeeder/Program.cs | 692 ++-- .../SourceStateSeeder.csproj | 24 +- src/Tools/certbund_offline_snapshot.py | 888 ++-- .../IMPLEMENTATION_PLAN.md | 210 +- .../FileKmsClient.cs | 1170 +++--- .../FileKmsOptions.cs | 54 +- 334 files changed, 35528 insertions(+), 34546 deletions(-) create mode 100644 docs/dev/raw-linkset-backfill-plan.md create mode 100644 src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureAdvisoryObservationsRawLinksetMigration.cs delete mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.actual.json delete mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.actual.json delete mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.actual.json delete mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.actual.json create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/EnsureAdvisoryObservationsRawLinksetMigrationTests.cs diff --git a/.gitignore b/.gitignore index f23e5517..77154cfa 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,34 +1,34 @@ -# Build outputs -bin/ -obj/ -*.pdb -*.dll - -# IDE state -.vs/ -*.user -*.suo -*.userprefs - -# Rider/VSCode -.idea/ -.vscode/ - -# Packages and logs -*.log -TestResults/ - -.dotnet -.DS_Store -seed-data/ics-cisa/*.csv -seed-data/ics-cisa/*.xlsx -seed-data/ics-cisa/*.sha256 -seed-data/cert-bund/**/*.json -seed-data/cert-bund/**/*.sha256 - -out/offline-kit/web/**/* -**/node_modules/**/* -**/.angular/**/* -**/.cache/**/* -**/dist/**/* -tmp/**/* +# Build outputs +bin/ +obj/ +*.pdb +*.dll + +# IDE state +.vs/ +*.user +*.suo +*.userprefs + +# Rider/VSCode +.idea/ +.vscode/ + +# Packages and logs +*.log +TestResults/ + +.dotnet +.DS_Store +seed-data/ics-cisa/*.csv +seed-data/ics-cisa/*.xlsx +seed-data/ics-cisa/*.sha256 +seed-data/cert-bund/**/*.json +seed-data/cert-bund/**/*.sha256 + +out/offline-kit/web/**/* +**/node_modules/**/* +**/.angular/**/* +**/.cache/**/* +**/dist/**/* +tmp/**/* diff --git a/AGENTS.md b/AGENTS.md index 01c94915..0aa368d6 100644 --- a/AGENTS.md +++ b/AGENTS.md 
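Review bot: this .gitignore hunk removes all 34 lines and re-adds them with identical content (`-# Build outputs` / `+# Build outputs` through `-tmp/**/*` / `+tmp/**/*`), so it carries no rule change and reads as line-ending or BOM normalisation rather than anything related to the "Align AOC tasks" subject. Please confirm with `git diff --ignore-cr-at-eol` (or `git diff -w`) that the hunk collapses to nothing; if it does, pin the intended ending in a `.gitattributes` entry such as `* text=auto eol=lf` so it cannot regress, and land the normalisation as its own commit. The diffstat shows 334 files and roughly 35k insertions against 34k deletions, which buries the substantive changes in this patch (the new `EnsureAdvisoryObservationsRawLinksetMigration.cs`, `AdvisoryObservation.cs`, `VexAttestationVerifier.cs` and their tests) under whitespace churn that reviewers cannot meaningfully inspect.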
@@ -1,206 +1,206 @@ -# 1) What is StellaOps? - -**StellaOps** an next-gen and sovereign container-security toolkit built for high-speed, offline operation, released under AGPL-3.0-or-later. - -Stella Ops is a self-hostable, sovereign container-security platform that makes proof—not promises—default. It binds every container digest to content-addressed SBOMs (SBOM 3.0.0 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency, then layers deterministic, replayable scanning with entry-trace and VEX-first decisioning. “Next-gen” means findings are reproducible and explainable, exploitability is modeled in OpenVEX and merged with lattice logic for stable outcomes, and the same workflow runs online or fully air-gapped. “Sovereign” means cryptographic and operational independence: bring-your-own trust roots, regional crypto readiness (eIDAS/FIPS/GOST/SM), offline bundles, and post-quantum-ready modes—so regulated orgs can comply without phoning home. - -Our principles and goals are simple: authenticity & integrity by default, provenance attached to digests, transparency for tamper-evidence, determinism & replay for audits, explainability engineers can act on, and exploitability over enumeration to cut noise. We minimize trust and blast radius with short-lived keys, least-privilege, and content-addressed caches; we stay air-gap friendly with mirrored feeds; and we keep governance honest with reviewable OPA/Rego policy gates and VEX-based waivers. The result is a platform that shortens time-to-truth, makes risk measurable, and lets you ship with confidence—anywhere, under any sovereignty requirement. -More documention is available ./docs/*.md files. Read `docs/README.md` to gather information about the available documentation. You could inquiry specific documents as your work requires it - ---- - -# 3) Practices - -## 3.1) Naming -All modules are .NET projects based on .NET 10 (preview). Exclussion is the UI. 
It is based on Angular -All modules are contained by one or more projects. Each project goes in its dedicated folder. Each project starts with StellaOps.. In case it is common for for all StellaOps modules it is library or plugin and it is named StellaOps.. - -## 3.2) Key technologies & integrations - -- **Runtime**: .NET 10 (`net10.0`) preview SDK; C# latest preview features. Any dependencies like Microsoft.* should strive to be closests version. -- **Nuget**: Try to re-use / cache nugets to /local-nugets -- **Data**: MongoDB (canonical store and job/export state). MongoDB driver version should be > 3.0 -- **Observability**: structured logs, counters, and (optional) OpenTelemetry traces. -- **Ops posture**: offline‑first, allowlist for remote hosts, strict schema validation, gated LLM fallback (only where explicitly configured). - -# 4) Modules -StellaOps ships as containerised building blocks; each module owns a clear boundary and has its own code folder, deployable image, and deep-dive architecture dossier. - -| Module | Primary path(s) | Key doc | -|--------|-----------------|---------| -| Authority | `src/Authority/StellaOps.Authority`
`src/Authority/StellaOps.Authority.Plugin.*` | `docs/modules/authority/architecture.md` | -| Signer | `src/Signer/StellaOps.Signer` | `docs/modules/signer/architecture.md` | -| Attestor | `src/Attestor/StellaOps.Attestor`
`src/Attestor/StellaOps.Attestor.Verify` | `docs/modules/attestor/architecture.md` | -| Concelier | `src/Concelier/StellaOps.Concelier.WebService`
`src/Concelier/__Libraries/StellaOps.Concelier.*` | `docs/modules/concelier/architecture.md` | -| Excititor | `src/Excititor/StellaOps.Excititor.WebService`
`src/Excititor/__Libraries/StellaOps.Excititor.*` | `docs/modules/excititor/architecture.md` | -| Policy Engine | `src/Policy/StellaOps.Policy.Engine`
`src/Policy/__Libraries/StellaOps.Policy.*` | `docs/modules/policy/architecture.md` | -| Scanner | `src/Scanner/StellaOps.Scanner.WebService`
`src/Scanner/StellaOps.Scanner.Worker`
`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` | -| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`
`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` | -| CLI | `src/Cli/StellaOps.Cli`
`src/Cli/StellaOps.Cli.Core`
`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` | -| UI / Console | `src/UI/StellaOps.UI` | `docs/modules/ui/architecture.md` | -| Notify | `src/Notify/StellaOps.Notify.WebService`
`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` | -| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`
`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` | -| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`
`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` | -| Advisory AI | `src/AdvisoryAI/StellaOps.AdvisoryAI` | `docs/modules/advisory-ai/architecture.md` | -| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | `docs/modules/orchestrator/architecture.md` | -| Vulnerability Explorer | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `docs/modules/vuln-explorer/architecture.md` | -| VEX Lens | `src/VexLens/StellaOps.VexLens` | `docs/modules/vex-lens/architecture.md` | -| Graph Explorer | `src/Graph/StellaOps.Graph.Api`
`src/Graph/StellaOps.Graph.Indexer` | `docs/modules/graph/architecture.md` | -| Telemetry Stack | `ops/devops/telemetry` | `docs/modules/telemetry/architecture.md` | -| DevOps / Release | `ops/devops` | `docs/modules/devops/architecture.md` | -| Platform | *(cross-cutting docs)* | `docs/modules/platform/architecture-overview.md` | -| CI Recipes | *(pipeline templates)* | `docs/modules/ci/architecture.md` | -| Zastava | `src/Zastava/StellaOps.Zastava.Observer`
`src/Zastava/StellaOps.Zastava.Webhook`
`src/Zastava/StellaOps.Zastava.Core` | `docs/modules/zastava/architecture.md` | - -## 4.1 Module cheat sheet - -### Authority -- **Path:** `src/Authority/StellaOps.Authority`, plugins in `src/Authority/StellaOps.Authority.Plugin.*`. -- **Docs:** `docs/modules/authority/architecture.md`. -- **Responsibilities:** Issues short-lived, sender-constrained OpToks (DPoP/mTLS) for services, CLI, and UI; exposes OIDC discovery, device-code, and auth-code flows. -- **Key traits:** Ed25519/ES256 signing with JWKS rotation, tenant-aware scopes, stateless JWT validation, optional introspection, and structured audit trails. - -### Signer -- **Path:** `src/Signer/StellaOps.Signer`. -- **Docs:** `docs/modules/signer/architecture.md`. -- **Responsibilities:** Authenticates callers, enforces Proof-of-Entitlement, verifies scanner release signatures, and returns DSSE bundles for SBOMs and reports. -- **Key traits:** Supports keyless (Fulcio) and keyful (KMS/HSM) signing, applies plan quotas, stores audit trails, and delegates Rekor logging to the Attestor. - -### Attestor -- **Path:** `src/Attestor/StellaOps.Attestor`, proof helpers in `src/Attestor/StellaOps.Attestor.Verify`. -- **Docs:** `docs/modules/attestor/architecture.md`. -- **Responsibilities:** Submits DSSE bundles to Rekor v2, caches `{uuid, index, proof}`, and serves verification bundles to Scanner, UI, CLI, and Export Center. -- **Key traits:** mTLS + OpTok enforcement for Signer-only submissions, Mongo/Redis idempotency, optional DSSE archive mirroring, and resilient retry/backoff. - -### Concelier -- **Path:** `src/Concelier/StellaOps.Concelier.WebService` with connectors/exporters under `src/Concelier/__Libraries/StellaOps.Concelier.*`. -- **Docs:** `docs/modules/concelier/architecture.md`. -- **Responsibilities:** Applies the Aggregation-Only Contract to ingest advisories, produce immutable observations, correlate linksets, and publish deterministic exports. 
-- **Key traits:** Restart-time connectors/exporters, Mongo-backed scheduling, canonical JSON/Trivy outputs, Offline Kit parity, and hash-stable manifests. - -### Excititor -- **Path:** `src/Excititor/StellaOps.Excititor.WebService`, connectors/adapters in `src/Excititor/__Libraries/StellaOps.Excititor.*`. -- **Docs:** `docs/modules/excititor/architecture.md`. -- **Responsibilities:** Normalises VEX statements into observations, builds provenance-rich linksets, and surfaces consensus/conflicts for policy suppression. -- **Key traits:** Aggregation-only guardrails, restart-time plug-ins, Mongo persistence, deterministic exports, and Offline Kit-ready bundles. - -### Policy Engine -- **Path:** `src/Policy/StellaOps.Policy.Engine`, shared libraries under `src/Policy/__Libraries/StellaOps.Policy.*`. -- **Docs:** `docs/modules/policy/architecture.md`. -- **Responsibilities:** Evaluates `stella-dsl@1` policies, joins SBOM/advisory/VEX evidence, materialises effective findings, and emits explain traces. -- **Key traits:** Deterministic evaluation (no wall clock), change-stream driven increments, simulation endpoints, and Authority-scoped tenancy/RBAC enforcement. - -### Scanner.WebService -- **Path:** `src/Scanner/StellaOps.Scanner.WebService`. -- **Docs:** `docs/modules/scanner/architecture.md`. -- **Responsibilities:** Hosts scan/diff/export APIs, enqueues work, serves SBOM and diff artifacts, and publishes DSSE-ready report metadata. -- **Key traits:** Minimal APIs with Redis/NATS queue clients, RustFS artifact integration, BOM-index lookups, and DSSE hand-off to Signer/Attestor. - -### Scanner.Worker -- **Path:** `src/Scanner/StellaOps.Scanner.Worker` with analyzers/caches in `src/Scanner/__Libraries/StellaOps.Scanner.*`. -- **Docs:** `docs/modules/scanner/architecture.md`. -- **Responsibilities:** Runs deterministic OS/language/native analyzers per layer, composes inventory and usage SBOM fragments, and streams them back to the catalog. 
-- **Key traits:** Layer/file CAS caching, restart-time analyzer plug-ins under `plugins/scanner/**`, bounded retries with lease renewals, and DSSE-ready outputs. - -### Scheduler -- **Path:** `src/Scheduler/StellaOps.Scheduler.WebService`, `src/Scheduler/StellaOps.Scheduler.Worker`. -- **Docs:** `docs/modules/scheduler/architecture.md`. -- **Responsibilities:** Detects advisory/VEX deltas, selects impacted assets via BOM index, and schedules analysis-only runs toward Scanner and Policy Engine. -- **Key traits:** Mongo impact cursors, Redis/NATS orchestration, webhook fan-out (Policy/Notify/Runtime), and deterministic evaluation windows. - -### CLI -- **Path:** `src/Cli/StellaOps.Cli`, helpers in `src/Cli/StellaOps.Cli.Core`, plug-ins in `src/Cli/StellaOps.Cli.Plugins.*`. -- **Docs:** `docs/modules/cli/architecture.md`. -- **Responsibilities:** Provides deterministic verbs for scan/diff/export/report, Buildx SBOM orchestration, policy/VEX administration, and offline kit workflows. -- **Key traits:** Native AOT binaries, device-code/client-credential login with DPoP storage, golden-output tests, and restart-time plug-in manifests in `plugins/cli/**`. - -### UI -- **Path:** `src/UI/StellaOps.UI`. -- **Docs:** `docs/modules/ui/architecture.md`. -- **Responsibilities:** Angular SPA for scans, policy authoring, VEX evidence exploration, runtime posture, and admin tooling via backend APIs. -- **Key traits:** Angular Signals with `@ngrx/signals`, typed API clients handling DPoP + SSE, Tailwind theming, and immutable content-hashed bundles. - -### Notify -- **Path:** `src/Notify/StellaOps.Notify.WebService`, `src/Notify/StellaOps.Notify.Worker`, connectors in `src/Notify/__Libraries`. -- **Docs:** `docs/modules/notify/architecture.md`. -- **Responsibilities:** Evaluates notification rules on platform events, renders channel-specific payloads, and delivers messages with throttling/digests. 
-- **Key traits:** Tenant-scoped rule engine, idempotent delivery queues, secrets referenced rather than stored, and comprehensive audit/metrics coverage. - -### Export Center -- **Path:** `src/ExportCenter/StellaOps.ExportCenter.WebService`, `src/ExportCenter/StellaOps.ExportCenter.Worker`, adapters in `src/ExportCenter/StellaOps.ExportCenter.*`. -- **Docs:** `docs/modules/export-center/architecture.md`. -- **Responsibilities:** Packages reproducible evidence bundles (JSON, Trivy, mirror) with provenance, signing, and distribution manifests for offline or mirror deployments. -- **Key traits:** Profile-driven exports, Orchestrator-backed job leases, Mongo/object storage staging, and cosign-compatible provenance/signature emission. - -### Registry Token Service -- **Path:** `src/Registry/StellaOps.Registry.TokenService`, with integration tests in `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`. -- **Docs:** `docs/modules/registry/operations/token-service.md`. -- **Responsibilities:** Issues scoped pull tokens for container/image registries, enforces licence/plan constraints, and publishes audit telemetry for token usage. -- **Key traits:** Authority-issued OpTok validation, Mongo-backed issuance ledger, deterministic checksum manifests for Offline Kit bundles, and emergency revoke/rotation tooling. - -### Zastava -- **Path:** `src/Zastava/StellaOps.Zastava.Observer`, `src/Zastava/StellaOps.Zastava.Webhook`, shared contracts in `src/Zastava/StellaOps.Zastava.Core`. -- **Docs:** `docs/modules/zastava/architecture.md`. -- **Responsibilities:** Observes running workloads, emits runtime posture events, and enforces admission-time policy (signed images, SBOM availability, policy verdict). -- **Key traits:** Authority-issued OpToks with DPoP/mTLS, ND-JSON batching with local buffering, delta-scan triggers on drift, and Kubernetes webhook enforcement. 
- ---- - -### 4.1.4) Glossary (quick) - -- **OVAL** — Vendor/distro security definition format; authoritative for OS packages. -- **NEVRA / EVR** — RPM and Debian version semantics for OS packages. -- **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems. -- **KEV** — Known Exploited Vulnerabilities (flag only). - ---- -# 5) Your role as StellaOps contributor - -You acting as information technology engineer that will take different type of roles in goal achieving StellaOps production implementation -In order you to work - you have to be supplied with directory that contains `AGENTS.md`,`TASKS.md` files. There will you have more information about the role you have, the scope of your work and the tasks you will have. - -Boundaries: -- You operate only in the working directories I gave you, unless there is dependencies that makes you to work on dependency in shared directory. Then you ask for confirmation. - -You main characteristics: -- Keep endpoints small, deterministic, and cancellation-aware. -- Improve logs/metrics as per tasks. -- Update `TASKS.md` when moving tasks forward. -- When you are done with all task you state explicitly you are done. -- Impersonate the role described on working directory `AGENTS.md` you will read, if role is not available - take role of the CTO of the StellaOps in early stages. -- You always strive for best practices -- You always strive for re-usability -- When in doubt of design decision - you ask then act -- You are autonomus - meaning that you will work for long time alone and achieve maximum without stopping for stupid questions -- You operate on the same directory where other agents will work. In case you need to work on directory that is dependency on provided `AGENTS.md`,`TASKS.md` files you have to ask for confirmation first. 
- -## 5.1) Type of contributions - -- **BE‑Base (Platform & Pipeline)** - Owns DI, plugin host, job scheduler/coordinator, configuration binding, minimal API endpoints, and Mongo bootstrapping. -- **BE‑Conn‑X (Connectors)** - One agent per source family (NVD, Red Hat, Ubuntu, Debian, SUSE, GHSA, OSV, PSIRTs, CERTs, KEV, ICS). Implements fetch/parse/map with incremental watermarks. -- **BE‑Merge (Canonical Merge & Dedupe)** - Identity graph, precedence policies, canonical JSON serializer, and deterministic hashing (`merge_event`). -- **BE‑Export (JSON & Trivy DB)** - Deterministic export trees, Trivy DB packaging, optional ORAS push, and offline bundle. -- **QA (Validation & Observability)** - Schema tests, fixture goldens, determinism checks, metrics/logs/traces, e2e reproducibility runs. -- **DevEx/Docs** - Maintains this agent framework, templates, and per‑directory guides; assists parallelization and reviews. - - -## 5.2) Work rules (important) - -- **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. -- **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. -- **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. -- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. -- **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. 
In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. -- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. -- **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. -- **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. -- **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. -- **Additional references**: When a task mentions historical epics, consult the corresponding module guides or domain playbooks under `docs/modules/**`, `docs/api/`, `docs/risk/`, or `docs/airgap/` for the latest specification. - ---- +# 1) What is StellaOps? + +**StellaOps** an next-gen and sovereign container-security toolkit built for high-speed, offline operation, released under AGPL-3.0-or-later. + +Stella Ops is a self-hostable, sovereign container-security platform that makes proof—not promises—default. It binds every container digest to content-addressed SBOMs (SBOM 3.0.0 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency, then layers deterministic, replayable scanning with entry-trace and VEX-first decisioning. “Next-gen” means findings are reproducible and explainable, exploitability is modeled in OpenVEX and merged with lattice logic for stable outcomes, and the same workflow runs online or fully air-gapped. “Sovereign” means cryptographic and operational independence: bring-your-own trust roots, regional crypto readiness (eIDAS/FIPS/GOST/SM), offline bundles, and post-quantum-ready modes—so regulated orgs can comply without phoning home. 
+ +Our principles and goals are simple: authenticity & integrity by default, provenance attached to digests, transparency for tamper-evidence, determinism & replay for audits, explainability engineers can act on, and exploitability over enumeration to cut noise. We minimize trust and blast radius with short-lived keys, least-privilege, and content-addressed caches; we stay air-gap friendly with mirrored feeds; and we keep governance honest with reviewable OPA/Rego policy gates and VEX-based waivers. The result is a platform that shortens time-to-truth, makes risk measurable, and lets you ship with confidence—anywhere, under any sovereignty requirement. +More documention is available ./docs/*.md files. Read `docs/README.md` to gather information about the available documentation. You could inquiry specific documents as your work requires it + +--- + +# 3) Practices + +## 3.1) Naming +All modules are .NET projects based on .NET 10 (preview). Exclussion is the UI. It is based on Angular +All modules are contained by one or more projects. Each project goes in its dedicated folder. Each project starts with StellaOps.. In case it is common for for all StellaOps modules it is library or plugin and it is named StellaOps.. + +## 3.2) Key technologies & integrations + +- **Runtime**: .NET 10 (`net10.0`) preview SDK; C# latest preview features. Any dependencies like Microsoft.* should strive to be closests version. +- **Nuget**: Try to re-use / cache nugets to /local-nugets +- **Data**: MongoDB (canonical store and job/export state). MongoDB driver version should be > 3.0 +- **Observability**: structured logs, counters, and (optional) OpenTelemetry traces. +- **Ops posture**: offline‑first, allowlist for remote hosts, strict schema validation, gated LLM fallback (only where explicitly configured). 
+ +# 4) Modules +StellaOps ships as containerised building blocks; each module owns a clear boundary and has its own code folder, deployable image, and deep-dive architecture dossier. + +| Module | Primary path(s) | Key doc | +|--------|-----------------|---------| +| Authority | `src/Authority/StellaOps.Authority`
`src/Authority/StellaOps.Authority.Plugin.*` | `docs/modules/authority/architecture.md` | +| Signer | `src/Signer/StellaOps.Signer` | `docs/modules/signer/architecture.md` | +| Attestor | `src/Attestor/StellaOps.Attestor`
`src/Attestor/StellaOps.Attestor.Verify` | `docs/modules/attestor/architecture.md` | +| Concelier | `src/Concelier/StellaOps.Concelier.WebService`
`src/Concelier/__Libraries/StellaOps.Concelier.*` | `docs/modules/concelier/architecture.md` | +| Excititor | `src/Excititor/StellaOps.Excititor.WebService`
`src/Excititor/__Libraries/StellaOps.Excititor.*` | `docs/modules/excititor/architecture.md` | +| Policy Engine | `src/Policy/StellaOps.Policy.Engine`
`src/Policy/__Libraries/StellaOps.Policy.*` | `docs/modules/policy/architecture.md` | +| Scanner | `src/Scanner/StellaOps.Scanner.WebService`
`src/Scanner/StellaOps.Scanner.Worker`
`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` | +| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`
`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` | +| CLI | `src/Cli/StellaOps.Cli`
`src/Cli/StellaOps.Cli.Core`
`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` | +| UI / Console | `src/UI/StellaOps.UI` | `docs/modules/ui/architecture.md` | +| Notify | `src/Notify/StellaOps.Notify.WebService`
`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` | +| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`
`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` | +| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`
`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` | +| Advisory AI | `src/AdvisoryAI/StellaOps.AdvisoryAI` | `docs/modules/advisory-ai/architecture.md` | +| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | `docs/modules/orchestrator/architecture.md` | +| Vulnerability Explorer | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `docs/modules/vuln-explorer/architecture.md` | +| VEX Lens | `src/VexLens/StellaOps.VexLens` | `docs/modules/vex-lens/architecture.md` | +| Graph Explorer | `src/Graph/StellaOps.Graph.Api`
`src/Graph/StellaOps.Graph.Indexer` | `docs/modules/graph/architecture.md` | +| Telemetry Stack | `ops/devops/telemetry` | `docs/modules/telemetry/architecture.md` | +| DevOps / Release | `ops/devops` | `docs/modules/devops/architecture.md` | +| Platform | *(cross-cutting docs)* | `docs/modules/platform/architecture-overview.md` | +| CI Recipes | *(pipeline templates)* | `docs/modules/ci/architecture.md` | +| Zastava | `src/Zastava/StellaOps.Zastava.Observer`
`src/Zastava/StellaOps.Zastava.Webhook`
`src/Zastava/StellaOps.Zastava.Core` | `docs/modules/zastava/architecture.md` | + +## 4.1 Module cheat sheet + +### Authority +- **Path:** `src/Authority/StellaOps.Authority`, plugins in `src/Authority/StellaOps.Authority.Plugin.*`. +- **Docs:** `docs/modules/authority/architecture.md`. +- **Responsibilities:** Issues short-lived, sender-constrained OpToks (DPoP/mTLS) for services, CLI, and UI; exposes OIDC discovery, device-code, and auth-code flows. +- **Key traits:** Ed25519/ES256 signing with JWKS rotation, tenant-aware scopes, stateless JWT validation, optional introspection, and structured audit trails. + +### Signer +- **Path:** `src/Signer/StellaOps.Signer`. +- **Docs:** `docs/modules/signer/architecture.md`. +- **Responsibilities:** Authenticates callers, enforces Proof-of-Entitlement, verifies scanner release signatures, and returns DSSE bundles for SBOMs and reports. +- **Key traits:** Supports keyless (Fulcio) and keyful (KMS/HSM) signing, applies plan quotas, stores audit trails, and delegates Rekor logging to the Attestor. + +### Attestor +- **Path:** `src/Attestor/StellaOps.Attestor`, proof helpers in `src/Attestor/StellaOps.Attestor.Verify`. +- **Docs:** `docs/modules/attestor/architecture.md`. +- **Responsibilities:** Submits DSSE bundles to Rekor v2, caches `{uuid, index, proof}`, and serves verification bundles to Scanner, UI, CLI, and Export Center. +- **Key traits:** mTLS + OpTok enforcement for Signer-only submissions, Mongo/Redis idempotency, optional DSSE archive mirroring, and resilient retry/backoff. + +### Concelier +- **Path:** `src/Concelier/StellaOps.Concelier.WebService` with connectors/exporters under `src/Concelier/__Libraries/StellaOps.Concelier.*`. +- **Docs:** `docs/modules/concelier/architecture.md`. +- **Responsibilities:** Applies the Aggregation-Only Contract to ingest advisories, produce immutable observations, correlate linksets, and publish deterministic exports. 
+- **Key traits:** Restart-time connectors/exporters, Mongo-backed scheduling, canonical JSON/Trivy outputs, Offline Kit parity, and hash-stable manifests. + +### Excititor +- **Path:** `src/Excititor/StellaOps.Excititor.WebService`, connectors/adapters in `src/Excititor/__Libraries/StellaOps.Excititor.*`. +- **Docs:** `docs/modules/excititor/architecture.md`. +- **Responsibilities:** Normalises VEX statements into observations, builds provenance-rich linksets, and surfaces consensus/conflicts for policy suppression. +- **Key traits:** Aggregation-only guardrails, restart-time plug-ins, Mongo persistence, deterministic exports, and Offline Kit-ready bundles. + +### Policy Engine +- **Path:** `src/Policy/StellaOps.Policy.Engine`, shared libraries under `src/Policy/__Libraries/StellaOps.Policy.*`. +- **Docs:** `docs/modules/policy/architecture.md`. +- **Responsibilities:** Evaluates `stella-dsl@1` policies, joins SBOM/advisory/VEX evidence, materialises effective findings, and emits explain traces. +- **Key traits:** Deterministic evaluation (no wall clock), change-stream driven increments, simulation endpoints, and Authority-scoped tenancy/RBAC enforcement. + +### Scanner.WebService +- **Path:** `src/Scanner/StellaOps.Scanner.WebService`. +- **Docs:** `docs/modules/scanner/architecture.md`. +- **Responsibilities:** Hosts scan/diff/export APIs, enqueues work, serves SBOM and diff artifacts, and publishes DSSE-ready report metadata. +- **Key traits:** Minimal APIs with Redis/NATS queue clients, RustFS artifact integration, BOM-index lookups, and DSSE hand-off to Signer/Attestor. + +### Scanner.Worker +- **Path:** `src/Scanner/StellaOps.Scanner.Worker` with analyzers/caches in `src/Scanner/__Libraries/StellaOps.Scanner.*`. +- **Docs:** `docs/modules/scanner/architecture.md`. +- **Responsibilities:** Runs deterministic OS/language/native analyzers per layer, composes inventory and usage SBOM fragments, and streams them back to the catalog. 
+- **Key traits:** Layer/file CAS caching, restart-time analyzer plug-ins under `plugins/scanner/**`, bounded retries with lease renewals, and DSSE-ready outputs. + +### Scheduler +- **Path:** `src/Scheduler/StellaOps.Scheduler.WebService`, `src/Scheduler/StellaOps.Scheduler.Worker`. +- **Docs:** `docs/modules/scheduler/architecture.md`. +- **Responsibilities:** Detects advisory/VEX deltas, selects impacted assets via BOM index, and schedules analysis-only runs toward Scanner and Policy Engine. +- **Key traits:** Mongo impact cursors, Redis/NATS orchestration, webhook fan-out (Policy/Notify/Runtime), and deterministic evaluation windows. + +### CLI +- **Path:** `src/Cli/StellaOps.Cli`, helpers in `src/Cli/StellaOps.Cli.Core`, plug-ins in `src/Cli/StellaOps.Cli.Plugins.*`. +- **Docs:** `docs/modules/cli/architecture.md`. +- **Responsibilities:** Provides deterministic verbs for scan/diff/export/report, Buildx SBOM orchestration, policy/VEX administration, and offline kit workflows. +- **Key traits:** Native AOT binaries, device-code/client-credential login with DPoP storage, golden-output tests, and restart-time plug-in manifests in `plugins/cli/**`. + +### UI +- **Path:** `src/UI/StellaOps.UI`. +- **Docs:** `docs/modules/ui/architecture.md`. +- **Responsibilities:** Angular SPA for scans, policy authoring, VEX evidence exploration, runtime posture, and admin tooling via backend APIs. +- **Key traits:** Angular Signals with `@ngrx/signals`, typed API clients handling DPoP + SSE, Tailwind theming, and immutable content-hashed bundles. + +### Notify +- **Path:** `src/Notify/StellaOps.Notify.WebService`, `src/Notify/StellaOps.Notify.Worker`, connectors in `src/Notify/__Libraries`. +- **Docs:** `docs/modules/notify/architecture.md`. +- **Responsibilities:** Evaluates notification rules on platform events, renders channel-specific payloads, and delivers messages with throttling/digests. 
+- **Key traits:** Tenant-scoped rule engine, idempotent delivery queues, secrets referenced rather than stored, and comprehensive audit/metrics coverage. + +### Export Center +- **Path:** `src/ExportCenter/StellaOps.ExportCenter.WebService`, `src/ExportCenter/StellaOps.ExportCenter.Worker`, adapters in `src/ExportCenter/StellaOps.ExportCenter.*`. +- **Docs:** `docs/modules/export-center/architecture.md`. +- **Responsibilities:** Packages reproducible evidence bundles (JSON, Trivy, mirror) with provenance, signing, and distribution manifests for offline or mirror deployments. +- **Key traits:** Profile-driven exports, Orchestrator-backed job leases, Mongo/object storage staging, and cosign-compatible provenance/signature emission. + +### Registry Token Service +- **Path:** `src/Registry/StellaOps.Registry.TokenService`, with integration tests in `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`. +- **Docs:** `docs/modules/registry/operations/token-service.md`. +- **Responsibilities:** Issues scoped pull tokens for container/image registries, enforces licence/plan constraints, and publishes audit telemetry for token usage. +- **Key traits:** Authority-issued OpTok validation, Mongo-backed issuance ledger, deterministic checksum manifests for Offline Kit bundles, and emergency revoke/rotation tooling. + +### Zastava +- **Path:** `src/Zastava/StellaOps.Zastava.Observer`, `src/Zastava/StellaOps.Zastava.Webhook`, shared contracts in `src/Zastava/StellaOps.Zastava.Core`. +- **Docs:** `docs/modules/zastava/architecture.md`. +- **Responsibilities:** Observes running workloads, emits runtime posture events, and enforces admission-time policy (signed images, SBOM availability, policy verdict). +- **Key traits:** Authority-issued OpToks with DPoP/mTLS, ND-JSON batching with local buffering, delta-scan triggers on drift, and Kubernetes webhook enforcement. 
+ +--- + +### 4.1.4) Glossary (quick) + +- **OVAL** — Vendor/distro security definition format; authoritative for OS packages. +- **NEVRA / EVR** — RPM and Debian version semantics for OS packages. +- **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems. +- **KEV** — Known Exploited Vulnerabilities (flag only). + +--- +# 5) Your role as StellaOps contributor + +You acting as information technology engineer that will take different type of roles in goal achieving StellaOps production implementation +In order you to work - you have to be supplied with directory that contains `AGENTS.md`,`TASKS.md` files. There will you have more information about the role you have, the scope of your work and the tasks you will have. + +Boundaries: +- You operate only in the working directories I gave you, unless there is dependencies that makes you to work on dependency in shared directory. Then you ask for confirmation. + +You main characteristics: +- Keep endpoints small, deterministic, and cancellation-aware. +- Improve logs/metrics as per tasks. +- Update `TASKS.md` when moving tasks forward. +- When you are done with all task you state explicitly you are done. +- Impersonate the role described on working directory `AGENTS.md` you will read, if role is not available - take role of the CTO of the StellaOps in early stages. +- You always strive for best practices +- You always strive for re-usability +- When in doubt of design decision - you ask then act +- You are autonomus - meaning that you will work for long time alone and achieve maximum without stopping for stupid questions +- You operate on the same directory where other agents will work. In case you need to work on directory that is dependency on provided `AGENTS.md`,`TASKS.md` files you have to ask for confirmation first. 
+ +## 5.1) Type of contributions + +- **BE‑Base (Platform & Pipeline)** + Owns DI, plugin host, job scheduler/coordinator, configuration binding, minimal API endpoints, and Mongo bootstrapping. +- **BE‑Conn‑X (Connectors)** + One agent per source family (NVD, Red Hat, Ubuntu, Debian, SUSE, GHSA, OSV, PSIRTs, CERTs, KEV, ICS). Implements fetch/parse/map with incremental watermarks. +- **BE‑Merge (Canonical Merge & Dedupe)** + Identity graph, precedence policies, canonical JSON serializer, and deterministic hashing (`merge_event`). +- **BE‑Export (JSON & Trivy DB)** + Deterministic export trees, Trivy DB packaging, optional ORAS push, and offline bundle. +- **QA (Validation & Observability)** + Schema tests, fixture goldens, determinism checks, metrics/logs/traces, e2e reproducibility runs. +- **DevEx/Docs** + Maintains this agent framework, templates, and per‑directory guides; assists parallelization and reviews. + + +## 5.2) Work rules (important) + +- **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. +- **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. +- **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. +- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. +- **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. 
In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. +- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. +- **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. +- **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. +- **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. +- **Additional references**: When a task mentions historical epics, consult the corresponding module guides or domain playbooks under `docs/modules/**`, `docs/api/`, `docs/risk/`, or `docs/airgap/` for the latest specification. + +--- diff --git a/README.md b/README.md index b055fc41..f86eff58 100755 --- a/README.md +++ b/README.md 
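Review bot: this AGENTS.md hunk removes and re-adds every line with identical text (the `-`/`+` pairs under "# 5) Your role as StellaOps contributor" and "## 5.2) Work rules (important)" match byte for byte apart from line endings), so the diff is a CRLF/LF flip rather than the AOC alignment the subject line promises; commit the line-ending normalisation on its own with a `.gitattributes` rule such as `* text=auto eol=lf` so the real change can be reviewed. While the file is being touched, fix the internal inconsistencies in the re-added text: the module table lists the Registry Token Service key doc as `docs/modules/registry/architecture.md` but the cheat sheet below points to `docs/modules/registry/operations/token-service.md`; `StellaOps.Concelier..Tests` under "Test layout" has an empty name segment; "SBOM 3.0.0" next to "CycloneDX 1.6" reads like SPDX 3.0.0; and the numbering jumps from "# 1)" to "# 3)" and from "## 4.1" to "### 4.1.4)". Typos to clean up in the same pass: "Exclussion", "closests", "autonomus", "documention", "You acting as".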
@@ -1,33 +1,33 @@ -# StellaOps Concelier & CLI - -This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the -first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from -authoritative sources, stores them in MongoDB, and exports deterministic JSON and -Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job -control against the Concelier API. - -## Quickstart - -1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`. -2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry - settings. -3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token - lifetimes, and plug-in descriptors, then edit the companion manifests under - `etc/authority.plugins/*.yaml` to match your deployment. -4. Start the web service with `dotnet run --project src/Concelier/StellaOps.Concelier.WebService`. -5. Configure the CLI via environment variables (e.g. `STELLAOPS_BACKEND_URL`) and trigger - jobs with `dotnet run --project src/Cli/StellaOps.Cli -- db merge`. - -Detailed operator guidance is available in `docs/10_CONCELIER_CLI_QUICKSTART.md`. API and -command reference material lives in `docs/09_API_CLI_REFERENCE.md`. - -Pipeline note: deployment workflows should template `etc/concelier.yaml` during CI/CD, -injecting environment-specific Mongo credentials and telemetry endpoints. Upcoming -releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart -for integration steps once available. - -## Documentation - -- `docs/README.md` now consolidates the platform index and points to the updated high-level architecture. -- Module architecture dossiers now live under `docs/modules//`. The most relevant here are `docs/modules/concelier/ARCHITECTURE.md` (service layout, merge engine, exports) and `docs/modules/cli/ARCHITECTURE.md` (command surface, AOT packaging, auth flows). 
Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy. -- Offline operation guidance moved to `docs/24_OFFLINE_KIT.md`, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay in `docs/modules/concelier/operations/connectors/*.md` with companion runbooks in `docs/modules/concelier/operations/`. +# StellaOps Concelier & CLI + +This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the +first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from +authoritative sources, stores them in MongoDB, and exports deterministic JSON and +Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job +control against the Concelier API. + +## Quickstart + +1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`. +2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry + settings. +3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token + lifetimes, and plug-in descriptors, then edit the companion manifests under + `etc/authority.plugins/*.yaml` to match your deployment. +4. Start the web service with `dotnet run --project src/Concelier/StellaOps.Concelier.WebService`. +5. Configure the CLI via environment variables (e.g. `STELLAOPS_BACKEND_URL`) and trigger + jobs with `dotnet run --project src/Cli/StellaOps.Cli -- db merge`. + +Detailed operator guidance is available in `docs/10_CONCELIER_CLI_QUICKSTART.md`. API and +command reference material lives in `docs/09_API_CLI_REFERENCE.md`. + +Pipeline note: deployment workflows should template `etc/concelier.yaml` during CI/CD, +injecting environment-specific Mongo credentials and telemetry endpoints. 
Upcoming +releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart +for integration steps once available. + +## Documentation + +- `docs/README.md` now consolidates the platform index and points to the updated high-level architecture. +- Module architecture dossiers now live under `docs/modules//`. The most relevant here are `docs/modules/concelier/ARCHITECTURE.md` (service layout, merge engine, exports) and `docs/modules/cli/ARCHITECTURE.md` (command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy. +- Offline operation guidance moved to `docs/24_OFFLINE_KIT.md`, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay in `docs/modules/concelier/operations/connectors/*.md` with companion runbooks in `docs/modules/concelier/operations/`. diff --git a/deploy/README.md b/deploy/README.md index 4d0b920d..6647d0c7 100644 --- a/deploy/README.md +++ b/deploy/README.md 
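Review bot: the README points at `docs/modules/concelier/ARCHITECTURE.md` and `docs/modules/cli/ARCHITECTURE.md`, while the AGENTS.md hunk in this same patch uses lowercase `docs/modules/concelier/architecture.md` and `docs/modules/cli/architecture.md`; one of the two casings is a dead link on a case-sensitive checkout, so pick one and align both files. The sentence "Module architecture dossiers now live under `docs/modules//`" has lost its path segment and should name the placeholder or the directory. The quickstart still triggers `dotnet run --project src/Cli/StellaOps.Cli -- db merge`, yet AGENTS.md in this patch describes Concelier as applying the Aggregation-Only Contract; confirm `db merge` is still a supported verb or replace it with the current one. As with AGENTS.md, every line here is removed and re-added unchanged, so the hunk carries only a line-ending flip.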
@@ -1,51 +1,51 @@ -# Deployment Profiles - -This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`. - -## Structure - -- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests. -- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files. -- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth. -- `compose/docker-compose.telemetry.yaml` – optional OpenTelemetry collector overlay (mutual TLS, OTLP pipelines). -- `compose/docker-compose.telemetry-storage.yaml` – optional Prometheus/Tempo/Loki stack for observability backends. -- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap. -- `telemetry/` – shared OpenTelemetry collector configuration and certificate artefacts (generated via tooling). -- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile. - -## Workflow - -1. Update or add a release manifest under `releases/` with the new digests. -2. Mirror the digests into the Compose and Helm profiles that correspond to that channel. -3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly. -4. If telemetry ingest is required for the release, generate development certificates using - `./ops/devops/telemetry/generate_dev_tls.sh` and run the collector smoke test with - `python ./ops/devops/telemetry/smoke_otel_collector.py` to verify the OTLP endpoints. -5. Commit the change alongside any documentation updates (e.g. install guide cross-links). - -Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments. 
- -### Additional tooling - -- `deploy/tools/check-channel-alignment.py` – verifies that Helm/Compose profiles reference the exact images listed in a release manifest. Run it for each channel before promoting a release. -- `ops/devops/telemetry/generate_dev_tls.sh` – produces local CA/server/client certificates for Compose-based collector testing. -- `ops/devops/telemetry/smoke_otel_collector.py` – sends OTLP traffic and asserts the collector accepted traces, metrics, and logs. -- `ops/devops/telemetry/package_offline_bundle.py` – packages telemetry assets (config/Helm/Compose) into a signed tarball for air-gapped installs. -- `docs/modules/devops/runbooks/deployment-upgrade.md` – end-to-end instructions for upgrade, rollback, and channel promotion workflows (Helm + Compose). - -## CI smoke checks - -The `.gitea/workflows/build-test-deploy.yml` pipeline includes a `notify-smoke` stage that validates scanner event propagation after staging deployments. Configure the following repository secrets (or environment-level secrets) so the job can connect to Redis and the Notify API: - -- `NOTIFY_SMOKE_REDIS_DSN` – Redis connection string (`redis://user:pass@host:port/db`). -- `NOTIFY_SMOKE_NOTIFY_BASEURL` – Base URL for the staging Notify WebService (e.g. `https://notify.stage.stella-ops.internal`). -- `NOTIFY_SMOKE_NOTIFY_TOKEN` – OAuth bearer token (service account) with permission to read deliveries. -- `NOTIFY_SMOKE_NOTIFY_TENANT` – Tenant identifier used for the smoke validation requests. -- *(Optional)* `NOTIFY_SMOKE_NOTIFY_TENANT_HEADER` – Override for the tenant header name (defaults to `X-StellaOps-Tenant`). - -Define the following repository variables (or secrets) to drive the assertions performed by the smoke check: - -- `NOTIFY_SMOKE_EXPECT_KINDS` – Comma-separated event kinds the checker must observe (for example `scanner.report.ready,scanner.scan.completed`). 
-- `NOTIFY_SMOKE_LOOKBACK_MINUTES` – Time window (in minutes) used when scanning the Redis stream for recent events (for example `30`). - -All of the above values are required—the workflow fails fast with a descriptive error if any are missing or empty. Provide the variables at the organisation or repository scope before enabling the smoke stage. +# Deployment Profiles + +This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`. + +## Structure + +- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests. +- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files. +- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth. +- `compose/docker-compose.telemetry.yaml` – optional OpenTelemetry collector overlay (mutual TLS, OTLP pipelines). +- `compose/docker-compose.telemetry-storage.yaml` – optional Prometheus/Tempo/Loki stack for observability backends. +- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap. +- `telemetry/` – shared OpenTelemetry collector configuration and certificate artefacts (generated via tooling). +- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile. + +## Workflow + +1. Update or add a release manifest under `releases/` with the new digests. +2. Mirror the digests into the Compose and Helm profiles that correspond to that channel. +3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly. +4. 
If telemetry ingest is required for the release, generate development certificates using + `./ops/devops/telemetry/generate_dev_tls.sh` and run the collector smoke test with + `python ./ops/devops/telemetry/smoke_otel_collector.py` to verify the OTLP endpoints. +5. Commit the change alongside any documentation updates (e.g. install guide cross-links). + +Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments. + +### Additional tooling + +- `deploy/tools/check-channel-alignment.py` – verifies that Helm/Compose profiles reference the exact images listed in a release manifest. Run it for each channel before promoting a release. +- `ops/devops/telemetry/generate_dev_tls.sh` – produces local CA/server/client certificates for Compose-based collector testing. +- `ops/devops/telemetry/smoke_otel_collector.py` – sends OTLP traffic and asserts the collector accepted traces, metrics, and logs. +- `ops/devops/telemetry/package_offline_bundle.py` – packages telemetry assets (config/Helm/Compose) into a signed tarball for air-gapped installs. +- `docs/modules/devops/runbooks/deployment-upgrade.md` – end-to-end instructions for upgrade, rollback, and channel promotion workflows (Helm + Compose). + +## CI smoke checks + +The `.gitea/workflows/build-test-deploy.yml` pipeline includes a `notify-smoke` stage that validates scanner event propagation after staging deployments. Configure the following repository secrets (or environment-level secrets) so the job can connect to Redis and the Notify API: + +- `NOTIFY_SMOKE_REDIS_DSN` – Redis connection string (`redis://user:pass@host:port/db`). +- `NOTIFY_SMOKE_NOTIFY_BASEURL` – Base URL for the staging Notify WebService (e.g. `https://notify.stage.stella-ops.internal`). +- `NOTIFY_SMOKE_NOTIFY_TOKEN` – OAuth bearer token (service account) with permission to read deliveries. +- `NOTIFY_SMOKE_NOTIFY_TENANT` – Tenant identifier used for the smoke validation requests. 
+- *(Optional)* `NOTIFY_SMOKE_NOTIFY_TENANT_HEADER` – Override for the tenant header name (defaults to `X-StellaOps-Tenant`). + +Define the following repository variables (or secrets) to drive the assertions performed by the smoke check: + +- `NOTIFY_SMOKE_EXPECT_KINDS` – Comma-separated event kinds the checker must observe (for example `scanner.report.ready,scanner.scan.completed`). +- `NOTIFY_SMOKE_LOOKBACK_MINUTES` – Time window (in minutes) used when scanning the Redis stream for recent events (for example `30`). + +All of the above values are required—the workflow fails fast with a descriptive error if any are missing or empty. Provide the variables at the organisation or repository scope before enabling the smoke stage. diff --git a/deploy/telemetry/storage/README.md b/deploy/telemetry/storage/README.md index 3ffce99b..d91e32d6 100644 --- a/deploy/telemetry/storage/README.md +++ b/deploy/telemetry/storage/README.md 
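Review bot: the new `## CI smoke checks` section in this `deploy/README.md` hunk marks `NOTIFY_SMOKE_NOTIFY_TENANT_HEADER` as *(Optional)* and then closes with "All of the above values are required—the workflow fails fast with a descriptive error if any are missing or empty", so a reader cannot tell whether leaving the header override unset fails the job. Either exempt it explicitly ("All values except the optional tenant header override are required") or drop the *(Optional)* label if the workflow really enforces it. It would also help to state that `NOTIFY_SMOKE_REDIS_DSN` and `NOTIFY_SMOKE_NOTIFY_TOKEN` must never be defined as plain repository variables, since the DSN embeds `user:pass@` and the token is a bearer credential; the current wording "repository secrets (or environment-level secrets)" covers this, but the later "repository variables (or secrets)" sentence for the assertion inputs blurs the distinction.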
@@ -1,19 +1,19 @@ -# Telemetry Storage Stack - -Configuration snippets for the default StellaOps observability backends used in -staging and production environments. The stack comprises: - -- **Prometheus** for metrics (scraping the collector's Prometheus exporter) -- **Tempo** for traces (OTLP ingest via mTLS) -- **Loki** for logs (HTTP ingest with tenant isolation) - -## Files - -| Path | Description | -| ---- | ----------- | -| `prometheus.yaml` | Scrape configuration for the collector (mTLS + bearer token placeholder). | -| `tempo.yaml` | Tempo configuration with multitenancy enabled and local storage paths. | -| `loki.yaml` | Loki configuration enabling per-tenant overrides and boltdb-shipper storage. | +# Telemetry Storage Stack + +Configuration snippets for the default StellaOps observability backends used in +staging and production environments. The stack comprises: + +- **Prometheus** for metrics (scraping the collector's Prometheus exporter) +- **Tempo** for traces (OTLP ingest via mTLS) +- **Loki** for logs (HTTP ingest with tenant isolation) + +## Files + +| Path | Description | +| ---- | ----------- | +| `prometheus.yaml` | Scrape configuration for the collector (mTLS + bearer token placeholder). | +| `tempo.yaml` | Tempo configuration with multitenancy enabled and local storage paths. | +| `loki.yaml` | Loki configuration enabling per-tenant overrides and boltdb-shipper storage. | | `tenants/tempo-overrides.yaml` | Example tenant overrides for Tempo (retention, limits). | | `tenants/loki-overrides.yaml` | Example tenant overrides for Loki (rate limits, retention). | | `auth/` | Placeholder directory for Prometheus bearer token files (e.g., `token`). | 
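Review bot: every `-` line in this `@@ -1,19 +1,19 @@` hunk comes back unchanged as a `+` line, so the change is whitespace or line-ending only, and the same full-file rewrite pattern appears in the `deploy/README.md` and `docs/10_CONCELIER_CLI_QUICKSTART.md` hunks of this patch. Normalisation churn of this kind buries the substantive "Align AOC tasks" edits, inflates the review surface and rewrites `git blame` for whole documentation files; please split it into its own commit and add a `.gitattributes` rule such as `*.md text eol=lf` so it does not recur. Reviewers can confirm there is no other change with `git diff --ignore-all-space` or `git show -w` on the commit.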
@@ -32,5 +32,5 @@ ensure TLS, multitenancy, and override references remain intact. - Both Tempo and Loki require mutual TLS. - Prometheus uses mTLS plus a bearer token that should be minted by Authority. - Update the overrides files to enforce per-tenant retention/ingestion limits. - -For comprehensive deployment steps see `docs/modules/telemetry/operations/storage.md`. + +For comprehensive deployment steps see `docs/modules/telemetry/operations/storage.md`. diff --git a/docs/10_CONCELIER_CLI_QUICKSTART.md b/docs/10_CONCELIER_CLI_QUICKSTART.md index 9f3d1d18..47003267 100644 --- a/docs/10_CONCELIER_CLI_QUICKSTART.md +++ b/docs/10_CONCELIER_CLI_QUICKSTART.md 
@@ -1,354 +1,354 @@ -# 10 · Concelier + CLI Quickstart - -This guide walks through configuring the Concelier web service and the `stellaops-cli` -tool so an operator can ingest advisories, merge them, and publish exports from a -single workstation. It focuses on deployment-facing surfaces only (configuration, -runtime wiring, CLI usage) and leaves connector/internal customization for later. - ---- - -## 0 · Prerequisites - -- .NET SDK **10.0.100-preview** (matches `global.json`) -- MongoDB instance reachable from the host (local Docker or managed) -- `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI) -- Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo) -- Optional: Docker/Podman runtime if you plan to run scanners locally - -> **Tip** – air-gapped installs should preload `trivy-db` and `oras` binaries into the -> runner image since Concelier never fetches them dynamically. - ---- - -## 1 · Configure Concelier - -1. Copy the sample config to the expected location (CI/CD pipelines can stamp values - into this file during deployment—see the “Deployment automation” note below): - - ```bash - mkdir -p etc - cp etc/concelier.yaml.sample etc/concelier.yaml - ``` - -2. Edit `etc/concelier.yaml` and update the MongoDB DSN (and optional database name). - The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/` - and disables remote telemetry exporters by default. - -3. (Optional) Override settings via environment variables. All keys are prefixed with - `CONCELIER_`. Example: - - ```bash - export CONCELIER_STORAGE__DSN="mongodb://user:pass@mongo:27017/concelier" - export CONCELIER_TELEMETRY__ENABLETRACING=false - ``` - -4. 
Start the web service from the repository root: - - ```bash - dotnet run --project src/Concelier/StellaOps.Concelier.WebService - ``` - - On startup Concelier validates the options, boots MongoDB indexes, loads plug-ins, - and exposes: - - - `GET /health` – returns service status and telemetry settings - - `GET /ready` – performs a MongoDB `ping` - - `GET /jobs` + `POST /jobs/{kind}` – inspect and trigger connector/export jobs - - > **Security note** – authentication now ships via StellaOps Authority. Keep - > `authority.allowAnonymousFallback: true` only during the staged rollout and - > disable it before **2025-12-31 UTC** so tokens become mandatory. - -Rollout checkpoints for the two Authority toggles: - -| Phase | `authority.enabled` | `authority.allowAnonymousFallback` | Goal | Observability focus | -| ----- | ------------------- | ---------------------------------- | ---- | ------------------- | -| **Validation (staging)** | `true` | `true` | Verify token issuance, CLI scopes, and audit log noise without breaking cron jobs. | Watch `Concelier.Authorization.Audit` for `bypass=True` events and scope gaps; confirm CLI `auth status` succeeds. | -| **Cutover rehearsal** | `true` | `false` | Exercise production-style enforcement before the deadline; ensure only approved maintenance ranges remain in `bypassNetworks`. | Expect some HTTP 401s; verify `web.jobs.triggered` metrics flatten for unauthenticated calls and audit logs highlight missing tokens. | -| **Enforced (steady state)** | `true` | `false` | Production baseline after the 2025-12-31 UTC cutoff. | Alert on new `bypass=True` entries and on repeated 401 bursts; correlate with Authority availability dashboards. | - -### Authority companion configuration (preview) - -1. Copy the Authority sample configuration: - - ```bash - cp etc/authority.yaml.sample etc/authority.yaml - ``` - -2. Update the issuer URL, token lifetimes, and plug-in descriptors to match your - environment. 
Authority expects per-plugin manifests in `etc/authority.plugins/`; - sample `standard.yaml` and `ldap.yaml` files are provided as starting points. - For air-gapped installs keep the default plug-in binary directory - (`../StellaOps.Authority.PluginBinaries`) so packaged plug-ins load without outbound access. - -3. Environment variables prefixed with `STELLAOPS_AUTHORITY_` override individual - fields. Example: - - ```bash - export STELLAOPS_AUTHORITY__ISSUER="https://authority.stella-ops.local" - export STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0="/srv/authority/plugins" - ``` - ---- - -## 2 · Configure the CLI - -The CLI reads configuration from JSON/YAML files *and* environment variables. The -defaults live in `src/Cli/StellaOps.Cli/appsettings.json` and expect overrides at runtime. - -| Setting | Environment variable | Default | Purpose | -| ------- | -------------------- | ------- | ------- | -| `BackendUrl` | `STELLAOPS_BACKEND_URL` | _empty_ | Base URL of the Concelier web service | -| `ApiKey` | `API_KEY` | _empty_ | Reserved for legacy key auth; leave empty when using Authority | -| `ScannerCacheDirectory` | `STELLAOPS_SCANNER_CACHE_DIRECTORY` | `scanners` | Local cache folder | -| `ResultsDirectory` | `STELLAOPS_RESULTS_DIRECTORY` | `results` | Where scan outputs are written | -| `Authority.Url` | `STELLAOPS_AUTHORITY_URL` | _empty_ | StellaOps Authority issuer/token endpoint | -| `Authority.ClientId` | `STELLAOPS_AUTHORITY_CLIENT_ID` | _empty_ | Client identifier for the CLI | -| `Authority.ClientSecret` | `STELLAOPS_AUTHORITY_CLIENT_SECRET` | _empty_ | Client secret (omit when using username/password grant) | -| `Authority.Username` | `STELLAOPS_AUTHORITY_USERNAME` | _empty_ | Username for password grant flows | -| `Authority.Password` | `STELLAOPS_AUTHORITY_PASSWORD` | _empty_ | Password for password grant flows | -| `Authority.Scope` | `STELLAOPS_AUTHORITY_SCOPE` | `concelier.jobs.trigger advisory:ingest` | Space-separated OAuth scopes requested for 
backend operations | -| `Authority.TokenCacheDirectory` | `STELLAOPS_AUTHORITY_TOKEN_CACHE_DIR` | `~/.stellaops/tokens` | Directory that persists cached tokens | -| `Authority.Resilience.EnableRetries` | `STELLAOPS_AUTHORITY_ENABLE_RETRIES` | `true` | Toggle Polly retry handler for Authority HTTP calls | -| `Authority.Resilience.RetryDelays` | `STELLAOPS_AUTHORITY_RETRY_DELAYS` | `1s,2s,5s` | Comma- or space-separated backoff delays (hh:mm:ss) | -| `Authority.Resilience.AllowOfflineCacheFallback` | `STELLAOPS_AUTHORITY_ALLOW_OFFLINE_CACHE_FALLBACK` | `true` | Allow CLI to reuse cached discovery/JWKS metadata when Authority is offline | -| `Authority.Resilience.OfflineCacheTolerance` | `STELLAOPS_AUTHORITY_OFFLINE_CACHE_TOLERANCE` | `00:10:00` | Additional tolerance window applied to cached metadata | - -Example bootstrap: - -```bash -export STELLAOPS_BACKEND_URL="http://localhost:5000" -export STELLAOPS_RESULTS_DIRECTORY="$HOME/.stellaops/results" -export STELLAOPS_AUTHORITY_URL="https://authority.local" -export STELLAOPS_AUTHORITY_CLIENT_ID="concelier-cli" -export STELLAOPS_AUTHORITY_CLIENT_SECRET="s3cr3t" -export STELLAOPS_AUTHORITY_SCOPE="concelier.jobs.trigger advisory:ingest advisory:read" -dotnet run --project src/Cli/StellaOps.Cli -- db merge - -# Acquire a bearer token and confirm cache state -dotnet run --project src/Cli/StellaOps.Cli -- auth login -dotnet run --project src/Cli/StellaOps.Cli -- auth status -dotnet run --project src/Cli/StellaOps.Cli -- auth whoami -``` - -Refer to `docs/dev/32_AUTH_CLIENT_GUIDE.md` for deeper guidance on tuning retry/offline settings and rollout checklists. - -To persist configuration, you can create `stellaops-cli.yaml` next to the binary or -rely on environment variables for ephemeral runners. - ---- - -## 3 · Operating Workflow - -1. 
**Trigger connector fetch stages** - - ```bash - dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage fetch - dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage parse - dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage map - ``` - - Use `--mode resume` when continuing from a previous window: - - ```bash - dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source redhat --stage fetch --mode resume - ``` - -2. **Merge canonical advisories** - - ```bash - dotnet run --project src/Cli/StellaOps.Cli -- db merge - ``` - -3. **Produce exports** - - ```bash - # JSON tree (vuln-list style) - dotnet run --project src/Cli/StellaOps.Cli -- db export --format json - - # Trivy DB (delta example) - dotnet run --project src/Cli/StellaOps.Cli -- db export --format trivy-db --delta - ``` - - Concelier always produces a deterministic OCI layout. The first run after a clean - bootstrap emits a **full** baseline; subsequent `--delta` runs reuse the previous - baseline’s blobs when only JSON manifests change. If the exporter detects that a - prior delta is still active (i.e., `LastDeltaDigest` is recorded) it automatically - upgrades the next run to a full export and resets the baseline so operators never - chain deltas indefinitely. The CLI exposes `--publish-full/--publish-delta` (for - ORAS pushes) and `--include-full/--include-delta` (for offline bundles) should you - need to override the defaults interactively. - - **Smoke-check delta reuse:** after the first baseline completes, run the export a - second time with `--delta` and verify that the new directory reports `mode=delta` - while reusing the previous layer blob. 
- - ```bash - export_root=${CONCELIER_EXPORT_ROOT:-exports/trivy} - base=$(ls -1d "$export_root"/* | sort | tail -n2 | head -n1) - delta=$(ls -1d "$export_root"/* | sort | tail -n1) - - jq -r '.mode,.baseExportId' "$delta/metadata.json" - - base_manifest=$(jq -r '.manifests[0].digest' "$base/index.json") - delta_manifest=$(jq -r '.manifests[0].digest' "$delta/index.json") - printf 'baseline manifest: %s\ndelta manifest: %s\n' "$base_manifest" "$delta_manifest" - - layer_digest=$(jq -r '.layers[0].digest' "$base/blobs/sha256/${base_manifest#sha256:}") - cmp "$base/blobs/sha256/${layer_digest#sha256:}" \ - "$delta/blobs/sha256/${layer_digest#sha256:}" - ``` - - `cmp` returning exit code `0` confirms the delta export reuses the baseline’s - `db.tar.gz` layer instead of rebuilding it. - -4. **Verify guard compliance** - - ```bash - export STELLA_TENANT="${STELLA_TENANT:-tenant-a}" - - dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \ - --since 24h \ - --format table \ - --tenant "$STELLA_TENANT" - - # Optional: capture JSON evidence for pipelines/audits - dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \ - --since 7d \ - --limit 100 \ - --format json \ - --export artifacts/aoc-verify.json \ - --tenant "$STELLA_TENANT" - ``` - - The CLI exits with `0` when no violations are detected. Guard failures map - to `ERR_AOC_00x` codes (`11…17`), while truncated results return `18`. Use - `--sources`/`--codes` to focus on noisy connectors and feed the exported JSON - into dashboards or evidence lockers for compliance reviews. - -5. **Pre-flight individual payloads** - - ```bash - stella sources ingest --dry-run \ - --source redhat \ - --input ./fixtures/redhat/RHSA-2025-9999.json \ - --tenant "$STELLA_TENANT" \ - --format json \ - --output artifacts/redhat-dry-run.json - ``` - - Exit code `0` confirms the candidate document is AOC compliant. 
Any guard - violation is emitted as deterministic `ERR_AOC_00x` exit codes (`11…17`); - reuse the exported JSON in PRs or incident timelines to show offending paths. - -6. **Manage scanners (optional)** - - ```bash - dotnet run --project src/Cli/StellaOps.Cli -- scanner download --channel stable - dotnet run --project src/Cli/StellaOps.Cli -- scan run --entry scanners/latest/Scanner.dll --target ./sboms - dotnet run --project src/Cli/StellaOps.Cli -- scan upload --file results/scan-001.json - ``` - -Add `--verbose` to any command for structured console logs. All commands honour -`Ctrl+C` cancellation and exit with non-zero status codes when the backend returns -a problem document. - ---- - -## 4 · Verification Checklist - -- Concelier `/health` returns `"status":"healthy"` and Storage bootstrap is marked - complete after startup. -- CLI commands return HTTP 202 with a `Location` header (job tracking URL) when - triggering Concelier jobs. -- Export artefacts are materialised under the configured output directories and - their manifests record digests. -- MongoDB contains the expected `document`, `dto`, `advisory`, and `export_state` - collections after a run. - ---- - -## 5 · Deployment Automation - -- Treat `etc/concelier.yaml.sample` as the canonical template. CI/CD should copy it to - the deployment artifact and replace placeholders (DSN, telemetry endpoints, cron - overrides) with environment-specific secrets. -- Keep secret material (Mongo credentials, OTLP tokens) outside of the repository; - inject them via secret stores or pipeline variables at stamp time. -- When building container images, include `trivy-db` (and `oras` if used) so air-gapped - clusters do not need outbound downloads at runtime. - ---- - -## 5 · Next Steps - -- Enable authority-backed authentication in non-production first. 
Set - `authority.enabled: true` while keeping `authority.allowAnonymousFallback: true` - to observe logs, then flip it to `false` before 2025-12-31 UTC to enforce tokens. -- Automate the workflow above via CI/CD (compose stack or Kubernetes CronJobs). -- Pair with the Concelier connector teams when enabling additional sources so their - module-specific requirements are pulled in safely. - ---- - -## 6 · Authority Integration - -- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0 - resource server flows. Populate the `authority` block in `concelier.yaml`: - - ```yaml - authority: - enabled: true - allowAnonymousFallback: false # keep true only during the staged rollout window - issuer: "https://authority.example.org" - audiences: - - "api://concelier" - requiredScopes: - - "concelier.jobs.trigger" - - "advisory:read" - - "advisory:ingest" - requiredTenants: - - "tenant-default" - clientId: "concelier-jobs" - clientSecretFile: "../secrets/concelier-jobs.secret" - clientScopes: - - "concelier.jobs.trigger" - - "advisory:read" - - "advisory:ingest" - bypassNetworks: - - "127.0.0.1/32" - - "::1/128" - ``` - -- Store the client secret outside of source control. Either provide it via - `authority.clientSecret` (environment variable `CONCELIER_AUTHORITY__CLIENTSECRET`) - or point `authority.clientSecretFile` to a file mounted at runtime. -- Cron jobs running on the same host can keep using the API thanks to the loopback - bypass mask. Add additional CIDR ranges as needed; every bypass is logged. 
-- Export the same configuration to Kubernetes or systemd by setting environment - variables such as: - - ```bash - export CONCELIER_AUTHORITY__ENABLED=true - export CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false - export CONCELIER_AUTHORITY__ISSUER="https://authority.example.org" - export CONCELIER_AUTHORITY__CLIENTID="concelier-jobs" - export CONCELIER_AUTHORITY__CLIENTSECRETFILE="/var/run/secrets/concelier/authority-client" - export CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger" - export CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read" - export CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest" - export CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger" - export CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read" - export CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest" - export CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default" - ``` - -- CLI commands already pass `Authorization` headers when credentials are supplied. - Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`) - so that automation can obtain tokens with the same client credentials. Concelier - logs every job request with the client ID, subject (if present), scopes, and - a `bypass` flag so operators can audit cron traffic. -- **Rollout checklist.** - 1. Stage the integration with fallback enabled (`allowAnonymousFallback=true`) and confirm CLI/token issuance using `stella auth status`. - 2. Follow the rehearsal pattern (`allowAnonymousFallback=false`) while monitoring `Concelier.Authorization.Audit` and `web.jobs.triggered`/`web.jobs.trigger.failed` metrics. - 3. Lock in enforcement, review the audit runbook (`docs/modules/concelier/operations/authority-audit-runbook.md`), and document the bypass CIDR approvals in your change log. 
+# 10 · Concelier + CLI Quickstart + +This guide walks through configuring the Concelier web service and the `stellaops-cli` +tool so an operator can ingest advisories, merge them, and publish exports from a +single workstation. It focuses on deployment-facing surfaces only (configuration, +runtime wiring, CLI usage) and leaves connector/internal customization for later. + +--- + +## 0 · Prerequisites + +- .NET SDK **10.0.100-preview** (matches `global.json`) +- MongoDB instance reachable from the host (local Docker or managed) +- `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI) +- Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo) +- Optional: Docker/Podman runtime if you plan to run scanners locally + +> **Tip** – air-gapped installs should preload `trivy-db` and `oras` binaries into the +> runner image since Concelier never fetches them dynamically. + +--- + +## 1 · Configure Concelier + +1. Copy the sample config to the expected location (CI/CD pipelines can stamp values + into this file during deployment—see the “Deployment automation” note below): + + ```bash + mkdir -p etc + cp etc/concelier.yaml.sample etc/concelier.yaml + ``` + +2. Edit `etc/concelier.yaml` and update the MongoDB DSN (and optional database name). + The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/` + and disables remote telemetry exporters by default. + +3. (Optional) Override settings via environment variables. All keys are prefixed with + `CONCELIER_`. Example: + + ```bash + export CONCELIER_STORAGE__DSN="mongodb://user:pass@mongo:27017/concelier" + export CONCELIER_TELEMETRY__ENABLETRACING=false + ``` + +4. 
Start the web service from the repository root: + + ```bash + dotnet run --project src/Concelier/StellaOps.Concelier.WebService + ``` + + On startup Concelier validates the options, boots MongoDB indexes, loads plug-ins, + and exposes: + + - `GET /health` – returns service status and telemetry settings + - `GET /ready` – performs a MongoDB `ping` + - `GET /jobs` + `POST /jobs/{kind}` – inspect and trigger connector/export jobs + + > **Security note** – authentication now ships via StellaOps Authority. Keep + > `authority.allowAnonymousFallback: true` only during the staged rollout and + > disable it before **2025-12-31 UTC** so tokens become mandatory. + +Rollout checkpoints for the two Authority toggles: + +| Phase | `authority.enabled` | `authority.allowAnonymousFallback` | Goal | Observability focus | +| ----- | ------------------- | ---------------------------------- | ---- | ------------------- | +| **Validation (staging)** | `true` | `true` | Verify token issuance, CLI scopes, and audit log noise without breaking cron jobs. | Watch `Concelier.Authorization.Audit` for `bypass=True` events and scope gaps; confirm CLI `auth status` succeeds. | +| **Cutover rehearsal** | `true` | `false` | Exercise production-style enforcement before the deadline; ensure only approved maintenance ranges remain in `bypassNetworks`. | Expect some HTTP 401s; verify `web.jobs.triggered` metrics flatten for unauthenticated calls and audit logs highlight missing tokens. | +| **Enforced (steady state)** | `true` | `false` | Production baseline after the 2025-12-31 UTC cutoff. | Alert on new `bypass=True` entries and on repeated 401 bursts; correlate with Authority availability dashboards. | + +### Authority companion configuration (preview) + +1. Copy the Authority sample configuration: + + ```bash + cp etc/authority.yaml.sample etc/authority.yaml + ``` + +2. Update the issuer URL, token lifetimes, and plug-in descriptors to match your + environment. 
Authority expects per-plugin manifests in `etc/authority.plugins/`; + sample `standard.yaml` and `ldap.yaml` files are provided as starting points. + For air-gapped installs keep the default plug-in binary directory + (`../StellaOps.Authority.PluginBinaries`) so packaged plug-ins load without outbound access. + +3. Environment variables prefixed with `STELLAOPS_AUTHORITY_` override individual + fields. Example: + + ```bash + export STELLAOPS_AUTHORITY__ISSUER="https://authority.stella-ops.local" + export STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0="/srv/authority/plugins" + ``` + +--- + +## 2 · Configure the CLI + +The CLI reads configuration from JSON/YAML files *and* environment variables. The +defaults live in `src/Cli/StellaOps.Cli/appsettings.json` and expect overrides at runtime. + +| Setting | Environment variable | Default | Purpose | +| ------- | -------------------- | ------- | ------- | +| `BackendUrl` | `STELLAOPS_BACKEND_URL` | _empty_ | Base URL of the Concelier web service | +| `ApiKey` | `API_KEY` | _empty_ | Reserved for legacy key auth; leave empty when using Authority | +| `ScannerCacheDirectory` | `STELLAOPS_SCANNER_CACHE_DIRECTORY` | `scanners` | Local cache folder | +| `ResultsDirectory` | `STELLAOPS_RESULTS_DIRECTORY` | `results` | Where scan outputs are written | +| `Authority.Url` | `STELLAOPS_AUTHORITY_URL` | _empty_ | StellaOps Authority issuer/token endpoint | +| `Authority.ClientId` | `STELLAOPS_AUTHORITY_CLIENT_ID` | _empty_ | Client identifier for the CLI | +| `Authority.ClientSecret` | `STELLAOPS_AUTHORITY_CLIENT_SECRET` | _empty_ | Client secret (omit when using username/password grant) | +| `Authority.Username` | `STELLAOPS_AUTHORITY_USERNAME` | _empty_ | Username for password grant flows | +| `Authority.Password` | `STELLAOPS_AUTHORITY_PASSWORD` | _empty_ | Password for password grant flows | +| `Authority.Scope` | `STELLAOPS_AUTHORITY_SCOPE` | `concelier.jobs.trigger advisory:ingest` | Space-separated OAuth scopes requested for 
backend operations | +| `Authority.TokenCacheDirectory` | `STELLAOPS_AUTHORITY_TOKEN_CACHE_DIR` | `~/.stellaops/tokens` | Directory that persists cached tokens | +| `Authority.Resilience.EnableRetries` | `STELLAOPS_AUTHORITY_ENABLE_RETRIES` | `true` | Toggle Polly retry handler for Authority HTTP calls | +| `Authority.Resilience.RetryDelays` | `STELLAOPS_AUTHORITY_RETRY_DELAYS` | `1s,2s,5s` | Comma- or space-separated backoff delays (hh:mm:ss) | +| `Authority.Resilience.AllowOfflineCacheFallback` | `STELLAOPS_AUTHORITY_ALLOW_OFFLINE_CACHE_FALLBACK` | `true` | Allow CLI to reuse cached discovery/JWKS metadata when Authority is offline | +| `Authority.Resilience.OfflineCacheTolerance` | `STELLAOPS_AUTHORITY_OFFLINE_CACHE_TOLERANCE` | `00:10:00` | Additional tolerance window applied to cached metadata | + +Example bootstrap: + +```bash +export STELLAOPS_BACKEND_URL="http://localhost:5000" +export STELLAOPS_RESULTS_DIRECTORY="$HOME/.stellaops/results" +export STELLAOPS_AUTHORITY_URL="https://authority.local" +export STELLAOPS_AUTHORITY_CLIENT_ID="concelier-cli" +export STELLAOPS_AUTHORITY_CLIENT_SECRET="s3cr3t" +export STELLAOPS_AUTHORITY_SCOPE="concelier.jobs.trigger advisory:ingest advisory:read" +dotnet run --project src/Cli/StellaOps.Cli -- db merge + +# Acquire a bearer token and confirm cache state +dotnet run --project src/Cli/StellaOps.Cli -- auth login +dotnet run --project src/Cli/StellaOps.Cli -- auth status +dotnet run --project src/Cli/StellaOps.Cli -- auth whoami +``` + +Refer to `docs/dev/32_AUTH_CLIENT_GUIDE.md` for deeper guidance on tuning retry/offline settings and rollout checklists. + +To persist configuration, you can create `stellaops-cli.yaml` next to the binary or +rely on environment variables for ephemeral runners. + +--- + +## 3 · Operating Workflow + +1. 
**Trigger connector fetch stages** + + ```bash + dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage fetch + dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage parse + dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage map + ``` + + Use `--mode resume` when continuing from a previous window: + + ```bash + dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source redhat --stage fetch --mode resume + ``` + +2. **Merge canonical advisories** + + ```bash + dotnet run --project src/Cli/StellaOps.Cli -- db merge + ``` + +3. **Produce exports** + + ```bash + # JSON tree (vuln-list style) + dotnet run --project src/Cli/StellaOps.Cli -- db export --format json + + # Trivy DB (delta example) + dotnet run --project src/Cli/StellaOps.Cli -- db export --format trivy-db --delta + ``` + + Concelier always produces a deterministic OCI layout. The first run after a clean + bootstrap emits a **full** baseline; subsequent `--delta` runs reuse the previous + baseline’s blobs when only JSON manifests change. If the exporter detects that a + prior delta is still active (i.e., `LastDeltaDigest` is recorded) it automatically + upgrades the next run to a full export and resets the baseline so operators never + chain deltas indefinitely. The CLI exposes `--publish-full/--publish-delta` (for + ORAS pushes) and `--include-full/--include-delta` (for offline bundles) should you + need to override the defaults interactively. + + **Smoke-check delta reuse:** after the first baseline completes, run the export a + second time with `--delta` and verify that the new directory reports `mode=delta` + while reusing the previous layer blob. 
+ + ```bash + export_root=${CONCELIER_EXPORT_ROOT:-exports/trivy} + base=$(ls -1d "$export_root"/* | sort | tail -n2 | head -n1) + delta=$(ls -1d "$export_root"/* | sort | tail -n1) + + jq -r '.mode,.baseExportId' "$delta/metadata.json" + + base_manifest=$(jq -r '.manifests[0].digest' "$base/index.json") + delta_manifest=$(jq -r '.manifests[0].digest' "$delta/index.json") + printf 'baseline manifest: %s\ndelta manifest: %s\n' "$base_manifest" "$delta_manifest" + + layer_digest=$(jq -r '.layers[0].digest' "$base/blobs/sha256/${base_manifest#sha256:}") + cmp "$base/blobs/sha256/${layer_digest#sha256:}" \ + "$delta/blobs/sha256/${layer_digest#sha256:}" + ``` + + `cmp` returning exit code `0` confirms the delta export reuses the baseline’s + `db.tar.gz` layer instead of rebuilding it. + +4. **Verify guard compliance** + + ```bash + export STELLA_TENANT="${STELLA_TENANT:-tenant-a}" + + dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \ + --since 24h \ + --format table \ + --tenant "$STELLA_TENANT" + + # Optional: capture JSON evidence for pipelines/audits + dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \ + --since 7d \ + --limit 100 \ + --format json \ + --export artifacts/aoc-verify.json \ + --tenant "$STELLA_TENANT" + ``` + + The CLI exits with `0` when no violations are detected. Guard failures map + to `ERR_AOC_00x` codes (`11…17`), while truncated results return `18`. Use + `--sources`/`--codes` to focus on noisy connectors and feed the exported JSON + into dashboards or evidence lockers for compliance reviews. + +5. **Pre-flight individual payloads** + + ```bash + stella sources ingest --dry-run \ + --source redhat \ + --input ./fixtures/redhat/RHSA-2025-9999.json \ + --tenant "$STELLA_TENANT" \ + --format json \ + --output artifacts/redhat-dry-run.json + ``` + + Exit code `0` confirms the candidate document is AOC compliant. 
Any guard + violation is emitted as deterministic `ERR_AOC_00x` exit codes (`11…17`); + reuse the exported JSON in PRs or incident timelines to show offending paths. + +6. **Manage scanners (optional)** + + ```bash + dotnet run --project src/Cli/StellaOps.Cli -- scanner download --channel stable + dotnet run --project src/Cli/StellaOps.Cli -- scan run --entry scanners/latest/Scanner.dll --target ./sboms + dotnet run --project src/Cli/StellaOps.Cli -- scan upload --file results/scan-001.json + ``` + +Add `--verbose` to any command for structured console logs. All commands honour +`Ctrl+C` cancellation and exit with non-zero status codes when the backend returns +a problem document. + +--- + +## 4 · Verification Checklist + +- Concelier `/health` returns `"status":"healthy"` and Storage bootstrap is marked + complete after startup. +- CLI commands return HTTP 202 with a `Location` header (job tracking URL) when + triggering Concelier jobs. +- Export artefacts are materialised under the configured output directories and + their manifests record digests. +- MongoDB contains the expected `document`, `dto`, `advisory`, and `export_state` + collections after a run. + +--- + +## 5 · Deployment Automation + +- Treat `etc/concelier.yaml.sample` as the canonical template. CI/CD should copy it to + the deployment artifact and replace placeholders (DSN, telemetry endpoints, cron + overrides) with environment-specific secrets. +- Keep secret material (Mongo credentials, OTLP tokens) outside of the repository; + inject them via secret stores or pipeline variables at stamp time. +- When building container images, include `trivy-db` (and `oras` if used) so air-gapped + clusters do not need outbound downloads at runtime. + +--- + +## 5 · Next Steps + +- Enable authority-backed authentication in non-production first. 
Set + `authority.enabled: true` while keeping `authority.allowAnonymousFallback: true` + to observe logs, then flip it to `false` before 2025-12-31 UTC to enforce tokens. +- Automate the workflow above via CI/CD (compose stack or Kubernetes CronJobs). +- Pair with the Concelier connector teams when enabling additional sources so their + module-specific requirements are pulled in safely. + +--- + +## 6 · Authority Integration + +- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0 + resource server flows. Populate the `authority` block in `concelier.yaml`: + + ```yaml + authority: + enabled: true + allowAnonymousFallback: false # keep true only during the staged rollout window + issuer: "https://authority.example.org" + audiences: + - "api://concelier" + requiredScopes: + - "concelier.jobs.trigger" + - "advisory:read" + - "advisory:ingest" + requiredTenants: + - "tenant-default" + clientId: "concelier-jobs" + clientSecretFile: "../secrets/concelier-jobs.secret" + clientScopes: + - "concelier.jobs.trigger" + - "advisory:read" + - "advisory:ingest" + bypassNetworks: + - "127.0.0.1/32" + - "::1/128" + ``` + +- Store the client secret outside of source control. Either provide it via + `authority.clientSecret` (environment variable `CONCELIER_AUTHORITY__CLIENTSECRET`) + or point `authority.clientSecretFile` to a file mounted at runtime. +- Cron jobs running on the same host can keep using the API thanks to the loopback + bypass mask. Add additional CIDR ranges as needed; every bypass is logged. 
+- Export the same configuration to Kubernetes or systemd by setting environment + variables such as: + + ```bash + export CONCELIER_AUTHORITY__ENABLED=true + export CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false + export CONCELIER_AUTHORITY__ISSUER="https://authority.example.org" + export CONCELIER_AUTHORITY__CLIENTID="concelier-jobs" + export CONCELIER_AUTHORITY__CLIENTSECRETFILE="/var/run/secrets/concelier/authority-client" + export CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger" + export CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read" + export CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest" + export CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger" + export CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read" + export CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest" + export CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default" + ``` + +- CLI commands already pass `Authorization` headers when credentials are supplied. + Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`) + so that automation can obtain tokens with the same client credentials. Concelier + logs every job request with the client ID, subject (if present), scopes, and + a `bypass` flag so operators can audit cron traffic. +- **Rollout checklist.** + 1. Stage the integration with fallback enabled (`allowAnonymousFallback=true`) and confirm CLI/token issuance using `stella auth status`. + 2. Follow the rehearsal pattern (`allowAnonymousFallback=false`) while monitoring `Concelier.Authorization.Audit` and `web.jobs.triggered`/`web.jobs.trigger.failed` metrics. + 3. Lock in enforcement, review the audit runbook (`docs/modules/concelier/operations/authority-audit-runbook.md`), and document the bypass CIDR approvals in your change log. diff --git a/docs/11_DATA_SCHEMAS.md b/docs/11_DATA_SCHEMAS.md index d606689e..4e32cf4e 100755 --- a/docs/11_DATA_SCHEMAS.md +++ b/docs/11_DATA_SCHEMAS.md 
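Review bot: The quickstart hunk leaves two headings numbered 5 (`## 5 · Deployment Automation` is immediately followed by `## 5 · Next Steps`, then `## 6 · Authority Integration`); renumber Next Steps to 6 and Authority Integration to 7 so the rollout checklist and the verification checklist in §4 can be cross-referenced unambiguously. While touching the authority block, say how the relative `clientSecretFile: "../secrets/concelier-jobs.secret"` path is resolved (relative to the config file or to the working directory), because the Kubernetes/systemd variant in the same hunk uses an absolute `/var/run/secrets/concelier/authority-client` path and a reader copying the YAML sample has no way to tell which base the loader applies.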
@@ -1,550 +1,550 @@ -# Data Schemas & Persistence Contracts - -*Audience* – backend developers, plug‑in authors, DB admins. -*Scope* – describes **Redis**, **MongoDB** (optional), and on‑disk blob shapes that power Stella Ops. - ---- - -## 0 Document Conventions - -* **CamelCase** for JSON. -* All timestamps are **RFC 3339 / ISO 8601** with `Z` (UTC). -* `⭑` = planned but *not* shipped yet (kept on Feature Matrix “To Do”). - ---- - -## 1 SBOM Wrapper Envelope - -Every SBOM blob (regardless of format) is stored on disk or in object storage with a *sidecar* JSON file that indexes it for the scanners. - -#### 1.1 JSON Shape - -```jsonc -{ - "id": "sha256:417f…", // digest of the SBOM *file* itself - "imageDigest": "sha256:e2b9…", // digest of the original container image - "created": "2025-07-14T07:02:13Z", - "format": "trivy-json-v2", // NEW enum: trivy-json-v2 | spdx-json | cyclonedx-json - "layers": [ - "sha256:d38b…", // layer digests (ordered) - "sha256:af45…" - ], - "partial": false, // true => delta SBOM (only some layers) - "provenanceId": "prov_0291" // ⭑ link to SLSA attestation (Q1‑2026) -} -``` - -*`format`* **NEW** – added to support **multiple SBOM formats**. -*`partial`* **NEW** – true when generated via the **delta SBOM** flow (§1.3). - -#### 1.2 File‑system Layout - -``` -blobs/ - ├─ 417f… # digest prefix - │   ├─ sbom.json # payload (any format) - │   └─ sbom.meta.json # wrapper (shape above) -``` - -> **Note** – blob storage can point at S3, MinIO, or plain disk; driver plug‑ins adapt. - -#### 1.3 Delta SBOM Extension - -When `partial: true`, *only* the missing layers have been scanned. -Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Redis. 
- ---- - -## 2 Redis Keyspace - -| Key pattern | Type | TTL | Purpose | -|-------------------------------------|---------|------|--------------------------------------------------| -| `scan:<digest>` | string | ∞ | Last scan JSON result (as returned by `/scan`) | -| `layers:<digest>` | set | 90d | Layers already possessing SBOMs (delta cache) | -| `policy:active` | string | ∞ | YAML **or** Rego ruleset | -| `quota:<token>` | string | *until next UTC midnight* | Per‑token scan counter for Free tier ({{ quota_token }} scans). | -| `policy:history` | list | ∞ | Change audit IDs (see Mongo) | -| `feed:nvd:json` | string | 24h | Normalised feed snapshot | -| `locator:<imageDigest>` | string | 30d | Maps image digest → sbomBlobId | -| `metrics:…` | various | — | Prom / OTLP runtime metrics | - -> **Delta SBOM** uses `layers:*` to skip work in <20 ms. -> **Quota enforcement** increments `quota:` atomically; when {{ quota_token }} the API returns **429**. - ---- - -## 3 MongoDB Collections (Optional) - -Only enabled when `MONGO_URI` is supplied (for long‑term audit). - -| Collection | Shape (summary) | Indexes | -|--------------------|------------------------------------------------------------|-------------------------------------| -| `sbom_history` | Wrapper JSON + `replaceTs` on overwrite | `{imageDigest}` `{created}` | -| `policy_versions` | `{_id, yaml, rego, authorId, created}` | `{created}` | -| `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `{imageDigest}` | -| `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `{userId}` `{ts}` | - -Schema detail for **policy_versions**: - -Samples live under `samples/api/scheduler/` (e.g., `schedule.json`, `run.json`, `impact-set.json`, `audit.json`) and mirror the canonical serializer output shown below. 
- -```jsonc -{ - "_id": "6619e90b8c5e1f76", - "yaml": "version: 1.0\nrules:\n - …", - "rego": null, // filled when Rego uploaded - "authorId": "u_1021", - "created": "2025-07-14T08:15:04Z", - "comment": "Imported via API" -} -``` - -### 3.1 Scheduler Sprints 16 Artifacts - -**Collections.** `schedules`, `runs`, `impact_snapshots`, `audit` (module‑local). All documents reuse the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic. - -#### 3.1.1 Schedule (`schedules`) - -```jsonc -{ - "_id": "sch_20251018a", - "tenantId": "tenant-alpha", - "name": "Nightly Prod", - "enabled": true, - "cronExpression": "0 2 * * *", - "timezone": "UTC", - "mode": "analysis-only", - "selection": { - "scope": "by-namespace", - "namespaces": ["team-a", "team-b"], - "repositories": ["app/service-api"], - "includeTags": ["canary", "prod"], - "labels": [{"key": "env", "values": ["prod", "staging"]}], - "resolvesTags": true - }, - "onlyIf": {"lastReportOlderThanDays": 7, "policyRevision": "policy@42"}, - "notify": {"onNewFindings": true, "minSeverity": "high", "includeKev": true}, - "limits": {"maxJobs": 1000, "ratePerSecond": 25, "parallelism": 4}, - "subscribers": ["notify.ops"], - "createdAt": "2025-10-18T22:00:00Z", - "createdBy": "svc_scheduler", - "updatedAt": "2025-10-18T22:00:00Z", - "updatedBy": "svc_scheduler" -} -``` - -*Constraints*: arrays are alphabetically sorted; `selection.tenantId` is optional but when present must match `tenantId`. Cron expressions are validated for newline/length, timezones are validated via `TimeZoneInfo`. 
- -#### 3.1.2 Run (`runs`) - -```jsonc -{ - "_id": "run_20251018_0001", - "tenantId": "tenant-alpha", - "scheduleId": "sch_20251018a", - "trigger": "feedser", - "state": "running", - "stats": { - "candidates": 1280, - "deduped": 910, - "queued": 624, - "completed": 310, - "deltas": 42, - "newCriticals": 7, - "newHigh": 11, - "newMedium": 18, - "newLow": 6 - }, - "reason": {"feedserExportId": "exp-20251018-03"}, - "createdAt": "2025-10-18T22:03:14Z", - "startedAt": "2025-10-18T22:03:20Z", - "finishedAt": null, - "error": null, - "deltas": [ - { - "imageDigest": "sha256:a1b2c3", - "newFindings": 3, - "newCriticals": 1, - "newHigh": 1, - "newMedium": 1, - "newLow": 0, - "kevHits": ["CVE-2025-0002"], - "topFindings": [ - { - "purl": "pkg:rpm/openssl@3.0.12-5.el9", - "vulnerabilityId": "CVE-2025-0002", - "severity": "critical", - "link": "https://ui.internal/scans/sha256:a1b2c3" - } - ], - "attestation": {"uuid": "rekor-314", "verified": true}, - "detectedAt": "2025-10-18T22:03:21Z" - } - ] -} -``` - -Counters are clamped to ≥0, timestamps are converted to UTC, and delta arrays are sorted (critical → info severity precedence, then vulnerability id). Missing `deltas` implies "no change" snapshots. - -#### 3.1.3 Impact Snapshot (`impact_snapshots`) - -```jsonc -{ - "selector": { - "scope": "all-images", - "tenantId": "tenant-alpha" - }, - "images": [ - { - "imageDigest": "sha256:f1e2d3", - "registry": "registry.internal", - "repository": "app/api", - "namespaces": ["team-a"], - "tags": ["prod"], - "usedByEntrypoint": true, - "labels": {"env": "prod"} - } - ], - "usageOnly": true, - "generatedAt": "2025-10-18T22:02:58Z", - "total": 412, - "snapshotId": "impact-20251018-1" -} -``` - -Images are deduplicated and sorted by digest. Label keys are normalised to lowercase to avoid case‑sensitive duplicates during reconciliation. `snapshotId` enables run planners to compare subsequent snapshots for drift. 
- -#### 3.1.4 Audit (`audit`) - -```jsonc -{ - "_id": "audit_169754", - "tenantId": "tenant-alpha", - "category": "scheduler", - "action": "pause", - "occurredAt": "2025-10-18T22:10:00Z", - "actor": {"actorId": "user_admin", "displayName": "Cluster Admin", "kind": "user"}, - "scheduleId": "sch_20251018a", - "correlationId": "corr-123", - "metadata": {"details": "schedule paused", "reason": "maintenance"}, - "message": "Paused via API" -} -``` - -Metadata keys are lowercased, first‑writer wins (duplicates with different casing are ignored), and optional IDs (`scheduleId`, `runId`) are trimmed when empty. Use the canonical serializer when emitting events so audit digests remain reproducible. - -#### 3.1.5 Run Summary (`run_summaries`) - -Materialized view powering the Scheduler UI dashboards. Stores the latest roll-up per schedule/tenant, enabling quick “last run” banners and sparkline counters without scanning the full `runs` collection. - -```jsonc -{ - "tenantId": "tenant-alpha", - "scheduleId": "sch_20251018a", - "updatedAt": "2025-10-18T22:10:10Z", - "lastRun": { - "runId": "run_20251018_0001", - "trigger": "feedser", - "state": "completed", - "createdAt": "2025-10-18T22:03:14Z", - "startedAt": "2025-10-18T22:03:20Z", - "finishedAt": "2025-10-18T22:08:45Z", - "stats": { - "candidates": 1280, - "deduped": 910, - "queued": 0, - "completed": 910, - "deltas": 42, - "newCriticals": 7, - "newHigh": 11, - "newMedium": 18, - "newLow": 6 - }, - "error": null - }, - "recent": [ - { - "runId": "run_20251018_0001", - "trigger": "feedser", - "state": "completed", - "createdAt": "2025-10-18T22:03:14Z", - "startedAt": "2025-10-18T22:03:20Z", - "finishedAt": "2025-10-18T22:08:45Z", - "stats": { - "candidates": 1280, - "deduped": 910, - "queued": 0, - "completed": 910, - "deltas": 42, - "newCriticals": 7, - "newHigh": 11, - "newMedium": 18, - "newLow": 6 - }, - "error": null - }, - { - "runId": "run_20251017_0003", - "trigger": "cron", - "state": "error", - "createdAt": 
"2025-10-17T22:01:02Z", - "startedAt": "2025-10-17T22:01:08Z", - "finishedAt": "2025-10-17T22:04:11Z", - "stats": { - "candidates": 1040, - "deduped": 812, - "queued": 0, - "completed": 640, - "deltas": 18, - "newCriticals": 2, - "newHigh": 4, - "newMedium": 7, - "newLow": 3 - }, - "error": "scanner timeout" - } - ], - "counters": { - "total": 3, - "planning": 0, - "queued": 0, - "running": 0, - "completed": 1, - "error": 1, - "cancelled": 1, - "totalDeltas": 60, - "totalNewCriticals": 9, - "totalNewHigh": 15, - "totalNewMedium": 25, - "totalNewLow": 9 - } -} -``` - -- `_id` combines `tenantId` and `scheduleId` (`tenant:schedule`). -- `recent` contains the 20 most recent runs ordered by `createdAt` (UTC). Updates replace the existing entry for a run to respect state transitions. -- `counters` aggregate over the retained window (20 runs) for quick trend indicators. Totals are recomputed after every update. -- Schedulers should call the projection service after every run state change so the cache mirrors planner/runner progress. - -Sample file: `samples/api/scheduler/run-summary.json`. - ---- - -## 4 Policy Schema (YAML v1.0) - -Minimal viable grammar (subset of OSV‑SCHEMA ideas). - -```yaml -version: "1.0" -rules: - - name: Block Critical - severity: [Critical] - action: block - - name: Ignore Low Dev - severity: [Low, None] - environments: [dev, staging] - action: ignore - expires: "2026-01-01" - - name: Escalate RegionalFeed High - sources: [NVD, CNNVD, CNVD, ENISA, JVN, BDU] - severity: [High, Critical] - action: escalate -``` - -Validation is performed by `policy:mapping.yaml` JSON‑Schema embedded in backend. - -Canonical schema source: `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-schema@1.json` (embedded into `StellaOps.Policy`). 
-`PolicyValidationCli` (see `src/Policy/__Libraries/StellaOps.Policy/PolicyValidationCli.cs`) provides the reusable command handler that the main CLI wires up; in the interim it can be invoked from a short host like: - -```csharp -await new PolicyValidationCli().RunAsync(new PolicyValidationCliOptions -{ - Inputs = new[] { "policies/root.yaml" }, - Strict = true, -}); -``` - -### 4.1 Rego Variant (Advanced – TODO) - -*Accepted but stored as‑is in `rego` field.* -Evaluated via internal **OPA** side‑car once feature graduates from TODO list. - -### 4.2 Policy Scoring Config (JSON) - -*Schema id.* `https://schemas.stella-ops.org/policy/policy-scoring-schema@1.json` -*Source.* `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-schema@1.json` (embedded in `StellaOps.Policy`), default fixture at `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-default.json`. - -```jsonc -{ - "version": "1.0", - "severityWeights": {"Critical": 90, "High": 75, "Unknown": 60, "...": 0}, - "quietPenalty": 45, - "warnPenalty": 15, - "ignorePenalty": 35, - "trustOverrides": {"vendor": 1.0, "distro": 0.85}, - "reachabilityBuckets": {"entrypoint": 1.0, "direct": 0.85, "runtime": 0.45, "unknown": 0.5}, - "unknownConfidence": { - "initial": 0.8, - "decayPerDay": 0.05, - "floor": 0.2, - "bands": [ - {"name": "high", "min": 0.65}, - {"name": "medium", "min": 0.35}, - {"name": "low", "min": 0.0} - ] - } -} -``` - -Validation occurs alongside policy binding (`PolicyScoringConfigBinder`), producing deterministic digests via `PolicyScoringConfigDigest`. Bands are ordered descending by `min` so consumers can resolve confidence tiers deterministically. Reachability buckets are case-insensitive keys (`entrypoint`, `direct`, `indirect`, `runtime`, `unreachable`, `unknown`) with numeric multipliers (default ≤1.0). - -**Runtime usage** -- `trustOverrides` are matched against `finding.tags` (`trust:`) first, then `finding.source`/`finding.vendor`; missing keys default to `1.0`. 
-- `reachabilityBuckets` consume `finding.tags` with prefix `reachability:` (fallback `usage:` or `unknown`). Missing buckets fall back to `unknown` weight when present, otherwise `1.0`. -- Policy verdicts expose scoring inputs (`severityWeight`, `trustWeight`, `reachabilityWeight`, `baseScore`, penalties) plus unknown-state metadata (`unknownConfidence`, `unknownAgeDays`, `confidenceBand`) for auditability. See `samples/policy/policy-preview-unknown.json` and `samples/policy/policy-report-unknown.json` for offline reference payloads validated against the published schemas below. - -Validate the samples locally with **Ajv** before publishing changes: - -```bash -# install once per checkout (offline-safe): -npm install --no-save ajv-cli@5 ajv-formats@2 - -npx ajv validate --spec=draft2020 -c ajv-formats \ - -s docs/schemas/policy-preview-sample@1.json \ - -d samples/policy/policy-preview-unknown.json - -npx ajv validate --spec=draft2020 -c ajv-formats \ - -s docs/schemas/policy-report-sample@1.json \ - -d samples/policy/policy-report-unknown.json -``` -- Unknown confidence derives from `unknown-age-days:` (preferred) or `unknown-since:` + `observed-at:` tags; with no hints the engine keeps `initial` confidence. Values decay by `decayPerDay` down to `floor`, then resolve to the first matching `bands[].name`. - ---- - -## 5 SLSA Attestation Schema ⭑ - -Planned for Q1‑2026 (kept here for early plug‑in authors). 
- -```jsonc -{ - "id": "prov_0291", - "imageDigest": "sha256:e2b9…", - "buildType": "https://slsa.dev/container/v1", - "builder": { - "id": "https://git.stella-ops.ru/ci/stella-runner@sha256:f7b7…" - }, - "metadata": { - "invocation": { - "parameters": {"GIT_SHA": "f6a1…"}, - "buildStart": "2025-07-14T06:59:17Z", - "buildEnd": "2025-07-14T07:01:22Z" - }, - "completeness": {"parameters": true} - }, - "materials": [ - {"uri": "git+https://git…", "digest": {"sha1": "f6a1…"}} - ], - "rekorLogIndex": 99817 // entry in local Rekor mirror -} -``` - ---- - -## 6 Notify Foundations (Rule · Channel · Event) - -*Sprint 15 target* – canonically describe the Notify data shapes that UI, workers, and storage consume. JSON Schemas live under `docs/modules/notify/resources/schemas/` and deterministic fixtures under `docs/modules/notify/resources/samples/`. - -| Artifact | Schema | Sample | -|----------|--------|--------| -| **Rule** (catalogued routing logic) | `docs/modules/notify/resources/schemas/notify-rule@1.json` | `docs/modules/notify/resources/samples/notify-rule@1.sample.json` | -| **Channel** (delivery endpoint definition) | `docs/modules/notify/resources/schemas/notify-channel@1.json` | `docs/modules/notify/resources/samples/notify-channel@1.sample.json` | -| **Template** (rendering payload) | `docs/modules/notify/resources/schemas/notify-template@1.json` | `docs/modules/notify/resources/samples/notify-template@1.sample.json` | -| **Event envelope** (Notify ingest surface) | `docs/modules/notify/resources/schemas/notify-event@1.json` | `docs/modules/notify/resources/samples/notify-event@1.sample.json` | - -### 6.1 Rule highlights (`notify-rule@1`) - -* Keys are lower‑cased camelCase. `schemaVersion` (`notify.rule@1`), `ruleId`, `tenantId`, `name`, `match`, `actions`, `createdAt`, and `updatedAt` are mandatory. -* `match.eventKinds`, `match.verdicts`, and other array selectors are pre‑sorted and case‑normalized (e.g. `scanner.report.ready`). 
-* `actions[].throttle` serialises as ISO 8601 duration (`PT5M`), mirroring worker backoff guardrails. -* `vex` gates let operators exclude accepted/not‑affected justifications; omit the block to inherit default behaviour. -* Use `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeRule(JsonNode)` when deserialising legacy payloads that might lack `schemaVersion` or retain older revisions. -* Soft deletions persist `deletedAt` in Mongo (and disable the rule); repository queries automatically filter them. - -### 6.2 Channel highlights (`notify-channel@1`) - -* `schemaVersion` is pinned to `notify.channel@1` and must accompany persisted documents. -* `type` matches plug‑in identifiers (`slack`, `teams`, `email`, `webhook`, `custom`). -* `config.secretRef` stores an external secret handle (Authority, Vault, K8s). Notify never persists raw credentials. -* Optional `config.limits.timeout` uses ISO 8601 durations identical to rule throttles; concurrency/RPM defaults apply when absent. -* `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeChannel(JsonNode)` backfills the schema version when older documents omit it. -* Channels share the same soft-delete marker (`deletedAt`) so operators can restore prior configuration without purging history. - -### 6.3 Event envelope (`notify-event@1`) - -* Aligns with the platform event contract—`eventId` UUID, RFC 3339 `ts`, tenant isolation enforced. -* Enumerated `kind` covers the initial Notify surface (`scanner.report.ready`, `scheduler.rescan.delta`, `zastava.admission`, etc.). -* `scope.labels`/`scope.attributes` and top-level `attributes` mirror the metadata dictionaries workers surface for templating and audits. -* Notify workers use the same migration helper to wrap event payloads before template rendering, so schema additions remain additive. 
- -### 6.4 Template highlights (`notify-template@1`) - -* Carries the presentation key (`channelType`, `key`, `locale`) and the raw template body; `schemaVersion` is fixed to `notify.template@1`. -* `renderMode` enumerates supported engines (`markdown`, `html`, `adaptiveCard`, `plainText`, `json`) aligning with `NotifyTemplateRenderMode`. -* `format` signals downstream connector expectations (`slack`, `teams`, `email`, `webhook`, `json`). -* Upgrade legacy definitions with `NotifySchemaMigration.UpgradeTemplate(JsonNode)` to auto-apply the new schema version and ordering. -* Templates also record soft deletes via `deletedAt`; UI/API skip them by default while retaining revision history. - -**Validation loop:** - -```bash -# Validate Notify schemas and samples (matches Docs CI) -for schema in docs/modules/notify/resources/schemas/*.json; do - npx ajv compile -c ajv-formats -s "$schema" -done - -for sample in docs/modules/notify/resources/samples/*.sample.json; do - schema="docs/modules/notify/resources/schemas/$(basename "${sample%.sample.json}").json" - npx ajv validate -c ajv-formats -s "$schema" -d "$sample" -done -``` - -Integration tests can embed the sample fixtures to guarantee deterministic serialisation from the `StellaOps.Notify.Models` DTOs introduced in Sprint 15. - ---- - -## 6 Validator Contracts - -* For SBOM wrapper – `ISbomValidator` (DLL plug‑in) must return *typed* error list. -* For YAML policies – JSON‑Schema at `/schemas/policy‑v1.json`. -* For Rego – OPA `opa eval --fail-defined` under the hood. -* For **Free‑tier quotas** – `IQuotaService` integration tests ensure `quota:` resets at UTC midnight and produces correct `Retry‑After` headers. - ---- - -## 7 Migration Notes - -1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`. -2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard). -3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled. -4. 
Prepare `attestations` collection (empty) – safe to create in advance. - ---- - -## 8 Open Questions / Future Work - -* How to de‑duplicate *identical* Rego policies differing only in whitespace? -* Embed *GOST 34.11‑2018* digests when users enable Russian crypto suite? -* Should enterprise tiers share the same Redis quota keys or switch to JWT claim `tier != Free` bypass? -* Evaluate sliding‑window quota instead of strict daily reset. -* Consider rate‑limit for `/layers/missing` to avoid brute‑force enumeration. - ---- - -## 9 Change Log - -| Date | Note | -|------------|--------------------------------------------------------------------------------| -| 2025‑07‑14 | **Added:** `format`, `partial`, delta cache keys, YAML policy schema v1.0. | -| 2025‑07‑12 | **Initial public draft** – SBOM wrapper, Redis keyspace, audit collections. | - ---- +# Data Schemas & Persistence Contracts + +*Audience* – backend developers, plug‑in authors, DB admins. +*Scope* – describes **Redis**, **MongoDB** (optional), and on‑disk blob shapes that power Stella Ops. + +--- + +## 0 Document Conventions + +* **CamelCase** for JSON. +* All timestamps are **RFC 3339 / ISO 8601** with `Z` (UTC). +* `⭑` = planned but *not* shipped yet (kept on Feature Matrix “To Do”). + +--- + +## 1 SBOM Wrapper Envelope + +Every SBOM blob (regardless of format) is stored on disk or in object storage with a *sidecar* JSON file that indexes it for the scanners. 
+ +#### 1.1 JSON Shape + +```jsonc +{ + "id": "sha256:417f…", // digest of the SBOM *file* itself + "imageDigest": "sha256:e2b9…", // digest of the original container image + "created": "2025-07-14T07:02:13Z", + "format": "trivy-json-v2", // NEW enum: trivy-json-v2 | spdx-json | cyclonedx-json + "layers": [ + "sha256:d38b…", // layer digests (ordered) + "sha256:af45…" + ], + "partial": false, // true => delta SBOM (only some layers) + "provenanceId": "prov_0291" // ⭑ link to SLSA attestation (Q1‑2026) +} +``` + +*`format`* **NEW** – added to support **multiple SBOM formats**. +*`partial`* **NEW** – true when generated via the **delta SBOM** flow (§1.3). + +#### 1.2 File‑system Layout + +``` +blobs/ + ├─ 417f… # digest prefix + │   ├─ sbom.json # payload (any format) + │   └─ sbom.meta.json # wrapper (shape above) +``` + +> **Note** – blob storage can point at S3, MinIO, or plain disk; driver plug‑ins adapt. + +#### 1.3 Delta SBOM Extension + +When `partial: true`, *only* the missing layers have been scanned. +Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Redis. + +--- + +## 2 Redis Keyspace + +| Key pattern | Type | TTL | Purpose | +|-------------------------------------|---------|------|--------------------------------------------------| +| `scan:<digest>` | string | ∞ | Last scan JSON result (as returned by `/scan`) | +| `layers:<digest>` | set | 90d | Layers already possessing SBOMs (delta cache) | +| `policy:active` | string | ∞ | YAML **or** Rego ruleset | +| `quota:<token>` | string | *until next UTC midnight* | Per‑token scan counter for Free tier ({{ quota_token }} scans). | +| `policy:history` | list | ∞ | Change audit IDs (see Mongo) | +| `feed:nvd:json` | string | 24h | Normalised feed snapshot | +| `locator:<imageDigest>` | string | 30d | Maps image digest → sbomBlobId | +| `metrics:…` | various | — | Prom / OTLP runtime metrics | + +> **Delta SBOM** uses `layers:*` to skip work in <20 ms. 
+> **Quota enforcement** increments `quota:` atomically; when {{ quota_token }} the API returns **429**. + +--- + +## 3 MongoDB Collections (Optional) + +Only enabled when `MONGO_URI` is supplied (for long‑term audit). + +| Collection | Shape (summary) | Indexes | +|--------------------|------------------------------------------------------------|-------------------------------------| +| `sbom_history` | Wrapper JSON + `replaceTs` on overwrite | `{imageDigest}` `{created}` | +| `policy_versions` | `{_id, yaml, rego, authorId, created}` | `{created}` | +| `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `{imageDigest}` | +| `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `{userId}` `{ts}` | + +Schema detail for **policy_versions**: + +Samples live under `samples/api/scheduler/` (e.g., `schedule.json`, `run.json`, `impact-set.json`, `audit.json`) and mirror the canonical serializer output shown below. + +```jsonc +{ + "_id": "6619e90b8c5e1f76", + "yaml": "version: 1.0\nrules:\n - …", + "rego": null, // filled when Rego uploaded + "authorId": "u_1021", + "created": "2025-07-14T08:15:04Z", + "comment": "Imported via API" +} +``` + +### 3.1 Scheduler Sprints 16 Artifacts + +**Collections.** `schedules`, `runs`, `impact_snapshots`, `audit` (module‑local). All documents reuse the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic. 
+ +#### 3.1.1 Schedule (`schedules`) + +```jsonc +{ + "_id": "sch_20251018a", + "tenantId": "tenant-alpha", + "name": "Nightly Prod", + "enabled": true, + "cronExpression": "0 2 * * *", + "timezone": "UTC", + "mode": "analysis-only", + "selection": { + "scope": "by-namespace", + "namespaces": ["team-a", "team-b"], + "repositories": ["app/service-api"], + "includeTags": ["canary", "prod"], + "labels": [{"key": "env", "values": ["prod", "staging"]}], + "resolvesTags": true + }, + "onlyIf": {"lastReportOlderThanDays": 7, "policyRevision": "policy@42"}, + "notify": {"onNewFindings": true, "minSeverity": "high", "includeKev": true}, + "limits": {"maxJobs": 1000, "ratePerSecond": 25, "parallelism": 4}, + "subscribers": ["notify.ops"], + "createdAt": "2025-10-18T22:00:00Z", + "createdBy": "svc_scheduler", + "updatedAt": "2025-10-18T22:00:00Z", + "updatedBy": "svc_scheduler" +} +``` + +*Constraints*: arrays are alphabetically sorted; `selection.tenantId` is optional but when present must match `tenantId`. Cron expressions are validated for newline/length, timezones are validated via `TimeZoneInfo`. 
+ +#### 3.1.2 Run (`runs`) + +```jsonc +{ + "_id": "run_20251018_0001", + "tenantId": "tenant-alpha", + "scheduleId": "sch_20251018a", + "trigger": "feedser", + "state": "running", + "stats": { + "candidates": 1280, + "deduped": 910, + "queued": 624, + "completed": 310, + "deltas": 42, + "newCriticals": 7, + "newHigh": 11, + "newMedium": 18, + "newLow": 6 + }, + "reason": {"feedserExportId": "exp-20251018-03"}, + "createdAt": "2025-10-18T22:03:14Z", + "startedAt": "2025-10-18T22:03:20Z", + "finishedAt": null, + "error": null, + "deltas": [ + { + "imageDigest": "sha256:a1b2c3", + "newFindings": 3, + "newCriticals": 1, + "newHigh": 1, + "newMedium": 1, + "newLow": 0, + "kevHits": ["CVE-2025-0002"], + "topFindings": [ + { + "purl": "pkg:rpm/openssl@3.0.12-5.el9", + "vulnerabilityId": "CVE-2025-0002", + "severity": "critical", + "link": "https://ui.internal/scans/sha256:a1b2c3" + } + ], + "attestation": {"uuid": "rekor-314", "verified": true}, + "detectedAt": "2025-10-18T22:03:21Z" + } + ] +} +``` + +Counters are clamped to ≥0, timestamps are converted to UTC, and delta arrays are sorted (critical → info severity precedence, then vulnerability id). Missing `deltas` implies "no change" snapshots. + +#### 3.1.3 Impact Snapshot (`impact_snapshots`) + +```jsonc +{ + "selector": { + "scope": "all-images", + "tenantId": "tenant-alpha" + }, + "images": [ + { + "imageDigest": "sha256:f1e2d3", + "registry": "registry.internal", + "repository": "app/api", + "namespaces": ["team-a"], + "tags": ["prod"], + "usedByEntrypoint": true, + "labels": {"env": "prod"} + } + ], + "usageOnly": true, + "generatedAt": "2025-10-18T22:02:58Z", + "total": 412, + "snapshotId": "impact-20251018-1" +} +``` + +Images are deduplicated and sorted by digest. Label keys are normalised to lowercase to avoid case‑sensitive duplicates during reconciliation. `snapshotId` enables run planners to compare subsequent snapshots for drift. 
+ +#### 3.1.4 Audit (`audit`) + +```jsonc +{ + "_id": "audit_169754", + "tenantId": "tenant-alpha", + "category": "scheduler", + "action": "pause", + "occurredAt": "2025-10-18T22:10:00Z", + "actor": {"actorId": "user_admin", "displayName": "Cluster Admin", "kind": "user"}, + "scheduleId": "sch_20251018a", + "correlationId": "corr-123", + "metadata": {"details": "schedule paused", "reason": "maintenance"}, + "message": "Paused via API" +} +``` + +Metadata keys are lowercased, first‑writer wins (duplicates with different casing are ignored), and optional IDs (`scheduleId`, `runId`) are trimmed when empty. Use the canonical serializer when emitting events so audit digests remain reproducible. + +#### 3.1.5 Run Summary (`run_summaries`) + +Materialized view powering the Scheduler UI dashboards. Stores the latest roll-up per schedule/tenant, enabling quick “last run” banners and sparkline counters without scanning the full `runs` collection. + +```jsonc +{ + "tenantId": "tenant-alpha", + "scheduleId": "sch_20251018a", + "updatedAt": "2025-10-18T22:10:10Z", + "lastRun": { + "runId": "run_20251018_0001", + "trigger": "feedser", + "state": "completed", + "createdAt": "2025-10-18T22:03:14Z", + "startedAt": "2025-10-18T22:03:20Z", + "finishedAt": "2025-10-18T22:08:45Z", + "stats": { + "candidates": 1280, + "deduped": 910, + "queued": 0, + "completed": 910, + "deltas": 42, + "newCriticals": 7, + "newHigh": 11, + "newMedium": 18, + "newLow": 6 + }, + "error": null + }, + "recent": [ + { + "runId": "run_20251018_0001", + "trigger": "feedser", + "state": "completed", + "createdAt": "2025-10-18T22:03:14Z", + "startedAt": "2025-10-18T22:03:20Z", + "finishedAt": "2025-10-18T22:08:45Z", + "stats": { + "candidates": 1280, + "deduped": 910, + "queued": 0, + "completed": 910, + "deltas": 42, + "newCriticals": 7, + "newHigh": 11, + "newMedium": 18, + "newLow": 6 + }, + "error": null + }, + { + "runId": "run_20251017_0003", + "trigger": "cron", + "state": "error", + "createdAt": 
"2025-10-17T22:01:02Z", + "startedAt": "2025-10-17T22:01:08Z", + "finishedAt": "2025-10-17T22:04:11Z", + "stats": { + "candidates": 1040, + "deduped": 812, + "queued": 0, + "completed": 640, + "deltas": 18, + "newCriticals": 2, + "newHigh": 4, + "newMedium": 7, + "newLow": 3 + }, + "error": "scanner timeout" + } + ], + "counters": { + "total": 3, + "planning": 0, + "queued": 0, + "running": 0, + "completed": 1, + "error": 1, + "cancelled": 1, + "totalDeltas": 60, + "totalNewCriticals": 9, + "totalNewHigh": 15, + "totalNewMedium": 25, + "totalNewLow": 9 + } +} +``` + +- `_id` combines `tenantId` and `scheduleId` (`tenant:schedule`). +- `recent` contains the 20 most recent runs ordered by `createdAt` (UTC). Updates replace the existing entry for a run to respect state transitions. +- `counters` aggregate over the retained window (20 runs) for quick trend indicators. Totals are recomputed after every update. +- Schedulers should call the projection service after every run state change so the cache mirrors planner/runner progress. + +Sample file: `samples/api/scheduler/run-summary.json`. + +--- + +## 4 Policy Schema (YAML v1.0) + +Minimal viable grammar (subset of OSV‑SCHEMA ideas). + +```yaml +version: "1.0" +rules: + - name: Block Critical + severity: [Critical] + action: block + - name: Ignore Low Dev + severity: [Low, None] + environments: [dev, staging] + action: ignore + expires: "2026-01-01" + - name: Escalate RegionalFeed High + sources: [NVD, CNNVD, CNVD, ENISA, JVN, BDU] + severity: [High, Critical] + action: escalate +``` + +Validation is performed by `policy:mapping.yaml` JSON‑Schema embedded in backend. + +Canonical schema source: `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-schema@1.json` (embedded into `StellaOps.Policy`). 
+`PolicyValidationCli` (see `src/Policy/__Libraries/StellaOps.Policy/PolicyValidationCli.cs`) provides the reusable command handler that the main CLI wires up; in the interim it can be invoked from a short host like: + +```csharp +await new PolicyValidationCli().RunAsync(new PolicyValidationCliOptions +{ + Inputs = new[] { "policies/root.yaml" }, + Strict = true, +}); +``` + +### 4.1 Rego Variant (Advanced – TODO) + +*Accepted but stored as‑is in `rego` field.* +Evaluated via internal **OPA** side‑car once feature graduates from TODO list. + +### 4.2 Policy Scoring Config (JSON) + +*Schema id.* `https://schemas.stella-ops.org/policy/policy-scoring-schema@1.json` +*Source.* `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-schema@1.json` (embedded in `StellaOps.Policy`), default fixture at `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-default.json`. + +```jsonc +{ + "version": "1.0", + "severityWeights": {"Critical": 90, "High": 75, "Unknown": 60, "...": 0}, + "quietPenalty": 45, + "warnPenalty": 15, + "ignorePenalty": 35, + "trustOverrides": {"vendor": 1.0, "distro": 0.85}, + "reachabilityBuckets": {"entrypoint": 1.0, "direct": 0.85, "runtime": 0.45, "unknown": 0.5}, + "unknownConfidence": { + "initial": 0.8, + "decayPerDay": 0.05, + "floor": 0.2, + "bands": [ + {"name": "high", "min": 0.65}, + {"name": "medium", "min": 0.35}, + {"name": "low", "min": 0.0} + ] + } +} +``` + +Validation occurs alongside policy binding (`PolicyScoringConfigBinder`), producing deterministic digests via `PolicyScoringConfigDigest`. Bands are ordered descending by `min` so consumers can resolve confidence tiers deterministically. Reachability buckets are case-insensitive keys (`entrypoint`, `direct`, `indirect`, `runtime`, `unreachable`, `unknown`) with numeric multipliers (default ≤1.0). + +**Runtime usage** +- `trustOverrides` are matched against `finding.tags` (`trust:`) first, then `finding.source`/`finding.vendor`; missing keys default to `1.0`. 
+- `reachabilityBuckets` consume `finding.tags` with prefix `reachability:` (fallback `usage:` or `unknown`). Missing buckets fall back to `unknown` weight when present, otherwise `1.0`. +- Policy verdicts expose scoring inputs (`severityWeight`, `trustWeight`, `reachabilityWeight`, `baseScore`, penalties) plus unknown-state metadata (`unknownConfidence`, `unknownAgeDays`, `confidenceBand`) for auditability. See `samples/policy/policy-preview-unknown.json` and `samples/policy/policy-report-unknown.json` for offline reference payloads validated against the published schemas below. + +Validate the samples locally with **Ajv** before publishing changes: + +```bash +# install once per checkout (offline-safe): +npm install --no-save ajv-cli@5 ajv-formats@2 + +npx ajv validate --spec=draft2020 -c ajv-formats \ + -s docs/schemas/policy-preview-sample@1.json \ + -d samples/policy/policy-preview-unknown.json + +npx ajv validate --spec=draft2020 -c ajv-formats \ + -s docs/schemas/policy-report-sample@1.json \ + -d samples/policy/policy-report-unknown.json +``` +- Unknown confidence derives from `unknown-age-days:` (preferred) or `unknown-since:` + `observed-at:` tags; with no hints the engine keeps `initial` confidence. Values decay by `decayPerDay` down to `floor`, then resolve to the first matching `bands[].name`. + +--- + +## 5 SLSA Attestation Schema ⭑ + +Planned for Q1‑2026 (kept here for early plug‑in authors). 
+ +```jsonc +{ + "id": "prov_0291", + "imageDigest": "sha256:e2b9…", + "buildType": "https://slsa.dev/container/v1", + "builder": { + "id": "https://git.stella-ops.ru/ci/stella-runner@sha256:f7b7…" + }, + "metadata": { + "invocation": { + "parameters": {"GIT_SHA": "f6a1…"}, + "buildStart": "2025-07-14T06:59:17Z", + "buildEnd": "2025-07-14T07:01:22Z" + }, + "completeness": {"parameters": true} + }, + "materials": [ + {"uri": "git+https://git…", "digest": {"sha1": "f6a1…"}} + ], + "rekorLogIndex": 99817 // entry in local Rekor mirror +} +``` + +--- + +## 6 Notify Foundations (Rule · Channel · Event) + +*Sprint 15 target* – canonically describe the Notify data shapes that UI, workers, and storage consume. JSON Schemas live under `docs/modules/notify/resources/schemas/` and deterministic fixtures under `docs/modules/notify/resources/samples/`. + +| Artifact | Schema | Sample | +|----------|--------|--------| +| **Rule** (catalogued routing logic) | `docs/modules/notify/resources/schemas/notify-rule@1.json` | `docs/modules/notify/resources/samples/notify-rule@1.sample.json` | +| **Channel** (delivery endpoint definition) | `docs/modules/notify/resources/schemas/notify-channel@1.json` | `docs/modules/notify/resources/samples/notify-channel@1.sample.json` | +| **Template** (rendering payload) | `docs/modules/notify/resources/schemas/notify-template@1.json` | `docs/modules/notify/resources/samples/notify-template@1.sample.json` | +| **Event envelope** (Notify ingest surface) | `docs/modules/notify/resources/schemas/notify-event@1.json` | `docs/modules/notify/resources/samples/notify-event@1.sample.json` | + +### 6.1 Rule highlights (`notify-rule@1`) + +* Keys are lower‑cased camelCase. `schemaVersion` (`notify.rule@1`), `ruleId`, `tenantId`, `name`, `match`, `actions`, `createdAt`, and `updatedAt` are mandatory. +* `match.eventKinds`, `match.verdicts`, and other array selectors are pre‑sorted and case‑normalized (e.g. `scanner.report.ready`). 
+* `actions[].throttle` serialises as ISO 8601 duration (`PT5M`), mirroring worker backoff guardrails. +* `vex` gates let operators exclude accepted/not‑affected justifications; omit the block to inherit default behaviour. +* Use `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeRule(JsonNode)` when deserialising legacy payloads that might lack `schemaVersion` or retain older revisions. +* Soft deletions persist `deletedAt` in Mongo (and disable the rule); repository queries automatically filter them. + +### 6.2 Channel highlights (`notify-channel@1`) + +* `schemaVersion` is pinned to `notify.channel@1` and must accompany persisted documents. +* `type` matches plug‑in identifiers (`slack`, `teams`, `email`, `webhook`, `custom`). +* `config.secretRef` stores an external secret handle (Authority, Vault, K8s). Notify never persists raw credentials. +* Optional `config.limits.timeout` uses ISO 8601 durations identical to rule throttles; concurrency/RPM defaults apply when absent. +* `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeChannel(JsonNode)` backfills the schema version when older documents omit it. +* Channels share the same soft-delete marker (`deletedAt`) so operators can restore prior configuration without purging history. + +### 6.3 Event envelope (`notify-event@1`) + +* Aligns with the platform event contract—`eventId` UUID, RFC 3339 `ts`, tenant isolation enforced. +* Enumerated `kind` covers the initial Notify surface (`scanner.report.ready`, `scheduler.rescan.delta`, `zastava.admission`, etc.). +* `scope.labels`/`scope.attributes` and top-level `attributes` mirror the metadata dictionaries workers surface for templating and audits. +* Notify workers use the same migration helper to wrap event payloads before template rendering, so schema additions remain additive. 
+ +### 6.4 Template highlights (`notify-template@1`) + +* Carries the presentation key (`channelType`, `key`, `locale`) and the raw template body; `schemaVersion` is fixed to `notify.template@1`. +* `renderMode` enumerates supported engines (`markdown`, `html`, `adaptiveCard`, `plainText`, `json`) aligning with `NotifyTemplateRenderMode`. +* `format` signals downstream connector expectations (`slack`, `teams`, `email`, `webhook`, `json`). +* Upgrade legacy definitions with `NotifySchemaMigration.UpgradeTemplate(JsonNode)` to auto-apply the new schema version and ordering. +* Templates also record soft deletes via `deletedAt`; UI/API skip them by default while retaining revision history. + +**Validation loop:** + +```bash +# Validate Notify schemas and samples (matches Docs CI) +for schema in docs/modules/notify/resources/schemas/*.json; do + npx ajv compile -c ajv-formats -s "$schema" +done + +for sample in docs/modules/notify/resources/samples/*.sample.json; do + schema="docs/modules/notify/resources/schemas/$(basename "${sample%.sample.json}").json" + npx ajv validate -c ajv-formats -s "$schema" -d "$sample" +done +``` + +Integration tests can embed the sample fixtures to guarantee deterministic serialisation from the `StellaOps.Notify.Models` DTOs introduced in Sprint 15. + +--- + +## 6 Validator Contracts + +* For SBOM wrapper – `ISbomValidator` (DLL plug‑in) must return *typed* error list. +* For YAML policies – JSON‑Schema at `/schemas/policy‑v1.json`. +* For Rego – OPA `opa eval --fail-defined` under the hood. +* For **Free‑tier quotas** – `IQuotaService` integration tests ensure `quota:` resets at UTC midnight and produces correct `Retry‑After` headers. + +--- + +## 7 Migration Notes + +1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`. +2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard). +3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled. +4. 
Prepare `attestations` collection (empty) – safe to create in advance. + +--- + +## 8 Open Questions / Future Work + +* How to de‑duplicate *identical* Rego policies differing only in whitespace? +* Embed *GOST 34.11‑2018* digests when users enable Russian crypto suite? +* Should enterprise tiers share the same Redis quota keys or switch to JWT claim `tier != Free` bypass? +* Evaluate sliding‑window quota instead of strict daily reset. +* Consider rate‑limit for `/layers/missing` to avoid brute‑force enumeration. + +--- + +## 9 Change Log + +| Date | Note | +|------------|--------------------------------------------------------------------------------| +| 2025‑07‑14 | **Added:** `format`, `partial`, delta cache keys, YAML policy schema v1.0. | +| 2025‑07‑12 | **Initial public draft** – SBOM wrapper, Redis keyspace, audit collections. | + +--- diff --git a/docs/12_PERFORMANCE_WORKBOOK.md b/docs/12_PERFORMANCE_WORKBOOK.md index 26a5ccc4..98499c62 100755 --- a/docs/12_PERFORMANCE_WORKBOOK.md +++ b/docs/12_PERFORMANCE_WORKBOOK.md 
@@ -1,170 +1,170 @@ -# 12 - Performance Workbook - -*Purpose* – define **repeatable, data‑driven** benchmarks that guard Stella Ops’ core pledge: -> *“P95 vulnerability feedback in ≤ 5 seconds.”* - ---- - -## 0 Benchmark Scope - -| Area | Included | Excluded | -|------------------|----------------------------------|---------------------------| -| SBOM‑first scan | Trivy engine w/ warmed DB | Full image unpack ≥ 300 MB | -| Delta SBOM ⭑ | Missing‑layer lookup & merge | Multi‑arch images | -| Policy eval ⭑ | YAML → JSON → rule match | Rego (until GA) | -| Feed merge | NVD JSON 2023–2025 | GHSA GraphQL (plugin) | -| Quota wait‑path | 5 s soft‑wait, 60 s hard‑wait behaviour | Paid tiers (unlimited) | -| API latency | REST `/scan`, `/layers/missing` | UI SPA calls | - -⭑ = new in July 2025. - ---- - -## 1 Hardware Baseline (Reference Rig) - -| Element | Spec | -|-------------|------------------------------------| -| CPU | 8 vCPU (Intel Ice‑Lake equiv.) | -| Memory | 16 GiB | -| Disk | NVMe SSD, 3 GB/s R/W | -| Network | 1 Gbit virt. switch | -| Container | Docker 25.0 + overlay2 | -| OS | Ubuntu 22.04 LTS (kernel 6.8) | - -*All P95 targets assume a **single‑node** deployment on this rig unless stated.* - ---- - -## 2 Phase Targets & Gates - -| Phase (ID) | Target P95 | Gate (CI) | Rationale | -|-----------------------|-----------:|-----------|----------------------------------------| -| **SBOM_FIRST** | ≤ 5 s | `hard` | Core UX promise. | -| **IMAGE_UNPACK** | ≤ 10 s | `soft` | Fallback path for legacy flows. | -| **DELTA_SBOM** ⭑ | ≤ 1 s | `hard` | Needed to stay sub‑5 s for big bases. | -| **POLICY_EVAL** ⭑ | ≤ 50 ms | `hard` | Keeps gate latency invisible to users. | -| **QUOTA_WAIT** ⭑ | *soft* ≤ 5 s
*hard* ≤ 60 s | `hard` | Ensures graceful Free‑tier throttling. | -| **SCHED_RESCAN** | ≤ 30 s | `soft` | Nightly batch – not user‑facing. | -| **FEED_MERGE** | ≤ 60 s | `soft` | Off‑peak cron @ 01:00. | -| **API_P95** | ≤ 200 ms | `hard` | UI snappiness. | - -*Gate* legend — `hard`: break CI if regression > 3 × target, -`soft`: raise warning & issue ticket. - ---- - -## 3 Test Harness - -* **Runner** – `perf/run.sh`, accepts `--phase` and `--samples`. -* **Language analyzers microbench** – `dotnet run --project src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out src/Bench/StellaOps.Bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded. -* **Metrics** – Prometheus + `jq` extracts; aggregated via `scripts/aggregate.ts`. -* **CI** – GitLab CI job *benchmark* publishes JSON to `bench‑artifacts/`. -* **Visualisation** – Grafana dashboard *Stella‑Perf* (provisioned JSON). - -> **Note** – harness mounts `/var/cache/trivy` tmpfs to avoid disk noise. - ---- - -## 4 Current Results (July 2025) - -| Phase | Samples | Mean (s) | P95 (s) | Target OK? | -|---------------|--------:|---------:|--------:|-----------:| -| SBOM_FIRST | 100 | 3.7 | 4.9 | ✅ | -| IMAGE_UNPACK | 50 | 6.4 | 9.2 | ✅ | -| **DELTA_SBOM**| 100 | 0.46 | 0.83 | ✅ | -| **POLICY_EVAL** | 1 000 | 0.021 | 0.041 | ✅ | -| **QUOTA_WAIT** | 80 | 4.0* | 4.9* | ✅ | -| SCHED_RESCAN | 10 | 18.3 | 24.9 | ✅ | -| FEED_MERGE | 3 | 38.1 | 41.0 | ✅ | -| API_P95 | 20 000 | 0.087 | 0.143 | ✅ | - -*Data files:* `bench-artifacts/2025‑07‑14/phase‑stats.json`. - ---- - -## 5 Δ‑SBOM Micro‑Benchmark Detail - -### 5.1 Scenario - -1. 
Base image `python:3.12-slim` already scanned (all layers cached). -2. Application layer (`COPY . /app`) triggers new digest. -3. `Stella CLI` lists **7** layers, backend replies *6 hit*, *1 miss*. -4. Builder scans **only 1 layer** (~9 MiB, 217 files) & uploads delta. - -### 5.2 Key Timings - -| Step | Time (ms) | -|---------------------|----------:| -| `/layers/missing` | 13 | -| Trivy single layer | 655 | -| Upload delta blob | 88 | -| Backend merge + CVE | 74 | -| **Total wall‑time** | **830 ms** | - ---- - -## 6 Quota Wait‑Path Benchmark Detail - -### 6.1 Scenario - -1. Free‑tier token reaches **scan #200** – dashboard shows yellow banner. - -### 6.2 Key Timings - -| Step | Time (ms) | -|------------------------------------|----------:| -| `/quota/check` Redis LUA INCR | 0.8 | -| Soft wait sleep (server) | 5 000 | -| Hard wait sleep (server) | 60 000 | -| End‑to‑end wall‑time (soft‑hit) | 5 003 | -| End‑to‑end wall‑time (hard‑hit) | 60 004 | - ---- -## 7 Policy Eval Bench - -### 7.1 Setup - -* Policy YAML: **28** rules, mix severity & package conditions. -* Input: scan result JSON with **1 026** findings. -* Evaluator: custom rules engine (Go structs → map look‑ups). - -### 7.2 Latency Histogram - -``` -0‑10 ms ▇▇▇▇▇▇▇▇▇▇ 38 % -10‑20 ms ▇▇▇▇▇▇▇▇▇▇ 42 % -20‑40 ms ▇▇▇▇▇▇ 17 % -40‑50 ms ▇ 3 % -``` - -P99 = 48 ms. Meets 50 ms gate. 
- ---- - -## 8 Trend Snapshot - +# 12 - Performance Workbook + +*Purpose* – define **repeatable, data‑driven** benchmarks that guard Stella Ops’ core pledge: +> *“P95 vulnerability feedback in ≤ 5 seconds.”* + +--- + +## 0 Benchmark Scope + +| Area | Included | Excluded | +|------------------|----------------------------------|---------------------------| +| SBOM‑first scan | Trivy engine w/ warmed DB | Full image unpack ≥ 300 MB | +| Delta SBOM ⭑ | Missing‑layer lookup & merge | Multi‑arch images | +| Policy eval ⭑ | YAML → JSON → rule match | Rego (until GA) | +| Feed merge | NVD JSON 2023–2025 | GHSA GraphQL (plugin) | +| Quota wait‑path | 5 s soft‑wait, 60 s hard‑wait behaviour | Paid tiers (unlimited) | +| API latency | REST `/scan`, `/layers/missing` | UI SPA calls | + +⭑ = new in July 2025. + +--- + +## 1 Hardware Baseline (Reference Rig) + +| Element | Spec | +|-------------|------------------------------------| +| CPU | 8 vCPU (Intel Ice‑Lake equiv.) | +| Memory | 16 GiB | +| Disk | NVMe SSD, 3 GB/s R/W | +| Network | 1 Gbit virt. switch | +| Container | Docker 25.0 + overlay2 | +| OS | Ubuntu 22.04 LTS (kernel 6.8) | + +*All P95 targets assume a **single‑node** deployment on this rig unless stated.* + +--- + +## 2 Phase Targets & Gates + +| Phase (ID) | Target P95 | Gate (CI) | Rationale | +|-----------------------|-----------:|-----------|----------------------------------------| +| **SBOM_FIRST** | ≤ 5 s | `hard` | Core UX promise. | +| **IMAGE_UNPACK** | ≤ 10 s | `soft` | Fallback path for legacy flows. | +| **DELTA_SBOM** ⭑ | ≤ 1 s | `hard` | Needed to stay sub‑5 s for big bases. | +| **POLICY_EVAL** ⭑ | ≤ 50 ms | `hard` | Keeps gate latency invisible to users. | +| **QUOTA_WAIT** ⭑ | *soft* ≤ 5 s
*hard* ≤ 60 s | `hard` | Ensures graceful Free‑tier throttling. | +| **SCHED_RESCAN** | ≤ 30 s | `soft` | Nightly batch – not user‑facing. | +| **FEED_MERGE** | ≤ 60 s | `soft` | Off‑peak cron @ 01:00. | +| **API_P95** | ≤ 200 ms | `hard` | UI snappiness. | + +*Gate* legend — `hard`: break CI if regression > 3 × target, +`soft`: raise warning & issue ticket. + +--- + +## 3 Test Harness + +* **Runner** – `perf/run.sh`, accepts `--phase` and `--samples`. +* **Language analyzers microbench** – `dotnet run --project src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out src/Bench/StellaOps.Bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded. +* **Metrics** – Prometheus + `jq` extracts; aggregated via `scripts/aggregate.ts`. +* **CI** – GitLab CI job *benchmark* publishes JSON to `bench‑artifacts/`. +* **Visualisation** – Grafana dashboard *Stella‑Perf* (provisioned JSON). + +> **Note** – harness mounts `/var/cache/trivy` tmpfs to avoid disk noise. + +--- + +## 4 Current Results (July 2025) + +| Phase | Samples | Mean (s) | P95 (s) | Target OK? | +|---------------|--------:|---------:|--------:|-----------:| +| SBOM_FIRST | 100 | 3.7 | 4.9 | ✅ | +| IMAGE_UNPACK | 50 | 6.4 | 9.2 | ✅ | +| **DELTA_SBOM**| 100 | 0.46 | 0.83 | ✅ | +| **POLICY_EVAL** | 1 000 | 0.021 | 0.041 | ✅ | +| **QUOTA_WAIT** | 80 | 4.0* | 4.9* | ✅ | +| SCHED_RESCAN | 10 | 18.3 | 24.9 | ✅ | +| FEED_MERGE | 3 | 38.1 | 41.0 | ✅ | +| API_P95 | 20 000 | 0.087 | 0.143 | ✅ | + +*Data files:* `bench-artifacts/2025‑07‑14/phase‑stats.json`. + +--- + +## 5 Δ‑SBOM Micro‑Benchmark Detail + +### 5.1 Scenario + +1. 
Base image `python:3.12-slim` already scanned (all layers cached). +2. Application layer (`COPY . /app`) triggers new digest. +3. `Stella CLI` lists **7** layers, backend replies *6 hit*, *1 miss*. +4. Builder scans **only 1 layer** (~9 MiB, 217 files) & uploads delta. + +### 5.2 Key Timings + +| Step | Time (ms) | +|---------------------|----------:| +| `/layers/missing` | 13 | +| Trivy single layer | 655 | +| Upload delta blob | 88 | +| Backend merge + CVE | 74 | +| **Total wall‑time** | **830 ms** | + +--- + +## 6 Quota Wait‑Path Benchmark Detail + +### 6.1 Scenario + +1. Free‑tier token reaches **scan #200** – dashboard shows yellow banner. + +### 6.2 Key Timings + +| Step | Time (ms) | +|------------------------------------|----------:| +| `/quota/check` Redis LUA INCR | 0.8 | +| Soft wait sleep (server) | 5 000 | +| Hard wait sleep (server) | 60 000 | +| End‑to‑end wall‑time (soft‑hit) | 5 003 | +| End‑to‑end wall‑time (hard‑hit) | 60 004 | + +--- +## 7 Policy Eval Bench + +### 7.1 Setup + +* Policy YAML: **28** rules, mix severity & package conditions. +* Input: scan result JSON with **1 026** findings. +* Evaluator: custom rules engine (Go structs → map look‑ups). + +### 7.2 Latency Histogram + +``` +0‑10 ms ▇▇▇▇▇▇▇▇▇▇ 38 % +10‑20 ms ▇▇▇▇▇▇▇▇▇▇ 42 % +20‑40 ms ▇▇▇▇▇▇ 17 % +40‑50 ms ▇ 3 % +``` + +P99 = 48 ms. Meets 50 ms gate. + +--- + +## 8 Trend Snapshot + > _Perf trend spark‑line screenshot pending upload._ - -> **Grafana/Alerting** – Import `docs/modules/scanner/operations/analyzers-grafana-dashboard.json` and point it at the Prometheus datasource storing `scanner_analyzer_bench_*` metrics. Configure an alert on `scanner_analyzer_bench_regression_ratio` ≥ 1.20 (default limit); the bundled Stat panel surfaces breached scenarios (non-zero values). On-call runbook: `docs/modules/scanner/operations/analyzers.md`. - -_Plot generated weekly by `scripts/update‑trend.py`; shows last 12 weeks P95 per phase._ - ---- - -## 9 Action Items - -1. 
**Image Unpack** – Evaluate zstd for layer decompress; aim to shave 1 s. -2. **Feed Merge** – Parallelise regional XML feed parse (plugin) once stable. -3. **Rego Support** – Prototype OPA side‑car; target ≤ 100 ms eval. -4. **Concurrency** – Stress‑test 100 rps on 4‑node Redis cluster (Q4‑2025). - ---- - -## 10 Change Log - -| Date | Note | -|------------|-------------------------------------------------------------------------| -| 2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results. | -| 2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge). | - ---- + +> **Grafana/Alerting** – Import `docs/modules/scanner/operations/analyzers-grafana-dashboard.json` and point it at the Prometheus datasource storing `scanner_analyzer_bench_*` metrics. Configure an alert on `scanner_analyzer_bench_regression_ratio` ≥ 1.20 (default limit); the bundled Stat panel surfaces breached scenarios (non-zero values). On-call runbook: `docs/modules/scanner/operations/analyzers.md`. + +_Plot generated weekly by `scripts/update‑trend.py`; shows last 12 weeks P95 per phase._ + +--- + +## 9 Action Items + +1. **Image Unpack** – Evaluate zstd for layer decompress; aim to shave 1 s. +2. **Feed Merge** – Parallelise regional XML feed parse (plugin) once stable. +3. **Rego Support** – Prototype OPA side‑car; target ≤ 100 ms eval. +4. **Concurrency** – Stress‑test 100 rps on 4‑node Redis cluster (Q4‑2025). + +--- + +## 10 Change Log + +| Date | Note | +|------------|-------------------------------------------------------------------------| +| 2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results. | +| 2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge). | + +--- diff --git a/docs/13_RELEASE_ENGINEERING_PLAYBOOK.md b/docs/13_RELEASE_ENGINEERING_PLAYBOOK.md index 1da8f496..37c18321 100755 --- a/docs/13_RELEASE_ENGINEERING_PLAYBOOK.md +++ b/docs/13_RELEASE_ENGINEERING_PLAYBOOK.md 
@@ -1,230 +1,230 @@ -# 13 · Release Engineering Playbook — Stella Ops - - -A concise, automation‑first guide describing **how source code on `main` becomes a verifiably signed, air‑gap‑friendly release**. -It is opinionated for offline use‑cases and supply‑chain security (SLSA ≥ level 2 today, aiming for level 3). - ---- - -## 0 Release Philosophy - -* **Fast but fearless** – every commit on `main` must be releasable; broken builds break the build, not the team. -* **Reproducible** – anyone can rebuild byte‑identical artefacts with a single `make release` offline. -* **Secure by default** – every artefact ships with a SBOM, Cosign signature and (future) Rekor log entry. -* **Offline‑first** – all dependencies are vendored or mirrored into the internal registry; no Internet required at runtime. - ---- - -## 1 Versioning & Branching - -| Branch | Purpose | Auto‑publish? | -| ------------- | ------------------------------ | --------------------------------------- | -| `main` | Always‑green development trunk | `nightly-*` images | -| `release/X.Y` | Stabilise a minor line | `stella:X.Y-rcN` | -| Tags | `X.Y.Z` = SemVer | `stella:X.Y.Z`, OUK tarball, Helm chart | - -* **SemVer** – MAJOR for breaking API/CLI changes, MINOR for features, PATCH for fixes. -* Release tags are **signed** (`git tag -s`) with the Stella Ops GPG key (`0x90C4…`). - ---- - -## 2 CI/CD Overview (GitLab CI + GitLab Runner) - -```mermaid -graph LR - A[push / MR] --> Lint - Lint --> Unit - Unit --> Build - Build --> Test-Container - Test-Container --> SBOM - SBOM --> Sign - Sign --> Publish - Publish --> E2E - Publish --> Notify -``` - -### Pipeline Stages - -| Stage | Key tasks | -| ------------------ | ------------------------------------------------------------------------------------------------ | -| **Lint** | ESLint, golangci‑lint, hadolint, markdown‑lint. | -| **Unit** | `dotnet test`, `go test`, Jest UI tests. 
| -| **Quota unit‑tests 🏷** | Validate QuotaService logic: reset at UTC, 5 s vs 60 s waits, header correctness. | -| **Build** | Multi‑arch container build (`linux/amd64`, `linux/arm64`) using **BuildKit** + `--provenance` 📌. | -| **Test‑Container** | Spin up compose file, run smoke APIs. | -| **SBOM** 📌 | Invoke **StellaOps.SBOMBuilder** to generate SPDX JSON + attach `.sbom` label to image. | -| **Sign** | Sign image with **Cosign** (`cosign sign --key cosign.key`). | -| **Publish** | Push to `registry.git.stella-ops.org`. | -| **E2E** | Kind‑based Kubernetes test incl. Zastava DaemonSet; verify sub‑5 s scan SLA. | -| **Notify** | Report to Mattermost & GitLab Slack app. | -| **OfflineToken** | Call `JwtIssuer.Generate(exp=30d)` → store `client.jwt` artefact → attach to OUK build context | - -*All stages run in parallel where possible; max wall‑time < 15 min.* - -**Implementation note.** `.gitea/workflows/release.yml` executes -`ops/devops/release/build_release.py` to build multi-arch images, attach -CycloneDX SBOMs and SLSA provenance with Cosign, and emit -`out/release/release.yaml` for downstream packaging (Helm, Compose, Offline Kit). -The `build-test-deploy` workflow also runs -`python ops/devops/release/test_verify_release.py` so release verifier -regressions fail fast during every CI pass. - ---- - -## 3 Container Image Strategy - -| Image | Registry Tag | Contents | -| ------------------------------ | --------------------------- | ---------------------------------------------------------------------- | -| **backend** | `stella/backend:{ver}` | ASP.NET API, plugin loader. | -| **ui** | `stella/ui:{ver}` | Pre‑built Angular SPA. | -| **runner-trivy** | `stella/runner-trivy:{ver}` | Trivy CLI + SPDX/CycloneDX 🛠. | -| **runner-grype** | `stella/runner-grype:{ver}` | Optional plug‑in scanner. | -| **🏷️ StellaOps.Registry** 📌 | `stella/registry:{ver}` | Scratch image embedding Docker Registry v2 + Cosign policy controller. 
| -| **🏷️ StellaOps.MutePolicies** 📌 | `stella/policies:{ver}` | Sidecar serving policy bundles. | -| **🏷️ StellaOps.Attestor** 📌 | `stella/attestor:{ver}` | SLSA provenance & Rekor signer (future). | - -*Images are **`--label org.opencontainers.image.source=git.stella-ops.ru`** and include SBOMs generated at build time.* - ---- - -## 4 📌 Offline Update Kit (OUK) Build & Distribution - -**Purpose** – deliver updated CVE feeds & Trivy DB to air‑gapped clusters. - -### 4.1 CLI Tool - -*Go binary `ouk` lives in `src/Tools/ouk/`.* - -```sh -ouk fetch \ - --nvd --osv \ - --trivy-db --date $(date -I) \ - --output ouk-$(date +%Y%m%d).tar.gz \ - --sign cosign.key -``` - -### 4.2 Pipeline Hook - -* Runs on **first Friday** each month (cron). -* Generates tarball, signs it, uploads to **GitLab Release asset**. -* SHA‑256 + signature published alongside. -* Release job must emit `out/release/debug/` with `debug-manifest.json` and `.sha256` so `ops/offline-kit/mirror_debug_store.py` can mirror symbols into the Offline Kit (see `DEVOPS-REL-17-004`). - -### 4.3 Activation Flow (runtime) - -1. Admin uploads `.tar.gz` via **UI → Settings → Offline Updates (OUK)**. -2. Backend verifies Cosign signature & digest. -3. Files extracted into `var/lib/stella/db`. -4. Redis caches invalidated; Dashboard “Feed Age” ticks green. -5. Audit event `ouk_update` stored. - -### 4.4 Token Detail - -client.jwt placed under /root/ inside the tarball. -CI job fails if token expiry < 29 days (guard against stale caches). 
- ---- - -## 5 Artifact Signing & Transparency - -| Artefact | Signer | Tool/Notes | -| ------------ | --------------- | ---------------------------------- | -| Git tags | GPG (`0x90C4…`) | `git tag -s` | -| Containers | Cosign key pair | `cosign sign` | -| Helm Charts | prov file | `helm package --sign` | -| OUK tarballs | Cosign | `cosign sign-blob` | -| Debug store | — | `debug/debug-manifest.json` hashed | - -**Rekor** integration is **TODO** – once the internal Rekor mirror is online (`StellaOpsAttestor`) a post‑publish job will submit transparency log entries. - ---- - -## 6 Release Checklist - -1. CI pipeline green. -2. Bump `VERSION` file. -3. Tag `git tag -s X.Y.Z -m "Release X.Y.Z"` & push. -4. GitLab CI auto‑publishes images & charts. -5. Draft GitLab **Release Notes** using `src/Tools/release-notes-gen`. -6. Verify SBOM attachment with `stella sbom verify stella/backend:X.Y.Z`. -7. Run the release verifier locally if CI isn’t available (mirrors the workflow step): - `python ops/devops/release/test_verify_release.py` -8. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest: - ```bash - ./ops/offline-kit/mirror_debug_store.py \ - --release-dir out/release \ - --offline-kit-dir out/offline-kit - jq '.artifacts | length' out/offline-kit/debug/debug-manifest.json - readelf -n /app/... | grep -i 'Build ID' - ``` - Validate that the hash from `readelf` matches the `.build-id//.debug` path created by the script. -9. Smoke-test OUK tarball in offline lab. -10. Announce in `#stella-release` Mattermost channel. - ---- - -## 7 Hot‑fix Procedure - -* Branch from latest tag → `hotfix/X.Y.Z+1-hf1`. -* Apply minimal patch, add regression test. -* CI pipeline (with reduced stages) must pass. -* Tag `X.Y.Z+1`. -* Publish only container + Helm chart; OUK not rebuilt. -* Cherry‑pick back to `main`. 
- ---- - -## 8 Deprecation & End‑of‑Life Policy - -| Feature | Deprecation notice | Removal earliest | -| ------------------------ | ------------------ | ---------------- | -| Legacy CSV policy import | 2025‑10‑01 | 2026‑04‑01 | -| Docker v1 Registry auth | 2025‑12‑01 | 2026‑06‑01 | -| In‑image Trivy DB | 2025‑12‑15 | 2026‑03‑15 | - -*At least 6 months notice; removal requires major version bump.* - ---- - -## 9 📌 Non‑Commercial Usage Rules (English canonical) - -1. **Free for internal security assessments** (company or personal). -2. **SaaS resale / re‑hosting prohibited** without prior written consent (AGPL §13). -3. If you distribute a fork with UI or backend modifications **you must**: - * Publish the complete modified source code. - * Retain the original Stella Ops attribution in UI footer and CLI `--version`. -4. All third‑party dependencies remain under their respective licences (MIT, Apache‑2.0, ISC, BSD). -5. Deployments in state‑regulated or classified environments must obey**applicable local regulations** governing cryptography and software distribution. - ---- - -## 10 Best Practices Snapshot 📌 - -* **SBOM‑per‑image** → attach at build time; store as OCI artifact for supply‑chain introspection. -* **Provenance flag** (`--provenance=true`) in BuildKit fulfils SLSA 2 requirement. -* Use **multi‑arch, reproducible builds** (`SOURCE_DATE_EPOCH` pins timestamps). -* All pipelines enforce **Signed‑off‑by (DCO)**; CI fails if trailer missing. -* `cosign policy` ensures only images signed by the project key run in production. - ---- - -## 11 Contributing to Release Engineering - -* Fork & create MR to `infra/release-*`. -* All infra changes require green **`integration-e2e-offline`** job. -* Discuss larger infra migrations in `#sig-release` Mattermost; decisions recorded in `ADR/` folder. 
- ---- - -## 12 Change Log (high‑level) - -| Version | Date | Note | -| ------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -| v2.1 | 2025‑07‑15 | Added OUK build/publish pipeline, internal registry image (`StellaOps.Registry`), non‑commercial usage rules extraction, SBOM stage, BuildKit provenance. | -| v2.0 | 2025‑07‑12 | Initial open‑sourcing of Release Engineering guide. | -| v1.1 | 2025‑07‑09 | Fixed inner fencing; added retention policy | -| v1.0 | 2025‑07‑09 | Initial playbook | - ---- - -*(End of Release Engineering Playbook v1.1)* +# 13 · Release Engineering Playbook — Stella Ops + + +A concise, automation‑first guide describing **how source code on `main` becomes a verifiably signed, air‑gap‑friendly release**. +It is opinionated for offline use‑cases and supply‑chain security (SLSA ≥ level 2 today, aiming for level 3). + +--- + +## 0 Release Philosophy + +* **Fast but fearless** – every commit on `main` must be releasable; broken builds break the build, not the team. +* **Reproducible** – anyone can rebuild byte‑identical artefacts with a single `make release` offline. +* **Secure by default** – every artefact ships with a SBOM, Cosign signature and (future) Rekor log entry. +* **Offline‑first** – all dependencies are vendored or mirrored into the internal registry; no Internet required at runtime. + +--- + +## 1 Versioning & Branching + +| Branch | Purpose | Auto‑publish? | +| ------------- | ------------------------------ | --------------------------------------- | +| `main` | Always‑green development trunk | `nightly-*` images | +| `release/X.Y` | Stabilise a minor line | `stella:X.Y-rcN` | +| Tags | `X.Y.Z` = SemVer | `stella:X.Y.Z`, OUK tarball, Helm chart | + +* **SemVer** – MAJOR for breaking API/CLI changes, MINOR for features, PATCH for fixes. 
+* Release tags are **signed** (`git tag -s`) with the Stella Ops GPG key (`0x90C4…`). + +--- + +## 2 CI/CD Overview (GitLab CI + GitLab Runner) + +```mermaid +graph LR + A[push / MR] --> Lint + Lint --> Unit + Unit --> Build + Build --> Test-Container + Test-Container --> SBOM + SBOM --> Sign + Sign --> Publish + Publish --> E2E + Publish --> Notify +``` + +### Pipeline Stages + +| Stage | Key tasks | +| ------------------ | ------------------------------------------------------------------------------------------------ | +| **Lint** | ESLint, golangci‑lint, hadolint, markdown‑lint. | +| **Unit** | `dotnet test`, `go test`, Jest UI tests. | +| **Quota unit‑tests 🏷** | Validate QuotaService logic: reset at UTC, 5 s vs 60 s waits, header correctness. | +| **Build** | Multi‑arch container build (`linux/amd64`, `linux/arm64`) using **BuildKit** + `--provenance` 📌. | +| **Test‑Container** | Spin up compose file, run smoke APIs. | +| **SBOM** 📌 | Invoke **StellaOps.SBOMBuilder** to generate SPDX JSON + attach `.sbom` label to image. | +| **Sign** | Sign image with **Cosign** (`cosign sign --key cosign.key`). | +| **Publish** | Push to `registry.git.stella-ops.org`. | +| **E2E** | Kind‑based Kubernetes test incl. Zastava DaemonSet; verify sub‑5 s scan SLA. | +| **Notify** | Report to Mattermost & GitLab Slack app. | +| **OfflineToken** | Call `JwtIssuer.Generate(exp=30d)` → store `client.jwt` artefact → attach to OUK build context | + +*All stages run in parallel where possible; max wall‑time < 15 min.* + +**Implementation note.** `.gitea/workflows/release.yml` executes +`ops/devops/release/build_release.py` to build multi-arch images, attach +CycloneDX SBOMs and SLSA provenance with Cosign, and emit +`out/release/release.yaml` for downstream packaging (Helm, Compose, Offline Kit). +The `build-test-deploy` workflow also runs +`python ops/devops/release/test_verify_release.py` so release verifier +regressions fail fast during every CI pass. 
+ +--- + +## 3 Container Image Strategy + +| Image | Registry Tag | Contents | +| ------------------------------ | --------------------------- | ---------------------------------------------------------------------- | +| **backend** | `stella/backend:{ver}` | ASP.NET API, plugin loader. | +| **ui** | `stella/ui:{ver}` | Pre‑built Angular SPA. | +| **runner-trivy** | `stella/runner-trivy:{ver}` | Trivy CLI + SPDX/CycloneDX 🛠. | +| **runner-grype** | `stella/runner-grype:{ver}` | Optional plug‑in scanner. | +| **🏷️ StellaOps.Registry** 📌 | `stella/registry:{ver}` | Scratch image embedding Docker Registry v2 + Cosign policy controller. | +| **🏷️ StellaOps.MutePolicies** 📌 | `stella/policies:{ver}` | Sidecar serving policy bundles. | +| **🏷️ StellaOps.Attestor** 📌 | `stella/attestor:{ver}` | SLSA provenance & Rekor signer (future). | + +*Images are **`--label org.opencontainers.image.source=git.stella-ops.ru`** and include SBOMs generated at build time.* + +--- + +## 4 📌 Offline Update Kit (OUK) Build & Distribution + +**Purpose** – deliver updated CVE feeds & Trivy DB to air‑gapped clusters. + +### 4.1 CLI Tool + +*Go binary `ouk` lives in `src/Tools/ouk/`.* + +```sh +ouk fetch \ + --nvd --osv \ + --trivy-db --date $(date -I) \ + --output ouk-$(date +%Y%m%d).tar.gz \ + --sign cosign.key +``` + +### 4.2 Pipeline Hook + +* Runs on **first Friday** each month (cron). +* Generates tarball, signs it, uploads to **GitLab Release asset**. +* SHA‑256 + signature published alongside. +* Release job must emit `out/release/debug/` with `debug-manifest.json` and `.sha256` so `ops/offline-kit/mirror_debug_store.py` can mirror symbols into the Offline Kit (see `DEVOPS-REL-17-004`). + +### 4.3 Activation Flow (runtime) + +1. Admin uploads `.tar.gz` via **UI → Settings → Offline Updates (OUK)**. +2. Backend verifies Cosign signature & digest. +3. Files extracted into `var/lib/stella/db`. +4. Redis caches invalidated; Dashboard “Feed Age” ticks green. +5. 
Audit event `ouk_update` stored. + +### 4.4 Token Detail + +client.jwt placed under /root/ inside the tarball. +CI job fails if token expiry < 29 days (guard against stale caches). + +--- + +## 5 Artifact Signing & Transparency + +| Artefact | Signer | Tool/Notes | +| ------------ | --------------- | ---------------------------------- | +| Git tags | GPG (`0x90C4…`) | `git tag -s` | +| Containers | Cosign key pair | `cosign sign` | +| Helm Charts | prov file | `helm package --sign` | +| OUK tarballs | Cosign | `cosign sign-blob` | +| Debug store | — | `debug/debug-manifest.json` hashed | + +**Rekor** integration is **TODO** – once the internal Rekor mirror is online (`StellaOpsAttestor`) a post‑publish job will submit transparency log entries. + +--- + +## 6 Release Checklist + +1. CI pipeline green. +2. Bump `VERSION` file. +3. Tag `git tag -s X.Y.Z -m "Release X.Y.Z"` & push. +4. GitLab CI auto‑publishes images & charts. +5. Draft GitLab **Release Notes** using `src/Tools/release-notes-gen`. +6. Verify SBOM attachment with `stella sbom verify stella/backend:X.Y.Z`. +7. Run the release verifier locally if CI isn’t available (mirrors the workflow step): + `python ops/devops/release/test_verify_release.py` +8. Mirror the release debug store into the Offline Kit staging tree and re-check the manifest: + ```bash + ./ops/offline-kit/mirror_debug_store.py \ + --release-dir out/release \ + --offline-kit-dir out/offline-kit + jq '.artifacts | length' out/offline-kit/debug/debug-manifest.json + readelf -n /app/... | grep -i 'Build ID' + ``` + Validate that the hash from `readelf` matches the `.build-id//.debug` path created by the script. +9. Smoke-test OUK tarball in offline lab. +10. Announce in `#stella-release` Mattermost channel. + +--- + +## 7 Hot‑fix Procedure + +* Branch from latest tag → `hotfix/X.Y.Z+1-hf1`. +* Apply minimal patch, add regression test. +* CI pipeline (with reduced stages) must pass. +* Tag `X.Y.Z+1`. 
+* Publish only container + Helm chart; OUK not rebuilt. +* Cherry‑pick back to `main`. + +--- + +## 8 Deprecation & End‑of‑Life Policy + +| Feature | Deprecation notice | Removal earliest | +| ------------------------ | ------------------ | ---------------- | +| Legacy CSV policy import | 2025‑10‑01 | 2026‑04‑01 | +| Docker v1 Registry auth | 2025‑12‑01 | 2026‑06‑01 | +| In‑image Trivy DB | 2025‑12‑15 | 2026‑03‑15 | + +*At least 6 months notice; removal requires major version bump.* + +--- + +## 9 📌 Non‑Commercial Usage Rules (English canonical) + +1. **Free for internal security assessments** (company or personal). +2. **SaaS resale / re‑hosting prohibited** without prior written consent (AGPL §13). +3. If you distribute a fork with UI or backend modifications **you must**: + * Publish the complete modified source code. + * Retain the original Stella Ops attribution in UI footer and CLI `--version`. +4. All third‑party dependencies remain under their respective licences (MIT, Apache‑2.0, ISC, BSD). +5. Deployments in state‑regulated or classified environments must obey**applicable local regulations** governing cryptography and software distribution. + +--- + +## 10 Best Practices Snapshot 📌 + +* **SBOM‑per‑image** → attach at build time; store as OCI artifact for supply‑chain introspection. +* **Provenance flag** (`--provenance=true`) in BuildKit fulfils SLSA 2 requirement. +* Use **multi‑arch, reproducible builds** (`SOURCE_DATE_EPOCH` pins timestamps). +* All pipelines enforce **Signed‑off‑by (DCO)**; CI fails if trailer missing. +* `cosign policy` ensures only images signed by the project key run in production. + +--- + +## 11 Contributing to Release Engineering + +* Fork & create MR to `infra/release-*`. +* All infra changes require green **`integration-e2e-offline`** job. +* Discuss larger infra migrations in `#sig-release` Mattermost; decisions recorded in `ADR/` folder. 
+ +--- + +## 12 Change Log (high‑level) + +| Version | Date | Note | +| ------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| v2.1 | 2025‑07‑15 | Added OUK build/publish pipeline, internal registry image (`StellaOps.Registry`), non‑commercial usage rules extraction, SBOM stage, BuildKit provenance. | +| v2.0 | 2025‑07‑12 | Initial open‑sourcing of Release Engineering guide. | +| v1.1 | 2025‑07‑09 | Fixed inner fencing; added retention policy | +| v1.0 | 2025‑07‑09 | Initial playbook | + +--- + +*(End of Release Engineering Playbook v1.1)* diff --git a/docs/17_SECURITY_HARDENING_GUIDE.md b/docs/17_SECURITY_HARDENING_GUIDE.md index 6eae1241..84ad7cfa 100755 --- a/docs/17_SECURITY_HARDENING_GUIDE.md +++ b/docs/17_SECURITY_HARDENING_GUIDE.md 
@@ -1,202 +1,202 @@ -#  17 · Security Hardening Guide — **Stella Ops** -*(v2.0 — 12 Jul 2025)* - -> **Audience** — Site‑reliability and platform teams deploying **the open‑source Core** in production or restricted networks. ---- - -##  0 Table of Contents - -1. Threat model (summary) -2. Host‑OS baseline -3. Container & runtime hardening -4. Network‑plane guidance -5. Secrets & key management -6. Image, SBOM & plug‑in supply‑chain controls -7. Logging, monitoring & audit -8. Update & patch strategy -9. Incident‑response workflow -10. Pen‑testing & continuous assurance -11. Contacts & vulnerability disclosure -12. Change log - ---- - -##  1 Threat model (summary) - -| Asset | Threats | Mitigations | -| -------------------- | --------------------- | ---------------------------------------------------------------------- | -| SBOMs & scan results | Disclosure, tamper | TLS‑in‑transit, read‑only Redis volume, RBAC, Cosign‑verified plug‑ins | -| Backend container | RCE, code‑injection | Distroless image, non‑root UID, read‑only FS, seccomp + `CAP_DROP:ALL` | -| Update artefacts | Supply‑chain attack | Cosign‑signed images & SBOMs, enforced by admission controller | -| Admin credentials | Phishing, brute force | OAuth 2.0 with 12‑h token TTL, optional mTLS | - ---- - -##  2 Host‑OS baseline checklist - -| Item | Recommended setting | -| ------------- | --------------------------------------------------------- | -| OS | Ubuntu 22.04 LTS (kernel ≥ 5.15) or Alma 9 | -| Patches | `unattended‑upgrades` or vendor‑equivalent enabled | -| Filesystem | `noexec,nosuid` on `/tmp`, `/var/tmp` | -| Docker Engine | v24.*, API socket root‑owned (`0660`) | -| Auditd | Watch `/etc/docker`, `/usr/bin/docker*` and Compose files | -| Time sync | `chrony` or `systemd‑timesyncd` | - ---- - -##  3 Container & runtime hardening - -###  3.1 Docker Compose reference (`compose-core.yml`) - -```yaml -services: - backend: - image: registry.stella-ops.org/stella-ops/stella-ops: - user: "101:101" # 
non‑root - read_only: true - security_opt: - - "no-new-privileges:true" - - "seccomp:./seccomp-backend.json" - cap_drop: [ALL] - tmpfs: - - /tmp:size=64m,exec,nosymlink - environment: - - ASPNETCORE_URLS=https://+:8080 - - TLSPROVIDER=OpenSslGost - depends_on: [redis] - networks: [core-net] - healthcheck: - test: ["CMD", "wget", "-qO-", "https://localhost:8080/health"] - interval: 30s - timeout: 5s - retries: 5 - - redis: - image: redis:7.2-alpine - command: ["redis-server", "--requirepass", "${REDIS_PASS}", "--rename-command", "FLUSHALL", ""] - user: "redis" - read_only: true - cap_drop: [ALL] - tmpfs: - - /data - networks: [core-net] - -networks: - core-net: - driver: bridge -``` - -No dedicated “Redis” or “Mongo” sub‑nets are declared; the single bridge network suffices for the default stack. - -###  3.2 Kubernetes deployment highlights - -Use a separate NetworkPolicy that only allows egress from backend to Redis :6379. -securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop all capabilities. -PodDisruptionBudget of minAvailable: 1. -Optionally add CosignVerified=true label enforced by an admission controller (e.g. Kyverno or Connaisseur). - -##  4 Network‑plane guidance - -| Plane | Recommendation | -| ------------------ | -------------------------------------------------------------------------- | -| North‑south | Terminate TLS 1.2+ (OpenSSL‑GOST default). Use LetsEncrypt or internal CA. | -| East‑west | Compose bridge or K8s ClusterIP only; no public Redis/Mongo ports. | -| Ingress controller | Limit methods to GET, POST, PATCH (no TRACE). | -| Rate‑limits | 40 rps default; tune ScannerPool.Workers and ingress limit‑req to match. 
| - -##  5 Secrets & key management - -| Secret | Storage | Rotation | -| --------------------------------- | ---------------------------------- | ----------------------------- | -| **Client‑JWT (offline)** | `/var/lib/stella/tokens/client.jwt` (root : 600) | **30 days** – provided by each OUK | -| REDIS_PASS | Docker/K8s secret | 90 days | -| OAuth signing key | /keys/jwt.pem (read‑only mount) | 180 days | -| Cosign public key | /keys/cosign.pub baked into image; | change on every major release | -| Trivy DB mirror token (if remote) | Secret + read‑only | 30 days | - -Never bake secrets into images; always inject at runtime. - -> **Operational tip:** schedule a cron reminding ops 5 days before -> `client.jwt` expiry. The backend also emits a Prometheus metric -> `stella_quota_token_days_remaining`. - -##  6 Image, SBOM & plug‑in supply‑chain controls - -* Images — Pull by digest not latest; verify: - -```bash -cosign verify ghcr.io/stellaops/backend@sha256: \ - --key https://stella-ops.org/keys/cosign.pub -``` - -* SBOM — Each release ships an SPDX file; store alongside images for audit. -* Third‑party plug‑ins — Place in /plugins/; backend will: -* Validate Cosign signature. -* Check [StellaPluginVersion("major.minor")]. -* Refuse to start if Security.DisablePluginUnsigned=false (default). - -##  7 Logging, monitoring & audit - -| Control | Implementation | -| ------------ | ----------------------------------------------------------------- | -| Log format | Serilog JSON; ship via Fluent‑Bit to ELK or Loki | -| Metrics | Prometheus /metrics endpoint; default Grafana dashboard in infra/ | -| Audit events | Redis stream audit; export daily to SIEM | -| Alert rules | Feed age  ≥ 48 h, P95 wall‑time > 5 s, Redis used memory > 75 % | - -###  7.1 Concelier authorization audits - -- Enable the Authority integration for Concelier (`authority.enabled=true`). 
Keep - `authority.allowAnonymousFallback` set to `true` only during migration and plan - to disable it before **2025-12-31 UTC** so the `/jobs*` surface always demands - a bearer token. -- Store the Authority client secret using Docker/Kubernetes secrets and point - `authority.clientSecretFile` at the mounted path; the value is read at startup - and never logged. -- Watch the `Concelier.Authorization.Audit` logger. Each entry contains the HTTP - status, subject, client ID, scopes, remote IP, and a boolean `bypass` flag - showing whether a network bypass CIDR allowed the request. Configure your SIEM - to alert when unauthenticated requests (`status=401`) appear with - `bypass=true`, or when unexpected scopes invoke job triggers. - Detailed monitoring and response guidance lives in `docs/modules/concelier/operations/authority-audit-runbook.md`. - -##  8 Update & patch strategy - -| Layer | Cadence | Method | -| -------------------- | -------------------------------------------------------- | ------------------------------ | -| Backend & CLI images | Monthly or CVE‑driven docker pull + docker compose up -d | -| Trivy DB | 24 h scheduler via Concelier (vulnerability ingest/merge/export service) | configurable via Concelier scheduler options | -| Docker Engine | vendor LTS | distro package manager | -| Host OS | security repos enabled | unattended‑upgrades | - -##  9 Incident‑response workflow - -* Detect — PagerDuty alert from Prometheus or SIEM. -* Contain — Stop affected Backend container; isolate Redis RDB snapshot. -* Eradicate — Pull verified images, redeploy, rotate secrets. -* Recover — Restore RDB, replay SBOMs if history lost. -* Review — Post‑mortem within 72 h; create follow‑up issues. -* Escalate P1 incidents to (24 × 7). 
- - -##  10 Pen‑testing & continuous assurance - -| Control | Frequency | Tool/Runner | -|----------------------|-----------------------|-------------------------------------------| -| OWASP ZAP baseline | Each merge to `main` | GitHub Action `zap-baseline-scan` | -| Dependency scanning | Per pull request | Trivy FS + Dependabot | -| External red‑team | Annual or pre‑GA | CREST‑accredited third‑party | - -##  11 Vulnerability disclosure & contact - -* Preferred channel: security@stella‑ops.org (GPG key on website). -* Coordinated disclosure reward: public credit and swag (no monetary bounty at this time). - -##  12 Change log - -| Version | Date | Notes | -| ------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------- | -| v2.0 | 2025‑07‑12 | Full overhaul: host‑OS baseline, supply‑chain signing, removal of unnecessary sub‑nets, role‑based contact e‑mail, K8s guidance. | -| v1.1 | 2025‑07‑09 | Minor fence fixes. | -| v1.0 | 2025‑07‑09 | Original draft. | +#  17 · Security Hardening Guide — **Stella Ops** +*(v2.0 — 12 Jul 2025)* + +> **Audience** — Site‑reliability and platform teams deploying **the open‑source Core** in production or restricted networks. +--- + +##  0 Table of Contents + +1. Threat model (summary) +2. Host‑OS baseline +3. Container & runtime hardening +4. Network‑plane guidance +5. Secrets & key management +6. Image, SBOM & plug‑in supply‑chain controls +7. Logging, monitoring & audit +8. Update & patch strategy +9. Incident‑response workflow +10. Pen‑testing & continuous assurance +11. Contacts & vulnerability disclosure +12. 
Change log + +--- + +##  1 Threat model (summary) + +| Asset | Threats | Mitigations | +| -------------------- | --------------------- | ---------------------------------------------------------------------- | +| SBOMs & scan results | Disclosure, tamper | TLS‑in‑transit, read‑only Redis volume, RBAC, Cosign‑verified plug‑ins | +| Backend container | RCE, code‑injection | Distroless image, non‑root UID, read‑only FS, seccomp + `CAP_DROP:ALL` | +| Update artefacts | Supply‑chain attack | Cosign‑signed images & SBOMs, enforced by admission controller | +| Admin credentials | Phishing, brute force | OAuth 2.0 with 12‑h token TTL, optional mTLS | + +--- + +##  2 Host‑OS baseline checklist + +| Item | Recommended setting | +| ------------- | --------------------------------------------------------- | +| OS | Ubuntu 22.04 LTS (kernel ≥ 5.15) or Alma 9 | +| Patches | `unattended‑upgrades` or vendor‑equivalent enabled | +| Filesystem | `noexec,nosuid` on `/tmp`, `/var/tmp` | +| Docker Engine | v24.*, API socket root‑owned (`0660`) | +| Auditd | Watch `/etc/docker`, `/usr/bin/docker*` and Compose files | +| Time sync | `chrony` or `systemd‑timesyncd` | + +--- + +##  3 Container & runtime hardening + +###  3.1 Docker Compose reference (`compose-core.yml`) + +```yaml +services: + backend: + image: registry.stella-ops.org/stella-ops/stella-ops: + user: "101:101" # non‑root + read_only: true + security_opt: + - "no-new-privileges:true" + - "seccomp:./seccomp-backend.json" + cap_drop: [ALL] + tmpfs: + - /tmp:size=64m,exec,nosymlink + environment: + - ASPNETCORE_URLS=https://+:8080 + - TLSPROVIDER=OpenSslGost + depends_on: [redis] + networks: [core-net] + healthcheck: + test: ["CMD", "wget", "-qO-", "https://localhost:8080/health"] + interval: 30s + timeout: 5s + retries: 5 + + redis: + image: redis:7.2-alpine + command: ["redis-server", "--requirepass", "${REDIS_PASS}", "--rename-command", "FLUSHALL", ""] + user: "redis" + read_only: true + cap_drop: [ALL] + tmpfs: + - /data + 
networks: [core-net] + +networks: + core-net: + driver: bridge +``` + +No dedicated “Redis” or “Mongo” sub‑nets are declared; the single bridge network suffices for the default stack. + +###  3.2 Kubernetes deployment highlights + +Use a separate NetworkPolicy that only allows egress from backend to Redis :6379. +securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop all capabilities. +PodDisruptionBudget of minAvailable: 1. +Optionally add CosignVerified=true label enforced by an admission controller (e.g. Kyverno or Connaisseur). + +##  4 Network‑plane guidance + +| Plane | Recommendation | +| ------------------ | -------------------------------------------------------------------------- | +| North‑south | Terminate TLS 1.2+ (OpenSSL‑GOST default). Use LetsEncrypt or internal CA. | +| East‑west | Compose bridge or K8s ClusterIP only; no public Redis/Mongo ports. | +| Ingress controller | Limit methods to GET, POST, PATCH (no TRACE). | +| Rate‑limits | 40 rps default; tune ScannerPool.Workers and ingress limit‑req to match. | + +##  5 Secrets & key management + +| Secret | Storage | Rotation | +| --------------------------------- | ---------------------------------- | ----------------------------- | +| **Client‑JWT (offline)** | `/var/lib/stella/tokens/client.jwt` (root : 600) | **30 days** – provided by each OUK | +| REDIS_PASS | Docker/K8s secret | 90 days | +| OAuth signing key | /keys/jwt.pem (read‑only mount) | 180 days | +| Cosign public key | /keys/cosign.pub baked into image; | change on every major release | +| Trivy DB mirror token (if remote) | Secret + read‑only | 30 days | + +Never bake secrets into images; always inject at runtime. + +> **Operational tip:** schedule a cron reminding ops 5 days before +> `client.jwt` expiry. The backend also emits a Prometheus metric +> `stella_quota_token_days_remaining`. 
+ +##  6 Image, SBOM & plug‑in supply‑chain controls + +* Images — Pull by digest not latest; verify: + +```bash +cosign verify ghcr.io/stellaops/backend@sha256: \ + --key https://stella-ops.org/keys/cosign.pub +``` + +* SBOM — Each release ships an SPDX file; store alongside images for audit. +* Third‑party plug‑ins — Place in /plugins/; backend will: +* Validate Cosign signature. +* Check [StellaPluginVersion("major.minor")]. +* Refuse to start if Security.DisablePluginUnsigned=false (default). + +##  7 Logging, monitoring & audit + +| Control | Implementation | +| ------------ | ----------------------------------------------------------------- | +| Log format | Serilog JSON; ship via Fluent‑Bit to ELK or Loki | +| Metrics | Prometheus /metrics endpoint; default Grafana dashboard in infra/ | +| Audit events | Redis stream audit; export daily to SIEM | +| Alert rules | Feed age  ≥ 48 h, P95 wall‑time > 5 s, Redis used memory > 75 % | + +###  7.1 Concelier authorization audits + +- Enable the Authority integration for Concelier (`authority.enabled=true`). Keep + `authority.allowAnonymousFallback` set to `true` only during migration and plan + to disable it before **2025-12-31 UTC** so the `/jobs*` surface always demands + a bearer token. +- Store the Authority client secret using Docker/Kubernetes secrets and point + `authority.clientSecretFile` at the mounted path; the value is read at startup + and never logged. +- Watch the `Concelier.Authorization.Audit` logger. Each entry contains the HTTP + status, subject, client ID, scopes, remote IP, and a boolean `bypass` flag + showing whether a network bypass CIDR allowed the request. Configure your SIEM + to alert when unauthenticated requests (`status=401`) appear with + `bypass=true`, or when unexpected scopes invoke job triggers. + Detailed monitoring and response guidance lives in `docs/modules/concelier/operations/authority-audit-runbook.md`. 
+ +##  8 Update & patch strategy + +| Layer | Cadence | Method | +| -------------------- | -------------------------------------------------------- | ------------------------------ | +| Backend & CLI images | Monthly or CVE‑driven docker pull + docker compose up -d | +| Trivy DB | 24 h scheduler via Concelier (vulnerability ingest/merge/export service) | configurable via Concelier scheduler options | +| Docker Engine | vendor LTS | distro package manager | +| Host OS | security repos enabled | unattended‑upgrades | + +##  9 Incident‑response workflow + +* Detect — PagerDuty alert from Prometheus or SIEM. +* Contain — Stop affected Backend container; isolate Redis RDB snapshot. +* Eradicate — Pull verified images, redeploy, rotate secrets. +* Recover — Restore RDB, replay SBOMs if history lost. +* Review — Post‑mortem within 72 h; create follow‑up issues. +* Escalate P1 incidents to (24 × 7). + + +##  10 Pen‑testing & continuous assurance + +| Control | Frequency | Tool/Runner | +|----------------------|-----------------------|-------------------------------------------| +| OWASP ZAP baseline | Each merge to `main` | GitHub Action `zap-baseline-scan` | +| Dependency scanning | Per pull request | Trivy FS + Dependabot | +| External red‑team | Annual or pre‑GA | CREST‑accredited third‑party | + +##  11 Vulnerability disclosure & contact + +* Preferred channel: security@stella‑ops.org (GPG key on website). +* Coordinated disclosure reward: public credit and swag (no monetary bounty at this time). + +##  12 Change log + +| Version | Date | Notes | +| ------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------- | +| v2.0 | 2025‑07‑12 | Full overhaul: host‑OS baseline, supply‑chain signing, removal of unnecessary sub‑nets, role‑based contact e‑mail, K8s guidance. | +| v1.1 | 2025‑07‑09 | Minor fence fixes. | +| v1.0 | 2025‑07‑09 | Original draft. | 
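Review bot: this hunk (`@@ -1,202 +1,202 @@`) removes and re-adds all 202 lines with identical text, so it is the same line-ending rewrite as the previous file, and the `index ... 100755` header shows the guide (and `docs/21_INSTALL_GUIDE.md` below) is tracked with the executable bit set, which a `chmod -x` in this commit should clear. While the content is open, please fix the contradiction between section 2 and section 3.1: the host baseline requires `noexec,nosuid` on `/tmp`, yet the Compose reference mounts `- /tmp:size=64m,exec,nosymlink` in the backend container with `exec` enabled, which gives back the writable-and-executable scratch area that the baseline deliberately removes; unless the backend genuinely needs to run code from `/tmp`, this should be `noexec,nosuid`. Two smaller points in the same section: the healthcheck `["CMD", "wget", "-qO-", "https://localhost:8080/health"]` assumes `wget` is present in what section 1 describes as a distroless image, and it will fail against the self-signed certificate unless a CA bundle or `--no-check-certificate` is supplied, so state which is intended; and `image: registry.stella-ops.org/stella-ops/stella-ops:` and `cosign verify ghcr.io/stellaops/backend@sha256:` both end in an empty tag or digest and name two different registries, so a reader cannot tell which one to verify against. Also, in section 6 the sentence `Refuse to start if Security.DisablePluginUnsigned=false (default)` reads inverted (a setting named Disable...Unsigned being false suggests unsigned plug-ins are allowed, not refused), the section 8 row `| Backend & CLI images | Monthly or CVE‑driven docker pull + docker compose up -d |` has two cells in a three-column table, and section 9's `Escalate P1 incidents to (24 × 7)` is missing the contact.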
diff --git a/docs/21_INSTALL_GUIDE.md b/docs/21_INSTALL_GUIDE.md index 8f51204f..96d8ed85 100755 --- a/docs/21_INSTALL_GUIDE.md +++ b/docs/21_INSTALL_GUIDE.md 
@@ -1,190 +1,190 @@ -# Stella Ops — Installation Guide (Docker & Air‑Gap) - - - -> **Status — public α not yet published.** -> The commands below will work as soon as the first image is tagged -> `registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha` -> (target date: **late 2025**). Track progress on the -> [road‑map](/roadmap/). - ---- - -## 0 · Prerequisites - -| Item | Minimum | Notes | -|------|---------|-------| -| Linux | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 | -| CPU / RAM | 2 vCPU / 2 GiB | Laptop baseline | -| Disk | 10 GiB SSD | SBOM + vuln DB cache | -| Docker | **Engine 25 + Compose v2** | `docker -v` | -| TLS | OpenSSL 1.1 +  | Self‑signed cert generated at first run | - ---- - -## 1 · Connected‑host install (Docker Compose) - -```bash -# 1. Make a working directory -mkdir stella && cd stella - -# 2. Download the signed Compose bundle + example .env -curl -LO https://get.stella-ops.org/releases/latest/.env.example -curl -LO https://get.stella-ops.org/releases/latest/.env.example.sig -curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml -curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml.sig -curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml -curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml.sig - -# 3. Verify provenance (Cosign public key is stable) -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature .env.example.sig \ - .env.example - -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature docker-compose.infrastructure.yml.sig \ - docker-compose.infrastructure.yml - -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature docker-compose.stella-ops.yml.sig \ - docker-compose.stella-ops.yml - -# 4. Copy .env.example → .env and edit secrets -cp .env.example .env -$EDITOR .env - -# 5. 
Launch databases (MongoDB + Redis) -docker compose --env-file .env -f docker-compose.infrastructure.yml up -d - -# 6. Launch Stella Ops (first run pulls ~50 MB merged vuln DB) -docker compose --env-file .env -f docker-compose.stella-ops.yml up -d -```` - -*Default login:* `admin / changeme` -UI: [https://\<host\>:8443](https://<host>:8443) (self‑signed certificate) - -> **Pinning best‑practice** – in production environments replace -> `stella-ops:latest` with the immutable digest printed by -> `docker images --digests`. - -> **Repo bundles** – Development, staging, and air‑gapped Compose profiles live -> under `deploy/compose/`, already tied to the release manifests in -> `deploy/releases/`. Helm users can pull the same channel overlays from -> `deploy/helm/stellaops/values-*.yaml` and validate everything with -> `deploy/tools/validate-profiles.sh`. - -### 1.1 · Concelier authority configuration - -The Concelier container reads configuration from `etc/concelier.yaml` plus -`CONCELIER_` environment variables. To enable the new Authority integration: - -1. 
Add the following keys to `.env` (replace values for your environment): - - ```bash - CONCELIER_AUTHORITY__ENABLED=true - CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true # temporary rollout only - CONCELIER_AUTHORITY__ISSUER="https://authority.internal" - CONCELIER_AUTHORITY__AUDIENCES__0="api://concelier" - CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger" - CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read" - CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest" - CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default" - CONCELIER_AUTHORITY__CLIENTID="concelier-jobs" - CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger" - CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read" - CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest" - CONCELIER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/concelier_authority_client" - CONCELIER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32" - CONCELIER_AUTHORITY__BYPASSNETWORKS__1="::1/128" - CONCELIER_AUTHORITY__RESILIENCE__ENABLERETRIES=true - CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__0="00:00:01" - CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__1="00:00:02" - CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__2="00:00:05" - CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK=true - CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE="00:10:00" - ``` - - Store the client secret outside source control (Docker secrets, mounted file, - or Kubernetes Secret). Concelier loads the secret during post-configuration, so - the value never needs to appear in the YAML template. - - Connected sites can keep the retry ladder short (1 s, 2 s, 5 s) so job triggers fail fast when Authority is down. For air‑gapped or intermittently connected deployments, extend `RESILIENCE__OFFLINECACHETOLERANCE` (e.g. `00:30:00`) so cached discovery/JWKS data remains valid while the Offline Kit synchronises upstream changes. - -2. 
Redeploy Concelier: - - ```bash - docker compose --env-file .env -f docker-compose.stella-ops.yml up -d concelier - ``` - -3. Tail the logs: `docker compose logs -f concelier`. Successful `/jobs*` calls now - emit `Concelier.Authorization.Audit` entries with `route`, `status`, `subject`, - `clientId`, `scopes`, `bypass`, and `remote` fields. 401 denials keep the same - shape—watch for `bypass=True`, which indicates a bypass CIDR accepted an anonymous - call. See `docs/modules/concelier/operations/authority-audit-runbook.md` for a full audit/alerting checklist. - -> **Enforcement deadline** – keep `CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true` -> only while validating the rollout. Set it to `false` (and restart Concelier) -> before **2025-12-31 UTC** to require tokens in production. - ---- - -## 2 · Optional: request a free quota token - -Anonymous installs allow **{{ quota\_anon }} scans per UTC day**. -Email `token@stella-ops.org` to receive a signed JWT that raises the limit to -**{{ quota\_token }} scans/day**. Insert it into `.env`: - -```bash -STELLA_JWT="paste‑token‑here" -docker compose --env-file .env -f docker-compose.stella-ops.yml \ - exec stella-ops stella set-jwt "$STELLA_JWT" -``` - ->  The UI shows a reminder at 200 scans and throttles above the limit but will ->  **never block** your pipeline. 
- ---- - -## 3 · Air‑gapped install (Offline Update Kit) - -When running on an isolated network use the **Offline Update Kit (OUK)**: - -```bash -# Download & verify on a connected host -curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz -curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz.sig - -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature stella-ops-offline-kit-v0.1a.tgz.sig \ - stella-ops-offline-kit-v0.1a.tgz - -# Transfer → air‑gap → import -docker compose --env-file .env -f docker-compose.stella-ops.yml \ - exec stella admin import-offline-usage-kit stella-ops-offline-kit-v0.1a.tgz -``` - -*Import is atomic; no service downtime.* - -For details see the dedicated [Offline Kit guide](/offline/). - ---- - -## 4 · Next steps - -* **5‑min Quick‑Start:** `/quickstart/` -* **CI recipes:** `docs/ci/20_CI_RECIPES.md` -* **Plug‑in SDK:** `/plugins/` - ---- - -*Generated {{ "now" | date: "%Y‑%m‑%d" }} — build tags inserted at render time.* +# Stella Ops — Installation Guide (Docker & Air‑Gap) + + + +> **Status — public α not yet published.** +> The commands below will work as soon as the first image is tagged +> `registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha` +> (target date: **late 2025**). Track progress on the +> [road‑map](/roadmap/). + +--- + +## 0 · Prerequisites + +| Item | Minimum | Notes | +|------|---------|-------| +| Linux | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 | +| CPU / RAM | 2 vCPU / 2 GiB | Laptop baseline | +| Disk | 10 GiB SSD | SBOM + vuln DB cache | +| Docker | **Engine 25 + Compose v2** | `docker -v` | +| TLS | OpenSSL 1.1 +  | Self‑signed cert generated at first run | + +--- + +## 1 · Connected‑host install (Docker Compose) + +```bash +# 1. Make a working directory +mkdir stella && cd stella + +# 2. 
Download the signed Compose bundle + example .env +curl -LO https://get.stella-ops.org/releases/latest/.env.example +curl -LO https://get.stella-ops.org/releases/latest/.env.example.sig +curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml +curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml.sig +curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml +curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml.sig + +# 3. Verify provenance (Cosign public key is stable) +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature .env.example.sig \ + .env.example + +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature docker-compose.infrastructure.yml.sig \ + docker-compose.infrastructure.yml + +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature docker-compose.stella-ops.yml.sig \ + docker-compose.stella-ops.yml + +# 4. Copy .env.example → .env and edit secrets +cp .env.example .env +$EDITOR .env + +# 5. Launch databases (MongoDB + Redis) +docker compose --env-file .env -f docker-compose.infrastructure.yml up -d + +# 6. Launch Stella Ops (first run pulls ~50 MB merged vuln DB) +docker compose --env-file .env -f docker-compose.stella-ops.yml up -d +```` + +*Default login:* `admin / changeme` +UI: [https://\<host\>:8443](https://<host>:8443) (self‑signed certificate) + +> **Pinning best‑practice** – in production environments replace +> `stella-ops:latest` with the immutable digest printed by +> `docker images --digests`. + +> **Repo bundles** – Development, staging, and air‑gapped Compose profiles live +> under `deploy/compose/`, already tied to the release manifests in +> `deploy/releases/`. Helm users can pull the same channel overlays from +> `deploy/helm/stellaops/values-*.yaml` and validate everything with +> `deploy/tools/validate-profiles.sh`. 
+ +### 1.1 · Concelier authority configuration + +The Concelier container reads configuration from `etc/concelier.yaml` plus +`CONCELIER_` environment variables. To enable the new Authority integration: + +1. Add the following keys to `.env` (replace values for your environment): + + ```bash + CONCELIER_AUTHORITY__ENABLED=true + CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true # temporary rollout only + CONCELIER_AUTHORITY__ISSUER="https://authority.internal" + CONCELIER_AUTHORITY__AUDIENCES__0="api://concelier" + CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger" + CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read" + CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest" + CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default" + CONCELIER_AUTHORITY__CLIENTID="concelier-jobs" + CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger" + CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read" + CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest" + CONCELIER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/concelier_authority_client" + CONCELIER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32" + CONCELIER_AUTHORITY__BYPASSNETWORKS__1="::1/128" + CONCELIER_AUTHORITY__RESILIENCE__ENABLERETRIES=true + CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__0="00:00:01" + CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__1="00:00:02" + CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__2="00:00:05" + CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK=true + CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE="00:10:00" + ``` + + Store the client secret outside source control (Docker secrets, mounted file, + or Kubernetes Secret). Concelier loads the secret during post-configuration, so + the value never needs to appear in the YAML template. + + Connected sites can keep the retry ladder short (1 s, 2 s, 5 s) so job triggers fail fast when Authority is down. For air‑gapped or intermittently connected deployments, extend `RESILIENCE__OFFLINECACHETOLERANCE` (e.g. 
`00:30:00`) so cached discovery/JWKS data remains valid while the Offline Kit synchronises upstream changes. + +2. Redeploy Concelier: + + ```bash + docker compose --env-file .env -f docker-compose.stella-ops.yml up -d concelier + ``` + +3. Tail the logs: `docker compose logs -f concelier`. Successful `/jobs*` calls now + emit `Concelier.Authorization.Audit` entries with `route`, `status`, `subject`, + `clientId`, `scopes`, `bypass`, and `remote` fields. 401 denials keep the same + shape—watch for `bypass=True`, which indicates a bypass CIDR accepted an anonymous + call. See `docs/modules/concelier/operations/authority-audit-runbook.md` for a full audit/alerting checklist. + +> **Enforcement deadline** – keep `CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true` +> only while validating the rollout. Set it to `false` (and restart Concelier) +> before **2025-12-31 UTC** to require tokens in production. + +--- + +## 2 · Optional: request a free quota token + +Anonymous installs allow **{{ quota\_anon }} scans per UTC day**. +Email `token@stella-ops.org` to receive a signed JWT that raises the limit to +**{{ quota\_token }} scans/day**. Insert it into `.env`: + +```bash +STELLA_JWT="paste‑token‑here" +docker compose --env-file .env -f docker-compose.stella-ops.yml \ + exec stella-ops stella set-jwt "$STELLA_JWT" +``` + +>  The UI shows a reminder at 200 scans and throttles above the limit but will +>  **never block** your pipeline. 
+ +--- + +## 3 · Air‑gapped install (Offline Update Kit) + +When running on an isolated network use the **Offline Update Kit (OUK)**: + +```bash +# Download & verify on a connected host +curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz +curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz.sig + +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature stella-ops-offline-kit-v0.1a.tgz.sig \ + stella-ops-offline-kit-v0.1a.tgz + +# Transfer → air‑gap → import +docker compose --env-file .env -f docker-compose.stella-ops.yml \ + exec stella admin import-offline-usage-kit stella-ops-offline-kit-v0.1a.tgz +``` + +*Import is atomic; no service downtime.* + +For details see the dedicated [Offline Kit guide](/offline/). + +--- + +## 4 · Next steps + +* **5‑min Quick‑Start:** `/quickstart/` +* **CI recipes:** `docs/ci/20_CI_RECIPES.md` +* **Plug‑in SDK:** `/plugins/` + +--- + +*Generated {{ "now" | date: "%Y‑%m‑%d" }} — build tags inserted at render time.* diff --git a/docs/24_OFFLINE_KIT.md b/docs/24_OFFLINE_KIT.md index b34fbaf1..3c913f65 100755 --- a/docs/24_OFFLINE_KIT.md +++ b/docs/24_OFFLINE_KIT.md 
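Review bot: Every `-` line in this hunk is re-added with identical text, so this looks like a line-ending or whitespace normalization of `docs/21_INSTALL_GUIDE.md` rather than a content change, yet the commit subject ("Align AOC tasks for Excititor and Concelier") does not mention it. Please confirm with `git diff -w` / `--ignore-cr-at-eol` that nothing else moved, split the normalization into its own commit, and if it is CRLF-to-LF add a `.gitattributes` rule so the file does not flip back on the next checkout. Since the rewrite touches every line anyway, two defects carried over verbatim are worth fixing now: the section 1 code block opens with "```bash" but closes with "````" (four backticks), which breaks rendering of everything after it, and the section 3 air-gap import runs `exec stella admin import-offline-usage-kit ...` while the section 2 snippet in the same file runs `exec stella-ops stella set-jwt ...`, so the Compose service name (`stella-ops`) appears to be missing from the import command.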
@@ -1,286 +1,286 @@ -# Offline Update Kit (OUK) — Air‑Gap Bundle - - - -The **Offline Update Kit** packages everything Stella Ops needs to run on a -completely isolated network: - -| Component | Contents | -|-----------|----------| -| **Merged vulnerability feeds** | OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU | -| **Container images** | `stella-ops`, *Zastava* sidecar (x86‑64 & arm64) | -| **Provenance** | Cosign signature, SPDX 2.3 SBOM, in‑toto SLSA attestation | -| **Attested manifest** | `offline-manifest.json` + detached JWS covering bundle metadata, signed during export. | -| **Delta patches** | Daily diff bundles keep size \< 350 MB | -| **Scanner plug-ins** | OS analyzers plus the Node.js, Go, .NET, and Python language analyzers packaged under `plugins/scanner/analyzers/**` with manifests so Workers load deterministically offline. | -| **Debug store** | `.debug` artefacts laid out under `debug/.build-id//.debug` with `debug/debug-manifest.json` mapping build-ids to originating images for symbol retrieval. | -| **Telemetry collector bundle** | `telemetry/telemetry-offline-bundle.tar.gz` plus `.sha256`, containing OTLP collector config, Helm/Compose overlays, and operator instructions. | - -**RU BDU note:** ship the official Russian Trusted Root/Sub CA bundle (`certificates/russian_trusted_bundle.pem`) inside the kit so `concelier:httpClients:source.bdu:trustedRootPaths` can resolve it when the service runs in an air‑gapped network. Drop the most recent `vulxml.zip` alongside the kit if operators need a cold-start cache. - -**Language analyzers:** the kit now carries the restart-only Node.js, Go, .NET, and Python analyzer plug-ins (`plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Node/`, `...Lang.Go/`, `...Lang.DotNet/`, `...Lang.Python/`). Drop the directories alongside Worker binaries so the unified plug-in catalog can load them without outbound fetches; Rust remains on the Wave 4 roadmap. 
- -*Scanner core:* C# 12 on **.NET {{ dotnet }}**. -*Imports are idempotent and atomic — no service downtime.* - -## 0 · Prepare the debug store - -Before packaging the Offline Kit, mirror the release debug artefacts (GNU build-id `.debug` files and the associated manifest) into the staging directory: - -```bash -./ops/offline-kit/mirror_debug_store.py \ - --release-dir out/release \ - --offline-kit-dir out/offline-kit -``` - -The helper copies `debug/.build-id/**`, validates `debug/debug-manifest.json` against its recorded SHA-256, and writes `out/offline-kit/metadata/debug-store.json` with a short summary (platforms, artefact counts, sample build-ids). The command exits non-zero if an artefact referenced by the manifest is missing or has the wrong digest, so run it as part of every kit build. - ---- - -## 0.1 · Automated packaging - -The packaging workflow is scripted via `ops/offline-kit/build_offline_kit.py`. -It verifies the release artefacts, runs the Python analyzer smoke suite, mirrors the debug store, and emits a deterministic tarball + manifest set. - -```bash -python ops/offline-kit/build_offline_kit.py \ - --version 2025.10.0 \ - --channel edge \ - --release-dir out/release \ - --staging-dir out/offline-kit/staging \ - --output-dir out/offline-kit/dist - -# Optional: regenerate the telemetry collector bundle prior to packaging. 
-python ops/devops/telemetry/package_offline_bundle.py --output out/telemetry/telemetry-offline-bundle.tar.gz -``` - -Outputs: - -- `stella-ops-offline-kit--.tar.gz` — bundle (mtime/uid/gid forced to zero for reproducibility) -- `stella-ops-offline-kit--.tar.gz.sha256` — bundle digest -- `manifest/offline-manifest.json` + `.sha256` — inventories every file in the bundle -- `.metadata.json` — descriptor consumed by the CLI/Console import tooling -- `telemetry/telemetry-offline-bundle.tar.gz` + `.sha256` — packaged OTLP collector assets for environments without upstream access -- `plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/*.sig` (+ `.sha256`) — Cosign signatures for the Python analyzer DLL and manifest - -### Policy Gateway configuration bundle - -- Copy `etc/policy-gateway.yaml` (or the `*.sample` template if you expect operators to override values) into `config/policy-gateway/policy-gateway.yaml` within the staging tree. -- Include the gateway DPoP private key under `secrets/policy-gateway/policy-gateway-dpop.pem` and reference the location inside the manifest notes. Set the permissions explicitly (`chmod 600 secrets/policy-gateway/policy-gateway-dpop.pem`) so only the kit importer can read it; the importer will refuse keys that are broader. -- Document the gateway base URL and activation verification steps in `docs/policy/gateway.md` (bundled alongside the kit). Operators can use those curl snippets to smoke-test pack CRUD once the Offline Kit is imported. -- Ensure the Prometheus snapshot captured during packaging contains `policy_gateway_activation_requests_total` so auditors can reconcile activation attempts performed via the gateway during the validation window. - -Provide `--cosign-key` / `--cosign-identity-token` (and optional `--cosign-password`) to generate Cosign signatures for both the tarball and manifest. 
- ---- - -## 1 · Download & verify - -```bash -curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-.tgz -curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-.tgz.sig -curl -LO https://get.stella-ops.org/ouk/offline-manifest-.json -curl -LO https://get.stella-ops.org/ouk/offline-manifest-.json.jws - -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature stella-ops-offline-kit-.tgz.sig \ - stella-ops-offline-kit-.tgz -```` - -**CLI shortcut.** `stellaops-cli offline kit pull --destination ./offline-kit` downloads the bundle, manifest, and detached signatures in one step, resumes partial transfers, and writes a `.metadata.json` summary for later import. - -Verification prints **OK** and the SHA‑256 digest; cross‑check against the -[changelog](https://git.stella-ops.org/stella-ops/offline-kit/-/releases). - -Validate the attested manifest before distribution: - -```bash -cosign verify-blob \ - --key https://stella-ops.org/keys/cosign.pub \ - --signature offline-manifest-.json.jws \ - offline-manifest-.json - -jq '.artifacts[] | {name, sha256, size, capturedAt}' offline-manifest-.json -``` - -The manifest enumerates every artefact (`name`, `sha256`, `size`, `capturedAt`) and is signed with the same key registry as Authority revocation bundles. Operators can ship the manifest alongside the tarball so downstream mirrors can re-verify without unpacking the kit. 
- -Example excerpt (2025-10-23 kit) showing the Go and .NET analyzer plug-in payloads: - -```json -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.dll", - "sha256": "a6dc850fc51151c8967ef46a3c4730f08b549667e041079431f39a8a72d0b641", - "size": 33792, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.pdb", - "sha256": "6cbdabf155282f458b89edf267e7f6bb2441a93029aad7aad45c8a9ec58b1b3b", - "size": 32152, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/manifest.json", - "sha256": "c19bfca2fcbb7cb18f1082b5d0d5a8f15fc799c648b50e95fce8d8b109ce48c9", - "size": 622, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.dll", - "sha256": "0734d23e33277ce2ccb596782d2d42cfe394b3d372dc34da9cb28b59df9b9d22", - "size": 70144, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.pdb", - "sha256": "b853c1ff4b196715f5bd1447e1a13edeb4940917527ec9bf153b5048da49abaf", - "size": 40400, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/manifest.json", - "sha256": "5d483885f825f01bfd9943dcf2889ec2e0beba38ede92ecfe67d4f506cf14e37", - "size": 647, - "capturedAt": "2025-10-23T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.dll", - "sha256": "a4f558f363394096e3dd6263f35b180b93b4112f9cf616c05872da8a8657d518", - "size": 47104, - "capturedAt": "2025-10-26T00:00:00Z" -} -{ - "name": 
"plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.pdb", - "sha256": "ef2ad78bc2cd1d7e99bae000b92357aa9a9c32938501899e9033d001096196d0", - "size": 31896, - "capturedAt": "2025-10-26T00:00:00Z" -} -{ - "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/manifest.json", - "sha256": "668ad9a1a35485628677b639db4d996d1e25f62021680a81a22482483800e557", - "size": 648, - "capturedAt": "2025-10-26T00:00:00Z" -} -``` - ---- - -## 2 · Import on the air‑gapped host - -```bash -docker compose --env-file .env \ - -f docker-compose.stella-ops.yml \ - exec stella-ops \ - stella admin import-offline-usage-kit stella-ops-offline-kit-.tgz -``` - -Alternatively, run - -```bash -stellaops-cli offline kit import stella-ops-offline-kit-.tgz \ - --manifest offline-manifest-.json \ - --bundle-signature stella-ops-offline-kit-.tgz.sig \ - --manifest-signature offline-manifest-.json.jws -``` - -The CLI validates recorded digests (when `.metadata.json` is present) before streaming the multipart payload to `/api/offline-kit/import`. - -* The CLI validates the Cosign signature **before** activation. -* Old feeds are kept until the new bundle is fully verified. -* Import time on a SATA SSD: ≈ 25 s for a 300 MB kit. - -### 2.1 Validator + idempotency enablement (air-gap) - -The Offline Kit carries the same helper scripts under `scripts/`: - -1. **Duplicate audit:** run - ```bash - mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;' - ``` - to verify no `(vendor, upstream_id, content_hash, tenant)` conflicts remain before enabling the idempotency index. -2. **Apply validators:** execute `mongo concelier ops/devops/scripts/apply-aoc-validators.js` (and the Excititor equivalent) with `validationLevel: "moderate"` in maintenance mode. -3. 
**Restart Concelier** so migrations `20251028_advisory_raw_idempotency_index` and `20251028_advisory_supersedes_backfill` run automatically. After the restart: - - Confirm `db.advisory` resolves to a view on `advisory_backup_20251028`. - - Spot-check a few `advisory_raw` entries to ensure `supersedes` chains are populated deterministically. -4. **Smoke test:** run `stella sources ingest --dry-run --fixture advisory` (bundled fixtures) to confirm ingestion succeeds post-guard and the CLI reports zero violations. - -### Authority scope sanity check - -Offline installs rely on the bundled `etc/authority.yaml.sample`. Before promoting the kit, confirm the sample clients keep the Aggregation-Only guardrails: - -- `aoc-verifier` requests `aoc:verify`, `advisory:read`, and `vex:read`. -- `signals-uploader` requests `signals:write`, `signals:read`, and `aoc:verify`. - -Authority now rejects tokens that request `advisory:read`, `vex:read`, or any `signals:*` scope without `aoc:verify`; the sample has been updated to match. If you maintain tenant-specific overlays, mirror the same pairing so air-gapped automation fails deterministically with `invalid_scope` when misconfigured. - -**Quick smoke test:** before import, verify the tarball carries the Go analyzer plug-in: - -```bash -tar -tzf stella-ops-offline-kit-.tgz 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/*' 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/*' 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/*' -``` - -The manifest lookup above and this `tar` listing should both surface the Go analyzer DLL, PDB, and manifest entries before the kit is promoted. 
- -> **Release guardrail.** The automated release pipeline now publishes the Python plug-in from source and executes `dotnet run --project src/Tools/LanguageAnalyzerSmoke --configuration Release -- --repo-root ` to validate manifest integrity and cold/warm determinism within the < 30 s / < 5 s budgets (differences versus repository goldens are logged for triage). Run `ops/offline-kit/run-python-analyzer-smoke.sh` locally before shipping a refreshed kit if you rebuild artefacts outside CI or when preparing the air-gap bundle. - -### Debug store mirror - -Offline symbols (`debug/.build-id/**`) must accompany every Offline Kit to keep symbol lookup deterministic. The release workflow is expected to emit `out/release/debug/` containing the build-id tree plus `debug-manifest.json` and its `.sha256` companion. After a release completes: - -```bash -python ops/offline-kit/mirror_debug_store.py \ - --release-dir out/release \ - --offline-dir out/offline-kit \ - --summary out/offline-kit/metadata/debug-store.json -``` - -The script mirrors the debug tree into the Offline Kit staging directory, verifies SHA-256 values against the manifest, and writes a summary under `metadata/debug-store.json` for audit logs. If the release pipeline does not populate `out/release/debug`, the tooling now logs a warning (`DEVOPS-REL-17-004`)—treat it as a build failure and re-run the release once symbol extraction is enabled. - ---- - -## 3 · Delta patch workflow - -1. **Connected site** fetches `stella-ouk-YYYY‑MM‑DD.delta.tgz`. -2. Transfer via any medium (USB, portable disk). -3. `stella admin import-offline-usage-kit ` applies only changed CVE rows & images. - -Daily deltas are **< 30 MB**; weekly roll‑up produces a fresh full kit. 
- ---- - -## 4 · Quota behaviour offline - -The scanner enforces the same fair‑use limits offline: - -* **Anonymous:** {{ quota\_anon }} scans per UTC day -* **Free JWT:** {{ quota\_token }} scans per UTC day - -Soft reminder at 200 scans; throttle above the ceiling but **never block**. -See the detailed rules in -[`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md). - ---- - -## 5 · Troubleshooting - -| Symptom | Explanation | Fix | -| -------------------------------------- | ---------------------------------------- | ------------------------------------- | -| `could not verify SBOM hash` | Bundle corrupted in transit | Re‑download / re‑copy | -| Import hangs at `Applying feeds…` | Low disk space in `/var/lib/stella` | Free ≥ 2 GiB before retry | -| `quota exceeded` same day after import | Import resets counters at UTC 00:00 only | Wait until next UTC day or load a JWT | - ---- - -## 6 · Related documentation - -* **Install guide:** `/install/#air-gapped` -* **Sovereign mode rationale:** `/sovereign/` -* **Security policy:** `/security/#reporting-a-vulnerability` -* **CERT-Bund snapshots:** `python src/Tools/certbund_offline_snapshot.py --help` (see `docs/modules/concelier/operations/connectors/certbund.md`) +# Offline Update Kit (OUK) — Air‑Gap Bundle + + + +The **Offline Update Kit** packages everything Stella Ops needs to run on a +completely isolated network: + +| Component | Contents | +|-----------|----------| +| **Merged vulnerability feeds** | OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU | +| **Container images** | `stella-ops`, *Zastava* sidecar (x86‑64 & arm64) | +| **Provenance** | Cosign signature, SPDX 2.3 SBOM, in‑toto SLSA attestation | +| **Attested manifest** | `offline-manifest.json` + detached JWS covering bundle metadata, signed during export. 
| +| **Delta patches** | Daily diff bundles keep size \< 350 MB | +| **Scanner plug-ins** | OS analyzers plus the Node.js, Go, .NET, and Python language analyzers packaged under `plugins/scanner/analyzers/**` with manifests so Workers load deterministically offline. | +| **Debug store** | `.debug` artefacts laid out under `debug/.build-id//.debug` with `debug/debug-manifest.json` mapping build-ids to originating images for symbol retrieval. | +| **Telemetry collector bundle** | `telemetry/telemetry-offline-bundle.tar.gz` plus `.sha256`, containing OTLP collector config, Helm/Compose overlays, and operator instructions. | + +**RU BDU note:** ship the official Russian Trusted Root/Sub CA bundle (`certificates/russian_trusted_bundle.pem`) inside the kit so `concelier:httpClients:source.bdu:trustedRootPaths` can resolve it when the service runs in an air‑gapped network. Drop the most recent `vulxml.zip` alongside the kit if operators need a cold-start cache. + +**Language analyzers:** the kit now carries the restart-only Node.js, Go, .NET, and Python analyzer plug-ins (`plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Node/`, `...Lang.Go/`, `...Lang.DotNet/`, `...Lang.Python/`). Drop the directories alongside Worker binaries so the unified plug-in catalog can load them without outbound fetches; Rust remains on the Wave 4 roadmap. + +*Scanner core:* C# 12 on **.NET {{ dotnet }}**. 
+*Imports are idempotent and atomic — no service downtime.* + +## 0 · Prepare the debug store + +Before packaging the Offline Kit, mirror the release debug artefacts (GNU build-id `.debug` files and the associated manifest) into the staging directory: + +```bash +./ops/offline-kit/mirror_debug_store.py \ + --release-dir out/release \ + --offline-kit-dir out/offline-kit +``` + +The helper copies `debug/.build-id/**`, validates `debug/debug-manifest.json` against its recorded SHA-256, and writes `out/offline-kit/metadata/debug-store.json` with a short summary (platforms, artefact counts, sample build-ids). The command exits non-zero if an artefact referenced by the manifest is missing or has the wrong digest, so run it as part of every kit build. + +--- + +## 0.1 · Automated packaging + +The packaging workflow is scripted via `ops/offline-kit/build_offline_kit.py`. +It verifies the release artefacts, runs the Python analyzer smoke suite, mirrors the debug store, and emits a deterministic tarball + manifest set. + +```bash +python ops/offline-kit/build_offline_kit.py \ + --version 2025.10.0 \ + --channel edge \ + --release-dir out/release \ + --staging-dir out/offline-kit/staging \ + --output-dir out/offline-kit/dist + +# Optional: regenerate the telemetry collector bundle prior to packaging. 
+python ops/devops/telemetry/package_offline_bundle.py --output out/telemetry/telemetry-offline-bundle.tar.gz +``` + +Outputs: + +- `stella-ops-offline-kit--.tar.gz` — bundle (mtime/uid/gid forced to zero for reproducibility) +- `stella-ops-offline-kit--.tar.gz.sha256` — bundle digest +- `manifest/offline-manifest.json` + `.sha256` — inventories every file in the bundle +- `.metadata.json` — descriptor consumed by the CLI/Console import tooling +- `telemetry/telemetry-offline-bundle.tar.gz` + `.sha256` — packaged OTLP collector assets for environments without upstream access +- `plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/*.sig` (+ `.sha256`) — Cosign signatures for the Python analyzer DLL and manifest + +### Policy Gateway configuration bundle + +- Copy `etc/policy-gateway.yaml` (or the `*.sample` template if you expect operators to override values) into `config/policy-gateway/policy-gateway.yaml` within the staging tree. +- Include the gateway DPoP private key under `secrets/policy-gateway/policy-gateway-dpop.pem` and reference the location inside the manifest notes. Set the permissions explicitly (`chmod 600 secrets/policy-gateway/policy-gateway-dpop.pem`) so only the kit importer can read it; the importer will refuse keys that are broader. +- Document the gateway base URL and activation verification steps in `docs/policy/gateway.md` (bundled alongside the kit). Operators can use those curl snippets to smoke-test pack CRUD once the Offline Kit is imported. +- Ensure the Prometheus snapshot captured during packaging contains `policy_gateway_activation_requests_total` so auditors can reconcile activation attempts performed via the gateway during the validation window. + +Provide `--cosign-key` / `--cosign-identity-token` (and optional `--cosign-password`) to generate Cosign signatures for both the tarball and manifest. 
+ +--- + +## 1 · Download & verify + +```bash +curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-.tgz +curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-.tgz.sig +curl -LO https://get.stella-ops.org/ouk/offline-manifest-.json +curl -LO https://get.stella-ops.org/ouk/offline-manifest-.json.jws + +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature stella-ops-offline-kit-.tgz.sig \ + stella-ops-offline-kit-.tgz +```` + +**CLI shortcut.** `stellaops-cli offline kit pull --destination ./offline-kit` downloads the bundle, manifest, and detached signatures in one step, resumes partial transfers, and writes a `.metadata.json` summary for later import. + +Verification prints **OK** and the SHA‑256 digest; cross‑check against the +[changelog](https://git.stella-ops.org/stella-ops/offline-kit/-/releases). + +Validate the attested manifest before distribution: + +```bash +cosign verify-blob \ + --key https://stella-ops.org/keys/cosign.pub \ + --signature offline-manifest-.json.jws \ + offline-manifest-.json + +jq '.artifacts[] | {name, sha256, size, capturedAt}' offline-manifest-.json +``` + +The manifest enumerates every artefact (`name`, `sha256`, `size`, `capturedAt`) and is signed with the same key registry as Authority revocation bundles. Operators can ship the manifest alongside the tarball so downstream mirrors can re-verify without unpacking the kit. 
+ +Example excerpt (2025-10-23 kit) showing the Go and .NET analyzer plug-in payloads: + +```json +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.dll", + "sha256": "a6dc850fc51151c8967ef46a3c4730f08b549667e041079431f39a8a72d0b641", + "size": 33792, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.pdb", + "sha256": "6cbdabf155282f458b89edf267e7f6bb2441a93029aad7aad45c8a9ec58b1b3b", + "size": 32152, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/manifest.json", + "sha256": "c19bfca2fcbb7cb18f1082b5d0d5a8f15fc799c648b50e95fce8d8b109ce48c9", + "size": 622, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.dll", + "sha256": "0734d23e33277ce2ccb596782d2d42cfe394b3d372dc34da9cb28b59df9b9d22", + "size": 70144, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.pdb", + "sha256": "b853c1ff4b196715f5bd1447e1a13edeb4940917527ec9bf153b5048da49abaf", + "size": 40400, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/manifest.json", + "sha256": "5d483885f825f01bfd9943dcf2889ec2e0beba38ede92ecfe67d4f506cf14e37", + "size": 647, + "capturedAt": "2025-10-23T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.dll", + "sha256": "a4f558f363394096e3dd6263f35b180b93b4112f9cf616c05872da8a8657d518", + "size": 47104, + "capturedAt": "2025-10-26T00:00:00Z" +} +{ + "name": 
"plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.pdb", + "sha256": "ef2ad78bc2cd1d7e99bae000b92357aa9a9c32938501899e9033d001096196d0", + "size": 31896, + "capturedAt": "2025-10-26T00:00:00Z" +} +{ + "name": "plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/manifest.json", + "sha256": "668ad9a1a35485628677b639db4d996d1e25f62021680a81a22482483800e557", + "size": 648, + "capturedAt": "2025-10-26T00:00:00Z" +} +``` + +--- + +## 2 · Import on the air‑gapped host + +```bash +docker compose --env-file .env \ + -f docker-compose.stella-ops.yml \ + exec stella-ops \ + stella admin import-offline-usage-kit stella-ops-offline-kit-.tgz +``` + +Alternatively, run + +```bash +stellaops-cli offline kit import stella-ops-offline-kit-.tgz \ + --manifest offline-manifest-.json \ + --bundle-signature stella-ops-offline-kit-.tgz.sig \ + --manifest-signature offline-manifest-.json.jws +``` + +The CLI validates recorded digests (when `.metadata.json` is present) before streaming the multipart payload to `/api/offline-kit/import`. + +* The CLI validates the Cosign signature **before** activation. +* Old feeds are kept until the new bundle is fully verified. +* Import time on a SATA SSD: ≈ 25 s for a 300 MB kit. + +### 2.1 Validator + idempotency enablement (air-gap) + +The Offline Kit carries the same helper scripts under `scripts/`: + +1. **Duplicate audit:** run + ```bash + mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;' + ``` + to verify no `(vendor, upstream_id, content_hash, tenant)` conflicts remain before enabling the idempotency index. +2. **Apply validators:** execute `mongo concelier ops/devops/scripts/apply-aoc-validators.js` (and the Excititor equivalent) with `validationLevel: "moderate"` in maintenance mode. +3. 
**Restart Concelier** so migrations `20251028_advisory_raw_idempotency_index` and `20251028_advisory_supersedes_backfill` run automatically. After the restart: + - Confirm `db.advisory` resolves to a view on `advisory_backup_20251028`. + - Spot-check a few `advisory_raw` entries to ensure `supersedes` chains are populated deterministically. +4. **Smoke test:** run `stella sources ingest --dry-run --fixture advisory` (bundled fixtures) to confirm ingestion succeeds post-guard and the CLI reports zero violations. + +### Authority scope sanity check + +Offline installs rely on the bundled `etc/authority.yaml.sample`. Before promoting the kit, confirm the sample clients keep the Aggregation-Only guardrails: + +- `aoc-verifier` requests `aoc:verify`, `advisory:read`, and `vex:read`. +- `signals-uploader` requests `signals:write`, `signals:read`, and `aoc:verify`. + +Authority now rejects tokens that request `advisory:read`, `vex:read`, or any `signals:*` scope without `aoc:verify`; the sample has been updated to match. If you maintain tenant-specific overlays, mirror the same pairing so air-gapped automation fails deterministically with `invalid_scope` when misconfigured. + +**Quick smoke test:** before import, verify the tarball carries the Go analyzer plug-in: + +```bash +tar -tzf stella-ops-offline-kit-.tgz 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Go/*' 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.DotNet/*' 'plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/*' +``` + +The manifest lookup above and this `tar` listing should both surface the Go analyzer DLL, PDB, and manifest entries before the kit is promoted. 
+ +> **Release guardrail.** The automated release pipeline now publishes the Python plug-in from source and executes `dotnet run --project src/Tools/LanguageAnalyzerSmoke --configuration Release -- --repo-root ` to validate manifest integrity and cold/warm determinism within the < 30 s / < 5 s budgets (differences versus repository goldens are logged for triage). Run `ops/offline-kit/run-python-analyzer-smoke.sh` locally before shipping a refreshed kit if you rebuild artefacts outside CI or when preparing the air-gap bundle. + +### Debug store mirror + +Offline symbols (`debug/.build-id/**`) must accompany every Offline Kit to keep symbol lookup deterministic. The release workflow is expected to emit `out/release/debug/` containing the build-id tree plus `debug-manifest.json` and its `.sha256` companion. After a release completes: + +```bash +python ops/offline-kit/mirror_debug_store.py \ + --release-dir out/release \ + --offline-dir out/offline-kit \ + --summary out/offline-kit/metadata/debug-store.json +``` + +The script mirrors the debug tree into the Offline Kit staging directory, verifies SHA-256 values against the manifest, and writes a summary under `metadata/debug-store.json` for audit logs. If the release pipeline does not populate `out/release/debug`, the tooling now logs a warning (`DEVOPS-REL-17-004`)—treat it as a build failure and re-run the release once symbol extraction is enabled. + +--- + +## 3 · Delta patch workflow + +1. **Connected site** fetches `stella-ouk-YYYY‑MM‑DD.delta.tgz`. +2. Transfer via any medium (USB, portable disk). +3. `stella admin import-offline-usage-kit ` applies only changed CVE rows & images. + +Daily deltas are **< 30 MB**; weekly roll‑up produces a fresh full kit. 
+ +--- + +## 4 · Quota behaviour offline + +The scanner enforces the same fair‑use limits offline: + +* **Anonymous:** {{ quota\_anon }} scans per UTC day +* **Free JWT:** {{ quota\_token }} scans per UTC day + +Soft reminder at 200 scans; throttle above the ceiling but **never block**. +See the detailed rules in +[`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md). + +--- + +## 5 · Troubleshooting + +| Symptom | Explanation | Fix | +| -------------------------------------- | ---------------------------------------- | ------------------------------------- | +| `could not verify SBOM hash` | Bundle corrupted in transit | Re‑download / re‑copy | +| Import hangs at `Applying feeds…` | Low disk space in `/var/lib/stella` | Free ≥ 2 GiB before retry | +| `quota exceeded` same day after import | Import resets counters at UTC 00:00 only | Wait until next UTC day or load a JWT | + +--- + +## 6 · Related documentation + +* **Install guide:** `/install/#air-gapped` +* **Sovereign mode rationale:** `/sovereign/` +* **Security policy:** `/security/#reporting-a-vulnerability` +* **CERT-Bund snapshots:** `python src/Tools/certbund_offline_snapshot.py --help` (see `docs/modules/concelier/operations/connectors/certbund.md`) diff --git a/docs/AGENTS.md b/docs/AGENTS.md index efe4242a..333d45a1 100644 --- a/docs/AGENTS.md +++ b/docs/AGENTS.md 
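Review bot: in section 1 of docs/24_OFFLINE_KIT.md both `cosign verify-blob` invocations fetch the public key from `https://stella-ops.org/keys/cosign.pub` at verification time, so the trust decision rests on whoever can serve that URL rather than on a key the operator already holds; document shipping `cosign.pub` with the kit (or with the Offline Kit tooling) together with its fingerprint and pass the local copy via `--key ./cosign.pub`. The sentence "Verification prints **OK** and the SHA-256 digest" should be checked against the tool's real output: `cosign verify-blob` reports `Verified OK` but does not print the digest, so tell the operator to compute it with `sha256sum` before cross-checking the changelog. Still in section 1, the first bash block opens with three backticks but closes with four (````), which breaks rendering of everything after it, and the manifest step passes a `.jws` file to `cosign verify-blob --signature`; either confirm cosign accepts that format or describe the JWS verification the manifest actually uses. The version placeholder is missing throughout the file (`stella-ops-offline-kit-.tgz`, `offline-manifest-.json`, `--repo-root `, and the bare `stella admin import-offline-usage-kit ` in step 3 of the delta workflow); restore the `<version>`-style placeholder so the commands are not copy-pasted verbatim. Finally, the manifest excerpt is introduced as "Go and .NET analyzer plug-in payloads" but also lists Python entries, and the quick smoke test prose says "Go analyzer plug-in" while the `tar -tzf` command lists Go, .NET and Python; align the prose with the commands.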
@@ -1,20 +1,20 @@ -# Docs & Enablement Guild - -## Mission -Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding. - -## Scope Highlights -- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`). -- Concelier quickstarts, CLI guides, Offline Kit manuals. -- Release notes and migration playbooks. - -## Operating Principles -- Keep guides deterministic and in sync with shipped configuration samples. -- Prefer tables/checklists for operator steps; flag security-sensitive actions. -- When work involves a specific `StellaOps.` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules//architecture.md` before drafting or editing content. -- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED). - -## Coordination -- Authority Core & Plugin teams for auth-related changes. -- Security Guild for threat-model outputs and mitigations. -- DevEx for tooling diagrams and documentation pipeline. +# Docs & Enablement Guild + +## Mission +Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding. + +## Scope Highlights +- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`). +- Concelier quickstarts, CLI guides, Offline Kit manuals. +- Release notes and migration playbooks. + +## Operating Principles +- Keep guides deterministic and in sync with shipped configuration samples. +- Prefer tables/checklists for operator steps; flag security-sensitive actions. +- When work involves a specific `StellaOps.` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules//architecture.md` before drafting or editing content. 
+- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED). + +## Coordination +- Authority Core & Plugin teams for auth-related changes. +- Security Guild for threat-model outputs and mitigations. +- DevEx for tooling diagrams and documentation pipeline. diff --git a/docs/accessibility.md b/docs/accessibility.md index 08013614..aec14fae 100644 --- a/docs/accessibility.md +++ b/docs/accessibility.md 
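Review bot: every line of docs/AGENTS.md is removed and re-added with identical content (`@@ -1,20 +1,20 @@`), so this hunk is a whitespace or line-ending-only change that the commit message "Align AOC tasks for Excititor and Concelier" does not mention; either state the normalization in the message, split it into its own commit, or drop it from this patch so reviewers can diff the substantive changes. While here, the dossier path under Operating Principles reads `docs/modules//architecture.md` in both the old and the new text: the empty segment looks like a dropped module-name placeholder, so restore it (for example `docs/modules/<module>/architecture.md`).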
@@ -1,131 +1,131 @@ -# StellaOps Console Accessibility Guide - -> **Audience:** Accessibility Guild, Console Guild, Docs Guild, QA. -> **Scope:** Keyboard interaction model, screen-reader behaviour, colour & focus tokens, testing workflows, offline considerations, and compliance checklist for the StellaOps Console (Sprint 23). - -The console targets **WCAG 2.2 AA** across all supported browsers (Chromium, Firefox ESR) and honours StellaOps’ sovereign/offline constraints. Every build must keep keyboard-only users, screen-reader users, and high-contrast operators productive without relying on third-party services. - ---- - -## 1 · Accessibility Principles - -1. **Deterministic navigation** – Focus order, shortcuts, and announcements remain stable across releases; URLs encode state for deep links. -2. **Keyboard-first design** – Every actionable element is reachable via keyboard; shortcuts provide accelerators, and remapping is available via *Settings → Accessibility → Keyboard shortcuts*. -3. **Assistive technology parity** – ARIA roles and live regions mirror visual affordances (status banners, SSE tickers, progress drawers). Screen readers receive polite/atomic updates to avoid chatter. -4. **Colour & contrast tokens** – All palettes derive from design tokens that achieve ≥ 4.5:1 contrast (text) and ≥ 3:1 for graphical indicators; tokens pass automated contrast linting. -5. **Offline equivalence** – Accessibility features (shortcuts, offline banners, focus restoration) behave the same in sealed environments, with guidance when actions require online authority. - ---- - -## 2 · Keyboard Interaction Map - -### 2.1 Global shortcuts - -| Action | Macs | Windows/Linux | Notes | -|--------|------|---------------|-------| -| Command palette | `⌘ K` | `Ctrl K` | Focuses palette search; respects tenant scope. | -| Tenant picker | `⌘ T` | `Ctrl T` | Opens modal; `Enter` confirms, `Esc` cancels. 
| -| Filter tray toggle | `⇧ F` | `Shift F` | Focus lands on first filter; `Tab` cycles filters before returning to page. | -| Saved view presets | `⌘ 1-9` | `Ctrl 1-9` | Bound per tenant; missing preset triggers tooltip. | -| Keyboard reference | `?` | `?` | Opens overlay listing context-specific shortcuts; `Esc` closes. | -| Global search (context) | `/` | `/` | When the filter tray is closed, focuses inline search field. | - -### 2.2 Module-specific shortcuts - -| Module | Action | Macs | Windows/Linux | Notes | -|--------|--------|------|---------------|-------| -| Findings | Explain search | `⌘ /` | `Ctrl /` | Only when Explain drawer open; announces results via live region. | -| SBOM Explorer | Toggle overlays | `⌘ G` | `Ctrl G` | Persists per session (see `/docs/ui/sbom-explorer.md`). | -| Advisories & VEX | Provider filter | `⌘ ⌥ F` | `Ctrl Alt F` | Moves focus to provider chip row. | -| Runs | Refresh snapshot | `⌘ R` | `Ctrl R` | Soft refresh of SSE state; no full page reload. | -| Policies | Save draft | `⌘ S` | `Ctrl S` | Requires edit scope; exposes toast + status live update. | -| Downloads | Copy CLI command | `⇧ D` | `Shift D` | Copies manifest or export command; toast announces scope hints. | - -All shortcuts are remappable. Remaps persist in IndexedDB (per tenant) and export as part of profile bundles so operators can restore preferences offline. - ---- - -## 3 · Screen Reader & Focus Behaviour - -- **Skip navigation** – Each route exposes a “Skip to content” link revealed on keyboard focus. Focus order: global header → page breadcrumb → action shelf → data grid/list → drawers/dialogs. -- **Live regions** – Status ticker and SSE progress bars use `aria-live="polite"` with throttling to avoid flooding AT. Error toasts use `aria-live="assertive"` and auto-focus dismiss buttons. -- **Drawers & modals** – Dialog components trap focus, support `Esc` to close, and restore focus to the launching control. Screen readers announce title + purpose. 
-- **Tables & grids** – Large tables (Findings, SBOM inventory) switch to virtualised rows but retain ARIA grid semantics (`aria-rowcount`, `aria-colindex`). Column headers include sorting state via `aria-sort`. -- **Tenancy context** – Tenant badge exposes `aria-describedby` linking to context summary (environment, offline snapshot). Switching tenant queues a polite announcement summarising new scope. -- **Command palette** – Uses `role="dialog"` with search input labelled. Keyboard navigation within results uses `Up/Down`; screen readers announce result category + command. -- **Offline banner** – When offline, a dismissible banner announces reason and includes instructions for CLI fallback. The banner has `role="status"` so it announces once without stealing focus. - ---- - -## 4 · Colour & Focus Tokens - -Console consumes design tokens published by the Console Guild (tracked via CONSOLE-FEAT-23-102). Tokens live in the design system bundle (`ui/design/tokens/colors.json`, mirrored at build time). Key tokens: - -| Token | Purpose | Contrast target | -|-------|---------|-----------------| -| `so-color-surface-base` | Primary surface/background | ≥ 4.5:1 against `so-color-text-primary`. | -| `so-color-surface-raised` | Cards, drawers, modals | ≥ 3:1 against surrounding surfaces. | -| `so-color-text-primary` | Default text colour | ≥ 4.5:1 against base surfaces. | -| `so-color-text-inverted` | Text on accent buttons | ≥ 4.5:1 against accent fills. | -| `so-color-accent-primary` | Action buttons, focus headings | ≥ 3:1 against surface. | -| `so-color-status-critical` | Error toasts, violation chips | ≥ 4.5:1 for text; `critical-bg` provides >3:1 on neutral surface. | -| `so-color-status-warning` | Warning banners | Meets 3:1 on surface and 4.5:1 for text overlays. | -| `so-color-status-success` | Success toasts, pass badges | ≥ 3:1 for iconography; text uses `text-primary`. 
| -| `so-focus-ring` | 2 px outline used across focusable elements | 3:1 against both light/dark surfaces. | - -Colour tokens undergo automated linting (**axe-core contrast checks** + custom luminance script) during build. Any new token must include dark/light variants and pass the token contract tests. - ---- - -## 5 · Testing Workflow - -| Layer | Tooling | Frequency | Notes | -|-------|---------|-----------|-------| -| Component a11y | Storybook + axe-core addon | On PR (story CI) | Fails when axe detects violations. | -| Route regression | Playwright a11y sweep (`pnpm test:a11y`) | Nightly & release pipeline | Executes keyboard navigation, checks focus trap, runs Axe on key routes (Dashboard, Findings, SBOM, Admin). | -| Colour contrast lint | Token validator (`src/Tools/a11y/check-contrast.ts`) | On token change | Guards design token updates. | -| CI parity | Pending `scripts/check-console-cli-parity.sh` (CONSOLE-DOC-23-502) | Release CI | Ensures CLI commands documented for parity features. | -| Screen-reader spot checks | Manual NVDA + VoiceOver scripts | Pre-release checklist | Scenarios: tenant switch, explain drawer, downloads parity copy. | -| Offline smoke | `stella offline kit import` + Playwright sealed-mode run | Prior to Offline Kit cut | Validates offline banners, disabled actions, keyboard flows without Authority. | - -Accessibility QA (CONSOLE-QA-23-402) tracks failing scenarios via Playwright snapshots and publishes reports in the Downloads parity channel (`kind = "parity.report"` placeholder until CLI parity CI lands). - ---- - -## 6 · Offline & Internationalisation Considerations - -- Offline mode surfaces staleness badges and disables remote-only palette entries; keyboard focus skips disabled controls. -- Saved shortcuts, presets, and remaps serialise into Offline Kit bundles so operators can restore preferences post-import. 
-- Locale switching (future feature flag) will load translations at runtime; ensure ARIA labels use i18n tokens rather than hard-coded strings. -- For sealed installs, guidance panels include CLI equivalents (`stella auth fresh-auth`, `stella runs export`) to unblock tasks when Authority is unavailable. - ---- - -## 7 · Compliance Checklist - -- [ ] Keyboard shortcut matrix validated (default + remapped) and documented. -- [ ] Screen-reader pass recorded for tenant switch, Explain drawer, Downloads copy-to-clipboard. -- [ ] Colour tokens audited; contrast reports stored with release artifacts. -- [ ] Automated a11y pipelines (Storybook axe, Playwright a11y) green; failures feed the `#console-qa` channel. -- [ ] Offline kit a11y smoke executed before publishing each bundle. -- [ ] CLI parity gaps logged in `/docs/cli-vs-ui-parity.md`; UI callouts reference fallback commands until parity closes. -- [ ] Accessibility Guild sign-off captured in sprint log and release notes reference this guide. -- [ ] References cross-checked (`/docs/ui/navigation.md`, `/docs/ui/downloads.md`, `/docs/security/console-security.md`, `/docs/observability/ui-telemetry.md`). - ---- - -## 8 · References - -- `/docs/ui/navigation.md` – shortcut definitions, URL schema. -- `/docs/ui/downloads.md` – CLI parity and offline copy workflows. -- `/docs/ui/console-overview.md` – tenant model, filter behaviours. -- `/docs/security/console-security.md` – security metrics and DPoP/fresh-auth requirements. -- `/docs/observability/ui-telemetry.md` – telemetry metrics mapped to accessibility features. -- `/docs/cli-vs-ui-parity.md` – parity status per console feature. -- `CONSOLE-QA-23-402` – Accessibility QA backlog (Playwright + manual checks). -- `CONSOLE-FEAT-23-102` – Design tokens & theming delivery. - ---- - -*Last updated: 2025-10-28 (Sprint 23).* - +# StellaOps Console Accessibility Guide + +> **Audience:** Accessibility Guild, Console Guild, Docs Guild, QA. 
+> **Scope:** Keyboard interaction model, screen-reader behaviour, colour & focus tokens, testing workflows, offline considerations, and compliance checklist for the StellaOps Console (Sprint 23). + +The console targets **WCAG 2.2 AA** across all supported browsers (Chromium, Firefox ESR) and honours StellaOps’ sovereign/offline constraints. Every build must keep keyboard-only users, screen-reader users, and high-contrast operators productive without relying on third-party services. + +--- + +## 1 · Accessibility Principles + +1. **Deterministic navigation** – Focus order, shortcuts, and announcements remain stable across releases; URLs encode state for deep links. +2. **Keyboard-first design** – Every actionable element is reachable via keyboard; shortcuts provide accelerators, and remapping is available via *Settings → Accessibility → Keyboard shortcuts*. +3. **Assistive technology parity** – ARIA roles and live regions mirror visual affordances (status banners, SSE tickers, progress drawers). Screen readers receive polite/atomic updates to avoid chatter. +4. **Colour & contrast tokens** – All palettes derive from design tokens that achieve ≥ 4.5:1 contrast (text) and ≥ 3:1 for graphical indicators; tokens pass automated contrast linting. +5. **Offline equivalence** – Accessibility features (shortcuts, offline banners, focus restoration) behave the same in sealed environments, with guidance when actions require online authority. + +--- + +## 2 · Keyboard Interaction Map + +### 2.1 Global shortcuts + +| Action | Macs | Windows/Linux | Notes | +|--------|------|---------------|-------| +| Command palette | `⌘ K` | `Ctrl K` | Focuses palette search; respects tenant scope. | +| Tenant picker | `⌘ T` | `Ctrl T` | Opens modal; `Enter` confirms, `Esc` cancels. | +| Filter tray toggle | `⇧ F` | `Shift F` | Focus lands on first filter; `Tab` cycles filters before returning to page. 
| +| Saved view presets | `⌘ 1-9` | `Ctrl 1-9` | Bound per tenant; missing preset triggers tooltip. | +| Keyboard reference | `?` | `?` | Opens overlay listing context-specific shortcuts; `Esc` closes. | +| Global search (context) | `/` | `/` | When the filter tray is closed, focuses inline search field. | + +### 2.2 Module-specific shortcuts + +| Module | Action | Macs | Windows/Linux | Notes | +|--------|--------|------|---------------|-------| +| Findings | Explain search | `⌘ /` | `Ctrl /` | Only when Explain drawer open; announces results via live region. | +| SBOM Explorer | Toggle overlays | `⌘ G` | `Ctrl G` | Persists per session (see `/docs/ui/sbom-explorer.md`). | +| Advisories & VEX | Provider filter | `⌘ ⌥ F` | `Ctrl Alt F` | Moves focus to provider chip row. | +| Runs | Refresh snapshot | `⌘ R` | `Ctrl R` | Soft refresh of SSE state; no full page reload. | +| Policies | Save draft | `⌘ S` | `Ctrl S` | Requires edit scope; exposes toast + status live update. | +| Downloads | Copy CLI command | `⇧ D` | `Shift D` | Copies manifest or export command; toast announces scope hints. | + +All shortcuts are remappable. Remaps persist in IndexedDB (per tenant) and export as part of profile bundles so operators can restore preferences offline. + +--- + +## 3 · Screen Reader & Focus Behaviour + +- **Skip navigation** – Each route exposes a “Skip to content” link revealed on keyboard focus. Focus order: global header → page breadcrumb → action shelf → data grid/list → drawers/dialogs. +- **Live regions** – Status ticker and SSE progress bars use `aria-live="polite"` with throttling to avoid flooding AT. Error toasts use `aria-live="assertive"` and auto-focus dismiss buttons. +- **Drawers & modals** – Dialog components trap focus, support `Esc` to close, and restore focus to the launching control. Screen readers announce title + purpose. 
+- **Tables & grids** – Large tables (Findings, SBOM inventory) switch to virtualised rows but retain ARIA grid semantics (`aria-rowcount`, `aria-colindex`). Column headers include sorting state via `aria-sort`. +- **Tenancy context** – Tenant badge exposes `aria-describedby` linking to context summary (environment, offline snapshot). Switching tenant queues a polite announcement summarising new scope. +- **Command palette** – Uses `role="dialog"` with search input labelled. Keyboard navigation within results uses `Up/Down`; screen readers announce result category + command. +- **Offline banner** – When offline, a dismissible banner announces reason and includes instructions for CLI fallback. The banner has `role="status"` so it announces once without stealing focus. + +--- + +## 4 · Colour & Focus Tokens + +Console consumes design tokens published by the Console Guild (tracked via CONSOLE-FEAT-23-102). Tokens live in the design system bundle (`ui/design/tokens/colors.json`, mirrored at build time). Key tokens: + +| Token | Purpose | Contrast target | +|-------|---------|-----------------| +| `so-color-surface-base` | Primary surface/background | ≥ 4.5:1 against `so-color-text-primary`. | +| `so-color-surface-raised` | Cards, drawers, modals | ≥ 3:1 against surrounding surfaces. | +| `so-color-text-primary` | Default text colour | ≥ 4.5:1 against base surfaces. | +| `so-color-text-inverted` | Text on accent buttons | ≥ 4.5:1 against accent fills. | +| `so-color-accent-primary` | Action buttons, focus headings | ≥ 3:1 against surface. | +| `so-color-status-critical` | Error toasts, violation chips | ≥ 4.5:1 for text; `critical-bg` provides >3:1 on neutral surface. | +| `so-color-status-warning` | Warning banners | Meets 3:1 on surface and 4.5:1 for text overlays. | +| `so-color-status-success` | Success toasts, pass badges | ≥ 3:1 for iconography; text uses `text-primary`. 
| +| `so-focus-ring` | 2 px outline used across focusable elements | 3:1 against both light/dark surfaces. | + +Colour tokens undergo automated linting (**axe-core contrast checks** + custom luminance script) during build. Any new token must include dark/light variants and pass the token contract tests. + +--- + +## 5 · Testing Workflow + +| Layer | Tooling | Frequency | Notes | +|-------|---------|-----------|-------| +| Component a11y | Storybook + axe-core addon | On PR (story CI) | Fails when axe detects violations. | +| Route regression | Playwright a11y sweep (`pnpm test:a11y`) | Nightly & release pipeline | Executes keyboard navigation, checks focus trap, runs Axe on key routes (Dashboard, Findings, SBOM, Admin). | +| Colour contrast lint | Token validator (`src/Tools/a11y/check-contrast.ts`) | On token change | Guards design token updates. | +| CI parity | Pending `scripts/check-console-cli-parity.sh` (CONSOLE-DOC-23-502) | Release CI | Ensures CLI commands documented for parity features. | +| Screen-reader spot checks | Manual NVDA + VoiceOver scripts | Pre-release checklist | Scenarios: tenant switch, explain drawer, downloads parity copy. | +| Offline smoke | `stella offline kit import` + Playwright sealed-mode run | Prior to Offline Kit cut | Validates offline banners, disabled actions, keyboard flows without Authority. | + +Accessibility QA (CONSOLE-QA-23-402) tracks failing scenarios via Playwright snapshots and publishes reports in the Downloads parity channel (`kind = "parity.report"` placeholder until CLI parity CI lands). + +--- + +## 6 · Offline & Internationalisation Considerations + +- Offline mode surfaces staleness badges and disables remote-only palette entries; keyboard focus skips disabled controls. +- Saved shortcuts, presets, and remaps serialise into Offline Kit bundles so operators can restore preferences post-import. 
+- Locale switching (future feature flag) will load translations at runtime; ensure ARIA labels use i18n tokens rather than hard-coded strings. +- For sealed installs, guidance panels include CLI equivalents (`stella auth fresh-auth`, `stella runs export`) to unblock tasks when Authority is unavailable. + +--- + +## 7 · Compliance Checklist + +- [ ] Keyboard shortcut matrix validated (default + remapped) and documented. +- [ ] Screen-reader pass recorded for tenant switch, Explain drawer, Downloads copy-to-clipboard. +- [ ] Colour tokens audited; contrast reports stored with release artifacts. +- [ ] Automated a11y pipelines (Storybook axe, Playwright a11y) green; failures feed the `#console-qa` channel. +- [ ] Offline kit a11y smoke executed before publishing each bundle. +- [ ] CLI parity gaps logged in `/docs/cli-vs-ui-parity.md`; UI callouts reference fallback commands until parity closes. +- [ ] Accessibility Guild sign-off captured in sprint log and release notes reference this guide. +- [ ] References cross-checked (`/docs/ui/navigation.md`, `/docs/ui/downloads.md`, `/docs/security/console-security.md`, `/docs/observability/ui-telemetry.md`). + +--- + +## 8 · References + +- `/docs/ui/navigation.md` – shortcut definitions, URL schema. +- `/docs/ui/downloads.md` – CLI parity and offline copy workflows. +- `/docs/ui/console-overview.md` – tenant model, filter behaviours. +- `/docs/security/console-security.md` – security metrics and DPoP/fresh-auth requirements. +- `/docs/observability/ui-telemetry.md` – telemetry metrics mapped to accessibility features. +- `/docs/cli-vs-ui-parity.md` – parity status per console feature. +- `CONSOLE-QA-23-402` – Accessibility QA backlog (Playwright + manual checks). +- `CONSOLE-FEAT-23-102` – Design tokens & theming delivery. + +--- + +*Last updated: 2025-10-28 (Sprint 23).* + diff --git a/docs/airgap/airgap-mode.md b/docs/airgap/airgap-mode.md index 909f125d..97161042 100644 --- a/docs/airgap/airgap-mode.md 
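Review bot: as with the previous hunk, docs/accessibility.md is rewritten line for line with no textual change (`@@ -1,131 +1,131 @@`), so this is a line-ending normalization hiding inside a functional commit; please separate it or call it out in the message. Since the hunk re-adds the shortcut tables, two defaults in section 2.1 deserve a second look: `Ctrl T` (tenant picker) is reserved by Chromium and Firefox for opening a new tab and is not delivered to page scripts, and `Ctrl R` (Runs refresh snapshot) shadows the browser's reload; given the guide's remapping feature, pick defaults that do not collide with browser bindings, and rename the "Macs" column header to "macOS".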
+++ b/docs/airgap/airgap-mode.md 
@@ -1,71 +1,71 @@ -# Air-Gapped Mode Playbook - -> Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. - -## Overview - -Air-Gapped Mode is the supported operating profile for deployments with **zero external egress**. All inputs arrive via signed mirror bundles, and every surface (CLI, Console, APIs, schedulers, scanners) operates under sealed-network constraints while preserving Aggregation-Only Contract invariants. - -- **Primary components:** Web Services API, Console, CLI, Orchestrator, Task Runner, Conseiller (Feedser), Excitator (VEXer), Policy Engine, Findings Ledger, Export Center, Authority & Tenancy, Notifications, Observability & Forensics. -- **Surfaces:** offline bootstrap, mirror ingestion, deterministic jobs, offline advisories/VEX/policy packs/notifications, evidence exports. -- **Dependencies:** Export Center, Containerized Distribution, Authority-backed scopes & tenancy, Observability & Forensics, Policy Studio. - -## Guiding principles - -1. **Zero egress:** all outbound network calls are disabled unless explicitly allowed. Any feature requiring online data must degrade gracefully with clear UX messaging. -2. **Deterministic inputs:** the platform accepts only signed Mirror Bundles (advisories, VEX, policy packs, vendor feeds, images, dashboards). Bundles carry provenance attestations and chain-of-custody manifests. -3. **Auditable exchange:** every import/export records provenance, signatures, and operator identity. Evidence bundles and reports remain verifiable offline. -4. **Aggregation-Only Contract compliance:** Conseiller and Excitator continue to aggregate without mutating source records, even when ingesting mirrored feeds. -5. **Operator ergonomics:** offline bootstrap, upgrade, and verification steps are reproducible and scripted. - -## Lifecycle & modes - -| Mode | Description | Tooling | -| --- | --- | --- | -| Connected | Standard deployment with online feeds. 
Operators use Export Center to build mirror bundles for offline environments. | `stella export bundle create --profile mirror:full` | -| Staging mirror | Sealed host that fetches upstream feeds, runs validation, and signs mirror bundles. | Export Center, cosign, bundle validation scripts | -| Air-gapped | Production cluster with egress sealed, consuming validated bundles, issuing provenance for inward/outward transfers. | Mirror import CLI, sealed-mode runtime flags | - -### Installation & bootstrap - -1. Prepare mirror bundles (images, charts, advisories/VEX, policy packs, dashboards, telemetry configs). -2. Transfer bundles via approved media and validate signatures (`cosign verify`, bundle manifest hash). -3. Deploy platform using offline artefacts (`helm install --set airgap.enabled=true`), referencing local registry/object storage. - -### Updates - -1. Staging host generates incremental bundles (mirror delta) with provenance. -2. Offline site imports bundles via the CLI (`stella airgap import --bundle`) and records chain-of-custody. -3. Scheduler triggers replay jobs with deterministic timelines; results remain reproducible across imports. - -## Component responsibilities - -| Component | Offline duties | -| --- | --- | -| Export Center | Produce full/delta mirror bundles, signed manifests, provenance attestations. | -| Authority & Tenancy | Provide offline scope enforcement, short-lived tokens, revocation via local CRLs. | -| Conseiller / Excitator | Ingest mirrored advisories/VEX, enforce AOC, versioned observations. | -| Policy Engine & Findings Ledger | Replay evaluations using offline feeds, emit explain traces, support sealed-mode hints. | -| Notifications | Deliver locally via approved channels (email relay, webhook proxies) or queue for manual export. | -| Observability | Collect metrics/logs/traces locally, generate forensic bundles for external analysis. 
| - -## Operational guardrails - -- **Network policy:** enforce allowlists (`airgap.egressAllowlist=[]`). Any unexpected outbound request raises an alert. -- **Bundle validation:** double-sign manifests (bundle signer + site-specific cosign key); reject on mismatch. -- **Time synchronization:** rely on local NTP or manual clock audits; many signatures require monotonic time. -- **Key rotation:** plan for offline key ceremonies; Export Center and Authority document rotation playbooks. -- **Incident response:** maintain scripts for replaying imports, regenerating manifests, and exporting forensic data without egress. - -## Testing & verification - -- Integration tests mimic offline installs by running with `AIRGAP_ENABLED=true` in CI. -- Mirror bundles include validation scripts to compare hash manifests across staging and production. -- Sealed-mode smoke tests ensure services fail closed when attempting egress. - -## References - -- Export workflows: `docs/modules/export-center/overview.md` -- Policy sealed-mode hints: `docs/policy/overview.md` -- Observability forensic bundles: `docs/modules/telemetry/architecture.md` -- Runtime posture enforcement: `docs/modules/zastava/operations/runtime.md` +# Air-Gapped Mode Playbook + +> Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +## Overview + +Air-Gapped Mode is the supported operating profile for deployments with **zero external egress**. All inputs arrive via signed mirror bundles, and every surface (CLI, Console, APIs, schedulers, scanners) operates under sealed-network constraints while preserving Aggregation-Only Contract invariants. + +- **Primary components:** Web Services API, Console, CLI, Orchestrator, Task Runner, Conseiller (Feedser), Excitator (VEXer), Policy Engine, Findings Ledger, Export Center, Authority & Tenancy, Notifications, Observability & Forensics. 
+- **Surfaces:** offline bootstrap, mirror ingestion, deterministic jobs, offline advisories/VEX/policy packs/notifications, evidence exports. +- **Dependencies:** Export Center, Containerized Distribution, Authority-backed scopes & tenancy, Observability & Forensics, Policy Studio. + +## Guiding principles + +1. **Zero egress:** all outbound network calls are disabled unless explicitly allowed. Any feature requiring online data must degrade gracefully with clear UX messaging. +2. **Deterministic inputs:** the platform accepts only signed Mirror Bundles (advisories, VEX, policy packs, vendor feeds, images, dashboards). Bundles carry provenance attestations and chain-of-custody manifests. +3. **Auditable exchange:** every import/export records provenance, signatures, and operator identity. Evidence bundles and reports remain verifiable offline. +4. **Aggregation-Only Contract compliance:** Conseiller and Excitator continue to aggregate without mutating source records, even when ingesting mirrored feeds. +5. **Operator ergonomics:** offline bootstrap, upgrade, and verification steps are reproducible and scripted. + +## Lifecycle & modes + +| Mode | Description | Tooling | +| --- | --- | --- | +| Connected | Standard deployment with online feeds. Operators use Export Center to build mirror bundles for offline environments. | `stella export bundle create --profile mirror:full` | +| Staging mirror | Sealed host that fetches upstream feeds, runs validation, and signs mirror bundles. | Export Center, cosign, bundle validation scripts | +| Air-gapped | Production cluster with egress sealed, consuming validated bundles, issuing provenance for inward/outward transfers. | Mirror import CLI, sealed-mode runtime flags | + +### Installation & bootstrap + +1. Prepare mirror bundles (images, charts, advisories/VEX, policy packs, dashboards, telemetry configs). +2. Transfer bundles via approved media and validate signatures (`cosign verify`, bundle manifest hash). +3. 
Deploy platform using offline artefacts (`helm install --set airgap.enabled=true`), referencing local registry/object storage. + +### Updates + +1. Staging host generates incremental bundles (mirror delta) with provenance. +2. Offline site imports bundles via the CLI (`stella airgap import --bundle`) and records chain-of-custody. +3. Scheduler triggers replay jobs with deterministic timelines; results remain reproducible across imports. + +## Component responsibilities + +| Component | Offline duties | +| --- | --- | +| Export Center | Produce full/delta mirror bundles, signed manifests, provenance attestations. | +| Authority & Tenancy | Provide offline scope enforcement, short-lived tokens, revocation via local CRLs. | +| Conseiller / Excitator | Ingest mirrored advisories/VEX, enforce AOC, versioned observations. | +| Policy Engine & Findings Ledger | Replay evaluations using offline feeds, emit explain traces, support sealed-mode hints. | +| Notifications | Deliver locally via approved channels (email relay, webhook proxies) or queue for manual export. | +| Observability | Collect metrics/logs/traces locally, generate forensic bundles for external analysis. | + +## Operational guardrails + +- **Network policy:** enforce allowlists (`airgap.egressAllowlist=[]`). Any unexpected outbound request raises an alert. +- **Bundle validation:** double-sign manifests (bundle signer + site-specific cosign key); reject on mismatch. +- **Time synchronization:** rely on local NTP or manual clock audits; many signatures require monotonic time. +- **Key rotation:** plan for offline key ceremonies; Export Center and Authority document rotation playbooks. +- **Incident response:** maintain scripts for replaying imports, regenerating manifests, and exporting forensic data without egress. + +## Testing & verification + +- Integration tests mimic offline installs by running with `AIRGAP_ENABLED=true` in CI. 
+- Mirror bundles include validation scripts to compare hash manifests across staging and production. +- Sealed-mode smoke tests ensure services fail closed when attempting egress. + +## References + +- Export workflows: `docs/modules/export-center/overview.md` +- Policy sealed-mode hints: `docs/policy/overview.md` +- Observability forensic bundles: `docs/modules/telemetry/architecture.md` +- Runtime posture enforcement: `docs/modules/zastava/operations/runtime.md` diff --git a/docs/aoc/aoc-guardrails.md b/docs/aoc/aoc-guardrails.md index 3654d60b..ab7654ec 100644 --- a/docs/aoc/aoc-guardrails.md +++ b/docs/aoc/aoc-guardrails.md 
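Review bot: in the `docs/airgap/airgap-mode.md` hunk every one of the 71 removed lines reappears verbatim on the `+` side, so the whole file is rewritten without a single word changing; that pattern suggests a line-ending or trailing-whitespace normalisation, which wipes `git blame` for the file and makes it impossible to tell from the diff whether anything substantive moved. Commit the normalisation on its own (with a `.gitattributes` rule so it does not recur) or say explicitly in the commit message that this file is whitespace-only. Since the file is being touched anyway, the component names `Conseiller (Feedser)` and `Excitator (VEXer)` in the Overview bullet and in the `Component responsibilities` table do not match the `Concelier` / `Excititor` spelling used in the commit subject and in `docs/aoc/aoc-guardrails.md` (`Concelier and Excititor append immutable observations/linksets`); a rewrite that is meant to "align AOC tasks for Excititor and Concelier" should align the names here too.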
@@ -1,13 +1,13 @@ -# Aggregation-Only Contract (AOC) Guardrails - -The Aggregation-Only Contract keeps ingestion services deterministic and policy-neutral. Use these checkpoints whenever you add or modify backlog items: - -1. **Ingestion writes raw facts only.** Concelier and Excititor append immutable observations/linksets. No precedence, severity, suppression, or "safe fix" hints may be computed at ingest time. -2. **Derived semantics live elsewhere.** Policy Engine overlays, Vuln Explorer composition, and downstream reporting layers attach severity, precedence, policy verdicts, and UI hints. -3. **Provenance is mandatory.** Every ingestion write must include original source metadata, digests, and signing/provenance evidence when available. Reject writes lacking provenance. -4. **Deterministic outputs.** Given the same inputs, ingestion must produce identical documents, hashes, and event payloads across reruns. -5. **Guardrails everywhere.** Roslyn analyzers, schema validators, and CI smoke tests should fail builds that attempt forbidden writes. - -For detailed roles and ownership boundaries, see `AGENTS.md` at the repo root and the module-specific dossiers under `docs/modules//architecture.md`. - -Need the full contract? Read the [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) for schemas, error codes, and migration guidance. +# Aggregation-Only Contract (AOC) Guardrails + +The Aggregation-Only Contract keeps ingestion services deterministic and policy-neutral. Use these checkpoints whenever you add or modify backlog items: + +1. **Ingestion writes raw facts only.** Concelier and Excititor append immutable observations/linksets. No precedence, severity, suppression, or "safe fix" hints may be computed at ingest time. +2. **Derived semantics live elsewhere.** Policy Engine overlays, Vuln Explorer composition, and downstream reporting layers attach severity, precedence, policy verdicts, and UI hints. +3. 
**Provenance is mandatory.** Every ingestion write must include original source metadata, digests, and signing/provenance evidence when available. Reject writes lacking provenance. +4. **Deterministic outputs.** Given the same inputs, ingestion must produce identical documents, hashes, and event payloads across reruns. +5. **Guardrails everywhere.** Roslyn analyzers, schema validators, and CI smoke tests should fail builds that attempt forbidden writes. + +For detailed roles and ownership boundaries, see `AGENTS.md` at the repo root and the module-specific dossiers under `docs/modules//architecture.md`. + +Need the full contract? Read the [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) for schemas, error codes, and migration guidance. diff --git a/docs/api/sdk-openapi-program.md b/docs/api/sdk-openapi-program.md index 66d87d3c..bf8e016b 100644 --- a/docs/api/sdk-openapi-program.md +++ b/docs/api/sdk-openapi-program.md 
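Review bot: the `docs/aoc/aoc-guardrails.md` hunk replaces all 13 lines with text identical to what it removes, so it carries no content change and looks like a line-ending or whitespace rewrite; if that is intended it belongs in a separate commit or at least in the commit message, because the diff as shown hides any real edit. Separately, the ownership sentence points at `docs/modules//architecture.md`, which has an empty path segment between the two slashes where the module name belongs; whatever placeholder was intended has been lost from the source and the reference is unusable as written, so it should be fixed in this rewrite rather than copied forward unchanged.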
@@ -1,51 +1,51 @@ -# SDK & OpenAPI Program - -> Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. - -## Overview - -The SDK & OpenAPI program delivers canonical OpenAPI 3.1 contracts for every Stella Ops surface, plus officially supported SDKs (TypeScript/Node, Python, Go, Java, C#). It ensures backwards-compatible evolution, documentation, and offline availability. - -- **Primary components:** API Gateway, Web Services, Policy Engine, Conseiller, Excitator, Orchestrator, Findings Ledger, Export Center, Authority & Tenancy, Console, CLI. -- **Surfaces:** OpenAPI specs, language SDKs, developer portal, examples, mock server, conformance tests, changelog feeds, deprecation notices. -- **Dependencies:** Authority scopes/tenancy, CLI parity, Export Center, Notifications, Air-Gapped Mode, Observability. - -## Program pillars - -1. **Contract-first:** treat OpenAPI specs as the source of truth. CI validates schemas, compatibility, and documentation generation. -2. **SDK parity:** language SDKs cover the same surfaces with deterministic clients, pagination helpers, and typed models mirroring Aggregation-Only Contract semantics. -3. **Version discipline:** semantic versioning for specs and SDKs, release notes, deprecation windows, and automated change alerts via Notifications. -4. **Offline readiness:** specs and SDK bundles ship in Mirror Bundles for air-gapped environments; examples include smoke tests. -5. **Observability:** telemetry around SDK usage, spec download metrics, and error reporting funnels back into product decisions. - -## Deliverables - -| Workstream | Deliverable | -| --- | --- | -| Spec authoring | Unified OpenAPI 3.1 documents per service plus aggregate spec; lint rules; schema registries. | -| SDK generation | Language-specific clients with idiomatic ergonomics, retries, pagination, long-running operation helpers, unit + integration tests. 
| -| Dev portal | Consolidated documentation, guides, changelog, copy/paste examples, quickstart scripts. | -| Testing | Contract tests against staging, mock server for integration tests, compatibility verification per release. | -| Release ops | Automated CI pipelines, version bump workflows, release notes, deprecation policies. | - -## Guardrails - -- **Aggregation-Only Contract compliance:** SDKs expose raw advisory/VEX objects without hidden merges; all derived fields require explicit Policy Engine calls. -- **Security:** enforce scopes via SDK configuration; redact secrets; support DPoP/mTLS and offline token provisioning. -- **Compatibility:** maintain backwards-compatible paths for at least two minor releases; log warnings on deprecated endpoints. -- **Documentation:** publish examples for common workflows (scan, policy evaluate, export, attestation) with language parity. - -## Roadmap checkpoints - -1. Baseline OpenAPI specs extracted from gateway, validated, and published. -2. TypeScript/Node SDK as pilot, followed by Python and Go. -3. Developer portal launch with SDK docs, quickstarts, and mock server. -4. Offline kit integration (mirror bundles include specs + SDK tarballs). -5. Runtime alerting for breaking changes and dependency vulnerabilities. - -## References - -- API gateway integration: `docs/modules/platform/architecture-overview.md` -- Policy/Findings models: `docs/modules/policy/architecture.md`, `docs/modules/vuln-explorer/architecture.md` -- Export bundle distribution: `docs/modules/export-center/overview.md` -- Offline workflows: `docs/airgap/airgap-mode.md` +# SDK & OpenAPI Program + +> Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +## Overview + +The SDK & OpenAPI program delivers canonical OpenAPI 3.1 contracts for every Stella Ops surface, plus officially supported SDKs (TypeScript/Node, Python, Go, Java, C#). 
It ensures backwards-compatible evolution, documentation, and offline availability. + +- **Primary components:** API Gateway, Web Services, Policy Engine, Conseiller, Excitator, Orchestrator, Findings Ledger, Export Center, Authority & Tenancy, Console, CLI. +- **Surfaces:** OpenAPI specs, language SDKs, developer portal, examples, mock server, conformance tests, changelog feeds, deprecation notices. +- **Dependencies:** Authority scopes/tenancy, CLI parity, Export Center, Notifications, Air-Gapped Mode, Observability. + +## Program pillars + +1. **Contract-first:** treat OpenAPI specs as the source of truth. CI validates schemas, compatibility, and documentation generation. +2. **SDK parity:** language SDKs cover the same surfaces with deterministic clients, pagination helpers, and typed models mirroring Aggregation-Only Contract semantics. +3. **Version discipline:** semantic versioning for specs and SDKs, release notes, deprecation windows, and automated change alerts via Notifications. +4. **Offline readiness:** specs and SDK bundles ship in Mirror Bundles for air-gapped environments; examples include smoke tests. +5. **Observability:** telemetry around SDK usage, spec download metrics, and error reporting funnels back into product decisions. + +## Deliverables + +| Workstream | Deliverable | +| --- | --- | +| Spec authoring | Unified OpenAPI 3.1 documents per service plus aggregate spec; lint rules; schema registries. | +| SDK generation | Language-specific clients with idiomatic ergonomics, retries, pagination, long-running operation helpers, unit + integration tests. | +| Dev portal | Consolidated documentation, guides, changelog, copy/paste examples, quickstart scripts. | +| Testing | Contract tests against staging, mock server for integration tests, compatibility verification per release. | +| Release ops | Automated CI pipelines, version bump workflows, release notes, deprecation policies. 
| + +## Guardrails + +- **Aggregation-Only Contract compliance:** SDKs expose raw advisory/VEX objects without hidden merges; all derived fields require explicit Policy Engine calls. +- **Security:** enforce scopes via SDK configuration; redact secrets; support DPoP/mTLS and offline token provisioning. +- **Compatibility:** maintain backwards-compatible paths for at least two minor releases; log warnings on deprecated endpoints. +- **Documentation:** publish examples for common workflows (scan, policy evaluate, export, attestation) with language parity. + +## Roadmap checkpoints + +1. Baseline OpenAPI specs extracted from gateway, validated, and published. +2. TypeScript/Node SDK as pilot, followed by Python and Go. +3. Developer portal launch with SDK docs, quickstarts, and mock server. +4. Offline kit integration (mirror bundles include specs + SDK tarballs). +5. Runtime alerting for breaking changes and dependency vulnerabilities. + +## References + +- API gateway integration: `docs/modules/platform/architecture-overview.md` +- Policy/Findings models: `docs/modules/policy/architecture.md`, `docs/modules/vuln-explorer/architecture.md` +- Export bundle distribution: `docs/modules/export-center/overview.md` +- Offline workflows: `docs/airgap/airgap-mode.md` diff --git a/docs/cli-vs-ui-parity.md b/docs/cli-vs-ui-parity.md index 5cc259c2..c3b79f8f 100644 --- a/docs/cli-vs-ui-parity.md +++ b/docs/cli-vs-ui-parity.md 
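Review bot: the `docs/api/sdk-openapi-program.md` hunk is another whole-file replacement in which the `+` lines are byte-for-byte the `-` lines, so the same whitespace-only concern applies and the commit message should say so. Two content points worth fixing while the file is open: the Security guardrail reads `enforce scopes via SDK configuration`, but an SDK cannot enforce scopes, it can only request them; enforcement is Authority's job on the server, and the sentence should say the SDK requests least-privilege scopes and Authority enforces them, otherwise readers may treat client configuration as a control. And the Primary components list uses `Conseiller, Excitator`, which disagrees with the `Concelier` / `Excititor` spelling this commit is supposedly aligning.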
@@ -1,155 +1,155 @@ -# Console CLI ↔ UI Parity Matrix - -> **Audience:** Docs Guild, Console Guild, CLI Guild, DevOps automation. -> **Scope:** Track feature-level parity between the StellaOps Console and the `stella` CLI, surface pending work, and describe the parity CI check owned by CONSOLE-DOC-23-502. - -Status key: - -- **✅ Available** – command exists in `StellaOps.Cli` and is documented. -- **🟡 In progress** – command implemented but still under active delivery (task status `DOING`). -- **🟩 Planned** – command spec’d but not yet implemented (task `TODO`). -- **⚪ UI-only** – no CLI equivalent required. -- **🔴 Gap** – CLI feature missing with no active task; file a task before sprint exit. - ---- - -## 1 · Navigation & Tenancy - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Login / token cache status (`/console/profile`) | `stella auth login`, `stella auth status`, `stella auth whoami` | ✅ Available | Command definitions in `CommandFactory.BuildAuthCommand`. | -| Fresh-auth challenge for sensitive actions | `stella auth fresh-auth` | ✅ Available | Referenced in `/docs/ui/admin.md`. | -| Tenant switcher (UI shell) | `--tenant` flag across CLI commands | ✅ Available | All multi-tenant commands require explicit `--tenant`. | -| Tenant creation / suspension | *(pending CLI)* | 🟩 Planned | No `stella auth tenant *` commands yet – track via `CLI-TEN-47-001` (scopes & tenancy). | - ---- - -## 2 · Policies & Findings - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Policy simulation diff, explain | `stella policy simulate` | 🟡 In progress | Implementation present; task `CLI-POLICY-20-002` marked DOING. | -| Promote / activate policy | `stella policy promote`, `stella policy activate` | 🟩 Planned | Spec tracked under `CLI-POLICY-23-005`. 
| -| History & explain trees | `stella policy history`, `stella policy explain` | 🟩 Planned | `CLI-POLICY-23-006`. | -| Findings explorer export | `stella findings get`, `stella findings export` | 🟩 Planned | Part of `CLI-POLICY-20-003`. | -| Explain drawer JSON | `stella policy simulate --format json` | 🟡 In progress | Same command; JSON output flagged for CLI tests. | - ---- - -## 3 · Runs & Evidence - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Run retry / cancel | `stella runs retry`, `stella runs cancel` | 🟩 Planned | Included in export suite task `CLI-EXPORT-35-001`. | -| Manual run submit / preview | `stella runs submit`, `stella runs preview` | 🟩 Planned | `CLI-EXPORT-35-001`. | -| Evidence bundle export | `stella runs export --run --bundle` | 🟩 Planned | `CLI-EXPORT-35-001`. | -| Run status polling | `stella runs status` | 🟩 Planned | Same task. | - ---- - -## 4 · Advisories, VEX, SBOM - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Advisory observations search | `stella vuln observations` | ✅ Available | Implemented via `BuildVulnCommand`. | -| Advisory linkset export | `stella advisory linkset show/export` | 🟩 Planned | `CLI-LNM-22-001`. | -| VEX observations / linksets | `stella vex obs get/linkset show` | 🟩 Planned | `CLI-LNM-22-002`. | -| SBOM overlay export | `stella sbom overlay apply/export` | 🟩 Planned | Scoped to upcoming SBOM CLI sprint (`SBOM-CONSOLE-23-001/002` + CLI backlog). | - ---- - -## 5 · Downloads & Offline Kit - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Manifest lookup (Console Downloads) | `stella downloads manifest show --artifact ` | 🟩 Planned | Delivered with `CONSOLE-DOC-23-502` + CLI parity commands. 
| -| Mirror digest to OCI archive | `stella downloads mirror --artifact --to ` | 🟩 Planned | Same task bundle (`CONSOLE-DOC-23-502`). | -| Console health check | `stella console status --endpoint ` | 🟩 Planned | Tracked in `CONSOLE-DOC-23-502`; interim use `curl` as documented. | -| Offline kit import/export | `stella offline kit import`, `stella offline kit export` | ✅ Available | Implemented (see `CommandHandlers.HandleOfflineKitImportAsync/HandleOfflineKitPullAsync`). | - ---- - -## 6 · Admin & Security - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Client creation / rotation | `stella auth client create` *(planned)* | 🟩 Planned | Pending tenancy backlog `CLI-TEN-47-001`. | -| Token revoke | `stella auth revoke export/verify` | ✅ Available | Already implemented. | -| Audit export | `stella auth audit export` | 🟩 Planned | Needs CLI work item (Authority guild). | -| Signing key rotation | `stella auth signing rotate` | 🟩 Planned | To be added with AUTH-CONSOLE-23-003 follow-up. | - ---- - -## 7 · Telemetry & Observability - -| UI capability | CLI command(s) | Status | Notes / Tasks | -|---------------|----------------|--------|---------------| -| Telemetry dashboard parity | `stella obs top`, `stella obs trace`, `stella obs logs` | 🟩 Planned | CLI observability epic (`CLI-OBS-51-001`, `CLI-OBS-52-001`). | -| Incident mode toggle | `stella obs incident-mode enable|disable|status` | 🟩 Planned | CLI task `CLI-OBS-55-001`. | -| Verify console telemetry health | `stella console status --telemetry` | 🟩 Planned | Part of `CONSOLE-DOC-23-502`. | - ---- - -## 8 · Parity Gaps & Follow-up - -- **Tenant and client lifecycle CLI**: create/suspend tenants, manage clients. Coordinate with Authority CLI epic (`CLI-TEN-47-001`, `CLI-TEN-49-001`). -- **Downloads parity commands**: blocked on `CONSOLE-DOC-23-502` and DevOps pipeline `DOWNLOADS-CONSOLE-23-001`. 
-- **Policy promotion/history**: requires completion of CLI policy epic (`CLI-POLICY-23-005`/`23-006`). -- **Runs/evidence exports**: waiting on `CLI-EXPORT-35-001`. -- **Observability tooling**: deliver `stella obs` commands before enabling parity CI checks for telemetry. - -Document updates should occur whenever a row changes status. When promoting a command from Planned → Available, ensure: - -1. CLI command merged with help text. -2. Relevant UI doc references updated to remove “pending” callouts. -3. This matrix row status updated to ✅ and task IDs moved to release notes. - ---- - -## 9 · Parity CI Check (CONSOLE-DOC-23-502) - -- **Owner:** Docs Guild + DevEx/CLI Guild. -- **Artefact:** Planned `.gitea/workflows/cli-parity-console.yml`. -- **What it does:** Runs `scripts/check-console-cli-parity.sh` (to be committed with the workflow) which: - 1. Parses this matrix (YAML view exported from Markdown) to identify rows marked ✅. - 2. Executes `stella --help` to confirm listed commands exist. - 3. Optionally triggers smoke commands in sandbox mode (e.g., `stella policy simulate --help`). -- **Failure action:** Workflow fails when a listed command is missing or when a row marked ✅ still contains “pending” notes. Update the matrix or fix CLI implementation before merging. - -Until the workflow lands, run the checker locally: - -```bash -# Pending CONSOLE-DOC-23-502 – placeholder command -./scripts/check-console-cli-parity.sh -``` - -The script should emit a parity report that feeds into the Downloads workspace (`kind = "parity.report"`). - ---- - -## 10 · Compliance checklist - -- [ ] Matrix reflects latest command availability (statuses accurate, task IDs linked). -- [ ] Notes include owning backlog items for every 🟩 / 🟡 row. -- [ ] CLI commands marked ✅ have corresponding entries in `/docs/modules/cli/guides/*.md` or module-specific docs. -- [ ] CI parity workflow description kept in sync with CONSOLE-DOC-23-502 implementation. 
-- [ ] Downloads workspace links to latest parity report. -- [ ] Install / observability guides reference this matrix for pending CLI parity. -- [ ] Offline workflows capture CLI fallbacks when commands are pending. -- [ ] Docs Guild review recorded in sprint log once parity CI lands. - ---- - -## 11 · References - -- `/docs/ui/*.md` – per-surface UI parity callouts. -- `/docs/install/docker.md` – CLI parity section for deployments. -- `/docs/observability/ui-telemetry.md` – telemetry metrics referencing CLI checks. -- `/docs/security/console-security.md` – security metrics & CLI parity expectations. -- `src/Cli/StellaOps.Cli/TASKS.md` – authoritative status for CLI backlog. -- `/docs/updates/2025-10-28-docs-guild.md` – coordination note for Authority/Security follow-up. - ---- - -*Last updated: 2025-10-28 (Sprint 23).* - +# Console CLI ↔ UI Parity Matrix + +> **Audience:** Docs Guild, Console Guild, CLI Guild, DevOps automation. +> **Scope:** Track feature-level parity between the StellaOps Console and the `stella` CLI, surface pending work, and describe the parity CI check owned by CONSOLE-DOC-23-502. + +Status key: + +- **✅ Available** – command exists in `StellaOps.Cli` and is documented. +- **🟡 In progress** – command implemented but still under active delivery (task status `DOING`). +- **🟩 Planned** – command spec’d but not yet implemented (task `TODO`). +- **⚪ UI-only** – no CLI equivalent required. +- **🔴 Gap** – CLI feature missing with no active task; file a task before sprint exit. + +--- + +## 1 · Navigation & Tenancy + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Login / token cache status (`/console/profile`) | `stella auth login`, `stella auth status`, `stella auth whoami` | ✅ Available | Command definitions in `CommandFactory.BuildAuthCommand`. | +| Fresh-auth challenge for sensitive actions | `stella auth fresh-auth` | ✅ Available | Referenced in `/docs/ui/admin.md`. 
| +| Tenant switcher (UI shell) | `--tenant` flag across CLI commands | ✅ Available | All multi-tenant commands require explicit `--tenant`. | +| Tenant creation / suspension | *(pending CLI)* | 🟩 Planned | No `stella auth tenant *` commands yet – track via `CLI-TEN-47-001` (scopes & tenancy). | + +--- + +## 2 · Policies & Findings + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Policy simulation diff, explain | `stella policy simulate` | 🟡 In progress | Implementation present; task `CLI-POLICY-20-002` marked DOING. | +| Promote / activate policy | `stella policy promote`, `stella policy activate` | 🟩 Planned | Spec tracked under `CLI-POLICY-23-005`. | +| History & explain trees | `stella policy history`, `stella policy explain` | 🟩 Planned | `CLI-POLICY-23-006`. | +| Findings explorer export | `stella findings get`, `stella findings export` | 🟩 Planned | Part of `CLI-POLICY-20-003`. | +| Explain drawer JSON | `stella policy simulate --format json` | 🟡 In progress | Same command; JSON output flagged for CLI tests. | + +--- + +## 3 · Runs & Evidence + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Run retry / cancel | `stella runs retry`, `stella runs cancel` | 🟩 Planned | Included in export suite task `CLI-EXPORT-35-001`. | +| Manual run submit / preview | `stella runs submit`, `stella runs preview` | 🟩 Planned | `CLI-EXPORT-35-001`. | +| Evidence bundle export | `stella runs export --run --bundle` | 🟩 Planned | `CLI-EXPORT-35-001`. | +| Run status polling | `stella runs status` | 🟩 Planned | Same task. | + +--- + +## 4 · Advisories, VEX, SBOM + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Advisory observations search | `stella vuln observations` | ✅ Available | Implemented via `BuildVulnCommand`. 
| +| Advisory linkset export | `stella advisory linkset show/export` | 🟩 Planned | `CLI-LNM-22-001`. | +| VEX observations / linksets | `stella vex obs get/linkset show` | 🟩 Planned | `CLI-LNM-22-002`. | +| SBOM overlay export | `stella sbom overlay apply/export` | 🟩 Planned | Scoped to upcoming SBOM CLI sprint (`SBOM-CONSOLE-23-001/002` + CLI backlog). | + +--- + +## 5 · Downloads & Offline Kit + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Manifest lookup (Console Downloads) | `stella downloads manifest show --artifact ` | 🟩 Planned | Delivered with `CONSOLE-DOC-23-502` + CLI parity commands. | +| Mirror digest to OCI archive | `stella downloads mirror --artifact --to ` | 🟩 Planned | Same task bundle (`CONSOLE-DOC-23-502`). | +| Console health check | `stella console status --endpoint ` | 🟩 Planned | Tracked in `CONSOLE-DOC-23-502`; interim use `curl` as documented. | +| Offline kit import/export | `stella offline kit import`, `stella offline kit export` | ✅ Available | Implemented (see `CommandHandlers.HandleOfflineKitImportAsync/HandleOfflineKitPullAsync`). | + +--- + +## 6 · Admin & Security + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Client creation / rotation | `stella auth client create` *(planned)* | 🟩 Planned | Pending tenancy backlog `CLI-TEN-47-001`. | +| Token revoke | `stella auth revoke export/verify` | ✅ Available | Already implemented. | +| Audit export | `stella auth audit export` | 🟩 Planned | Needs CLI work item (Authority guild). | +| Signing key rotation | `stella auth signing rotate` | 🟩 Planned | To be added with AUTH-CONSOLE-23-003 follow-up. 
| + +--- + +## 7 · Telemetry & Observability + +| UI capability | CLI command(s) | Status | Notes / Tasks | +|---------------|----------------|--------|---------------| +| Telemetry dashboard parity | `stella obs top`, `stella obs trace`, `stella obs logs` | 🟩 Planned | CLI observability epic (`CLI-OBS-51-001`, `CLI-OBS-52-001`). | +| Incident mode toggle | `stella obs incident-mode enable|disable|status` | 🟩 Planned | CLI task `CLI-OBS-55-001`. | +| Verify console telemetry health | `stella console status --telemetry` | 🟩 Planned | Part of `CONSOLE-DOC-23-502`. | + +--- + +## 8 · Parity Gaps & Follow-up + +- **Tenant and client lifecycle CLI**: create/suspend tenants, manage clients. Coordinate with Authority CLI epic (`CLI-TEN-47-001`, `CLI-TEN-49-001`). +- **Downloads parity commands**: blocked on `CONSOLE-DOC-23-502` and DevOps pipeline `DOWNLOADS-CONSOLE-23-001`. +- **Policy promotion/history**: requires completion of CLI policy epic (`CLI-POLICY-23-005`/`23-006`). +- **Runs/evidence exports**: waiting on `CLI-EXPORT-35-001`. +- **Observability tooling**: deliver `stella obs` commands before enabling parity CI checks for telemetry. + +Document updates should occur whenever a row changes status. When promoting a command from Planned → Available, ensure: + +1. CLI command merged with help text. +2. Relevant UI doc references updated to remove “pending” callouts. +3. This matrix row status updated to ✅ and task IDs moved to release notes. + +--- + +## 9 · Parity CI Check (CONSOLE-DOC-23-502) + +- **Owner:** Docs Guild + DevEx/CLI Guild. +- **Artefact:** Planned `.gitea/workflows/cli-parity-console.yml`. +- **What it does:** Runs `scripts/check-console-cli-parity.sh` (to be committed with the workflow) which: + 1. Parses this matrix (YAML view exported from Markdown) to identify rows marked ✅. + 2. Executes `stella --help` to confirm listed commands exist. + 3. Optionally triggers smoke commands in sandbox mode (e.g., `stella policy simulate --help`). 
+- **Failure action:** Workflow fails when a listed command is missing or when a row marked ✅ still contains “pending” notes. Update the matrix or fix CLI implementation before merging. + +Until the workflow lands, run the checker locally: + +```bash +# Pending CONSOLE-DOC-23-502 – placeholder command +./scripts/check-console-cli-parity.sh +``` + +The script should emit a parity report that feeds into the Downloads workspace (`kind = "parity.report"`). + +--- + +## 10 · Compliance checklist + +- [ ] Matrix reflects latest command availability (statuses accurate, task IDs linked). +- [ ] Notes include owning backlog items for every 🟩 / 🟡 row. +- [ ] CLI commands marked ✅ have corresponding entries in `/docs/modules/cli/guides/*.md` or module-specific docs. +- [ ] CI parity workflow description kept in sync with CONSOLE-DOC-23-502 implementation. +- [ ] Downloads workspace links to latest parity report. +- [ ] Install / observability guides reference this matrix for pending CLI parity. +- [ ] Offline workflows capture CLI fallbacks when commands are pending. +- [ ] Docs Guild review recorded in sprint log once parity CI lands. + +--- + +## 11 · References + +- `/docs/ui/*.md` – per-surface UI parity callouts. +- `/docs/install/docker.md` – CLI parity section for deployments. +- `/docs/observability/ui-telemetry.md` – telemetry metrics referencing CLI checks. +- `/docs/security/console-security.md` – security metrics & CLI parity expectations. +- `src/Cli/StellaOps.Cli/TASKS.md` – authoritative status for CLI backlog. +- `/docs/updates/2025-10-28-docs-guild.md` – coordination note for Authority/Security follow-up. + +--- + +*Last updated: 2025-10-28 (Sprint 23).* + diff --git a/docs/concelier-connector-research-20251011.md b/docs/concelier-connector-research-20251011.md index 15bf2a9a..d1478d01 100644 --- a/docs/concelier-connector-research-20251011.md +++ b/docs/concelier-connector-research-20251011.md 
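Review bot: the "Incident mode toggle" row in section 7 has unescaped pipes inside `stella obs incident-mode enable|disable|status`, which will split that cell into extra columns when the Markdown table renders; escape them as `enable\|disable\|status` or write the subcommands out as separate words. Also in section 6, the row labelled "Token revoke" points at `stella auth revoke export/verify`, which export and verify revocation data rather than revoke a token, so either the label or the command column should be corrected before the row is treated as ✅ by the parity checker.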
@@ -1,43 +1,43 @@ -# Concelier Connector Research – 2025-10-11 - -Snapshot of direct network checks performed on 2025-10-11 (UTC) for the national/vendor connectors in scope. Use alongside each module’s `TASKS.md` notes. - -## ACSC (Australia) -- Enumerated feed slugs `/acsc/view-all-content/{alerts,advisories,news,publications,threats}/rss`; every endpoint negotiates HTTP/2 then aborts with `INTERNAL_ERROR` (curl exit 92). Forcing HTTP/1.1 hangs >600 s and sitemap/HTML fetches fail the same way. -- Next actions: prototype `SocketsHttpHandler` settings (`RequestVersionOrLower`, allow fallback to relay), capture successful headers from partner vantage (need retention + cache semantics), and keep `FEEDCONN-SHARED-HTTP2-001` open for downgrade work. - -## CCCS (Canada) -- JSON endpoint (`https://www.cyber.gc.ca/api/cccs/threats/v1/get?lang=&content_type=cccs_threat`) returns ~5 100 records per language; `page=` still works for segmented pulls and the earliest `date_created` seen is 2018‑06‑08 (EN) / 2018‑06‑08 (FR). Use an explicit `User-Agent` to avoid 403 responses. -- Follow-up: telemetry, sanitiser coverage, and backfill procedures are documented in `docs/modules/concelier/operations/connectors/cccs.md` (2025‑10‑15). Adjust `maxEntriesPerFetch` when performing historical sweeps so cursor state remains responsive. - -## CERT-Bund (Germany) -- `https://wid.cert-bund.de/content/public/securityAdvisory/rss` responds 200 without cookies (≈250-item window, German taxonomy). Detail links load an Angular SPA that fetches JSON behind the bootstrap session. -- Confirmed `GET https://wid.cert-bund.de/portal/api/securityadvisory?name=` returns JSON once the portal cookie container is primed; payload includes severity, CVEs, products, and references used by the connector fixtures. 
-- Historical advisories accessible through the SPA search/export endpoints once the `XSRF-TOKEN` cookie (exposed via `GET /portal/api/security/csrf`) is supplied with the `X-XSRF-TOKEN` header: - - `POST /portal/api/securityadvisory/search` (`{"page":N,"size":100,"sort":["published,desc"]}`) pages data back to 2014. - - `GET /portal/api/securityadvisory/export?format=json&from=YYYY-MM-DD` emits JSON bundles suitable for Offline Kit mirrors. -- Locale note: content is German-only; Concelier preserves `language=de` and Docs will publish a CERT-Bund glossary so operators can bridge terminology without machine translation. - -## KISA / KNVD (Korea) -- `https://knvd.krcert.or.kr/rss/securityInfo.do` and `/rss/securityNotice.do` return UTF-8 RSS (10-item window) with `detailDos.do?IDX=` links. No cookies required for feed fetch. -- Detail SPA calls resolve to `rssDetailData.do?IDX=` JSON payloads; connector fetches those directly, sanitises HTML, and records Hangul metadata (NFC). See `docs/dev/kisa_connector_notes.md` for telemetry + localisation guidance. - -## BDU (Russia / FSTEC) -- Candidate endpoints (`https://bdu.fstec.ru/component/rsform/form/7-bdu?format=xml/json`) return 403/404; TLS chain requires Russian Trusted Sub CA and WAF expects additional headers. -- Next actions: acquire official PEM chain, point `concelier:httpClients:source.bdu:trustedRootPaths` (or `concelier:sources:bdu:http:trustedRootPaths`) at the Offline Kit PEM, keep `allowInvalidCertificates=false`, script session bootstrap, then capture RSS/HTML schema for parser work. - -## NKTsKI / cert.gov.ru (Russia) -- `https://cert.gov.ru/rss/advisories.xml` served via Bitrix returns 403/404 even with `Accept-Language: ru-RU`; TLS chain also requires Russian trust anchors. 
-- Next actions: source trust store, configure `concelier:httpClients:source.nkcki:trustedRootPaths` (Offline Kit root via `concelier:offline:root`), prepare proxy fallback, and once accessible document taxonomy/retention plus attachment handling. - -## CISA ICS (United States) -- `curl -I https://www.cisa.gov/cybersecurity-advisories/ics-advisories.xml` returns HTTP 403 + `x-reference-error` (Akamai). Same for legacy feed paths. -- Next actions: secure GovDelivery access, document token rotation, and build HTML/email fallback with throttling. - -## Cisco PSIRT -- `https://api.cisco.com/security/advisories/latest` returns `ERR_596_SERVICE_NOT_FOUND` when unauthenticated. openVuln REST requires Mashery OAuth (client credentials) with quotas ~5 req/s, 30/min, 5 000/day; supports `pageIndex/pageSize` pagination. -- Next actions: register OAuth app, capture pagination/delta parameters, and compare API vs RSS coverage. - -## Microsoft MSRC -- REST endpoint (`https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerabilities`) requires Azure AD token + `api-version` (current `2024-08-01`) and supports delta filters (`lastModifiedStartDateTime`). CVRF ZIP remains available for offline use. -- Next actions: finalise AAD app registration, implement token cache, and design combined REST+CVRF ingestion path for determinism. +# Concelier Connector Research – 2025-10-11 + +Snapshot of direct network checks performed on 2025-10-11 (UTC) for the national/vendor connectors in scope. Use alongside each module’s `TASKS.md` notes. + +## ACSC (Australia) +- Enumerated feed slugs `/acsc/view-all-content/{alerts,advisories,news,publications,threats}/rss`; every endpoint negotiates HTTP/2 then aborts with `INTERNAL_ERROR` (curl exit 92). Forcing HTTP/1.1 hangs >600 s and sitemap/HTML fetches fail the same way. 
+- Next actions: prototype `SocketsHttpHandler` settings (`RequestVersionOrLower`, allow fallback to relay), capture successful headers from partner vantage (need retention + cache semantics), and keep `FEEDCONN-SHARED-HTTP2-001` open for downgrade work. + +## CCCS (Canada) +- JSON endpoint (`https://www.cyber.gc.ca/api/cccs/threats/v1/get?lang=&content_type=cccs_threat`) returns ~5 100 records per language; `page=` still works for segmented pulls and the earliest `date_created` seen is 2018‑06‑08 (EN) / 2018‑06‑08 (FR). Use an explicit `User-Agent` to avoid 403 responses. +- Follow-up: telemetry, sanitiser coverage, and backfill procedures are documented in `docs/modules/concelier/operations/connectors/cccs.md` (2025‑10‑15). Adjust `maxEntriesPerFetch` when performing historical sweeps so cursor state remains responsive. + +## CERT-Bund (Germany) +- `https://wid.cert-bund.de/content/public/securityAdvisory/rss` responds 200 without cookies (≈250-item window, German taxonomy). Detail links load an Angular SPA that fetches JSON behind the bootstrap session. +- Confirmed `GET https://wid.cert-bund.de/portal/api/securityadvisory?name=` returns JSON once the portal cookie container is primed; payload includes severity, CVEs, products, and references used by the connector fixtures. +- Historical advisories accessible through the SPA search/export endpoints once the `XSRF-TOKEN` cookie (exposed via `GET /portal/api/security/csrf`) is supplied with the `X-XSRF-TOKEN` header: + - `POST /portal/api/securityadvisory/search` (`{"page":N,"size":100,"sort":["published,desc"]}`) pages data back to 2014. + - `GET /portal/api/securityadvisory/export?format=json&from=YYYY-MM-DD` emits JSON bundles suitable for Offline Kit mirrors. +- Locale note: content is German-only; Concelier preserves `language=de` and Docs will publish a CERT-Bund glossary so operators can bridge terminology without machine translation. 
+ +## KISA / KNVD (Korea) +- `https://knvd.krcert.or.kr/rss/securityInfo.do` and `/rss/securityNotice.do` return UTF-8 RSS (10-item window) with `detailDos.do?IDX=` links. No cookies required for feed fetch. +- Detail SPA calls resolve to `rssDetailData.do?IDX=` JSON payloads; connector fetches those directly, sanitises HTML, and records Hangul metadata (NFC). See `docs/dev/kisa_connector_notes.md` for telemetry + localisation guidance. + +## BDU (Russia / FSTEC) +- Candidate endpoints (`https://bdu.fstec.ru/component/rsform/form/7-bdu?format=xml/json`) return 403/404; TLS chain requires Russian Trusted Sub CA and WAF expects additional headers. +- Next actions: acquire official PEM chain, point `concelier:httpClients:source.bdu:trustedRootPaths` (or `concelier:sources:bdu:http:trustedRootPaths`) at the Offline Kit PEM, keep `allowInvalidCertificates=false`, script session bootstrap, then capture RSS/HTML schema for parser work. + +## NKTsKI / cert.gov.ru (Russia) +- `https://cert.gov.ru/rss/advisories.xml` served via Bitrix returns 403/404 even with `Accept-Language: ru-RU`; TLS chain also requires Russian trust anchors. +- Next actions: source trust store, configure `concelier:httpClients:source.nkcki:trustedRootPaths` (Offline Kit root via `concelier:offline:root`), prepare proxy fallback, and once accessible document taxonomy/retention plus attachment handling. + +## CISA ICS (United States) +- `curl -I https://www.cisa.gov/cybersecurity-advisories/ics-advisories.xml` returns HTTP 403 + `x-reference-error` (Akamai). Same for legacy feed paths. +- Next actions: secure GovDelivery access, document token rotation, and build HTML/email fallback with throttling. + +## Cisco PSIRT +- `https://api.cisco.com/security/advisories/latest` returns `ERR_596_SERVICE_NOT_FOUND` when unauthenticated. openVuln REST requires Mashery OAuth (client credentials) with quotas ~5 req/s, 30/min, 5 000/day; supports `pageIndex/pageSize` pagination. 
+- Next actions: register OAuth app, capture pagination/delta parameters, and compare API vs RSS coverage. + +## Microsoft MSRC +- REST endpoint (`https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerabilities`) requires Azure AD token + `api-version` (current `2024-08-01`) and supports delta filters (`lastModifiedStartDateTime`). CVRF ZIP remains available for offline use. +- Next actions: finalise AAD app registration, implement token cache, and design combined REST+CVRF ingestion path for determinism. diff --git a/docs/deploy/console.md b/docs/deploy/console.md index b28d156e..8024e3d4 100644 --- a/docs/deploy/console.md +++ b/docs/deploy/console.md 
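Review bot: every line of docs/concelier-connector-research-20251011.md is removed and re-added with identical text (-1,43 +1,43), which points to a line-ending or trailing-whitespace change rather than a content edit; normalise endings through `.gitattributes` (for example `*.md text eol=lf`) in a separate commit so the AOC alignment edits in this patch stay reviewable. The BDU and NKTsKI bullets rightly pair a pinned `trustedRootPaths` chain with `allowInvalidCertificates=false`; keep that wording intact when the file is next edited for content.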
@@ -1,228 +1,228 @@ -# Deploying the StellaOps Console - -> **Audience:** Deployment Guild, Console Guild, operators rolling out the web console. -> **Scope:** Helm and Docker Compose deployment steps, ingress/TLS configuration, required environment variables, health checks, offline/air-gap operation, and compliance checklist (Sprint 23). - -The StellaOps Console ships as part of the `stellaops` stack Helm chart and Compose bundles maintained under `deploy/`. This guide describes the supported deployment paths, the configuration surface, and operational checks needed to run the console in connected or air-gapped environments. - ---- - -## 1. Prerequisites - -- Kubernetes cluster (v1.28+) with ingress controller (NGINX, Traefik, or equivalent) and Cert-Manager for automated TLS, or Docker host for Compose deployments. -- Container registry access to `registry.stella-ops.org` (or mirrored registry) for all images listed in `deploy/releases/*.yaml`. -- Authority service configured with console client (`aud=ui`, scopes `ui.read`, `ui.admin`). -- DNS entry pointing to the console hostname (for example, `console.acme.internal`). -- Cosign public key for manifest verification (`deploy/releases/manifest.json.sig`). -- Optional: Offline Kit bundle for air-gapped sites (`stella-ops-offline-kit-.tar.gz`). - ---- - -## 2. 
Helm deployment (recommended) - -### 2.1 Install chart repository - -```bash -helm repo add stellaops https://downloads.stella-ops.org/helm -helm repo update stellaops -``` - -If operating offline, copy the chart archive from the Offline Kit (`deploy/helm/stellaops-.tgz`) and run: - -```bash -helm install stellaops ./stellaops-.tgz --namespace stellaops --create-namespace -``` - -### 2.2 Base installation - -```bash -helm install stellaops stellaops/stellaops \ - --namespace stellaops \ - --create-namespace \ - --values deploy/helm/stellaops/values-prod.yaml -``` - -The chart deploys Authority, Console web/API gateway, Scanner API, Scheduler, and supporting services. The console frontend pod is labelled `app=stellaops-web-ui`. - -### 2.3 Helm values highlights - -Key sections in `deploy/helm/stellaops/values-prod.yaml`: - -| Path | Description | -|------|-------------| -| `console.ingress.host` | Hostname served by the console (`console.example.com`). | -| `console.ingress.tls.secretName` | Kubernetes secret containing TLS certificate (generated by Cert-Manager or uploaded manually). | -| `console.config.apiGateway.baseUrl` | Internal base URL the UI uses to reach the gateway (defaults to `https://stellaops-web`). | -| `console.env.AUTHORITY_ISSUER` | Authority issuer URL (for example, `https://authority.example.com`). | -| `console.env.AUTHORITY_CLIENT_ID` | Authority client ID for the console UI. | -| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). | -| `console.resources` | CPU/memory requests and limits (default 250m CPU / 512Mi memory). | -| `console.podAnnotations` | Optional annotations for service mesh or monitoring. | - -Use `values-stage.yaml`, `values-dev.yaml`, or `values-airgap.yaml` as templates for other environments. 
- -### 2.4 TLS and ingress - -Example ingress override: - -```yaml -console: - ingress: - enabled: true - className: nginx - host: console.acme.internal - tls: - enabled: true - secretName: console-tls -``` - -Generate certificates using Cert-Manager or provide an existing secret. For air-gapped deployments, pre-create the secret with the mirrored CA chain. - -### 2.5 Health checks - -Console pods expose: - -| Path | Purpose | Notes | -|------|---------|-------| -| `/health/live` | Liveness probe | Confirms process responsive. | -| `/health/ready` | Readiness probe | Verifies configuration bootstrap and Authority reachability. | -| `/metrics` | Prometheus metrics | Enabled when `console.metrics.enabled=true`. | - -Helm chart sets default probes (`initialDelaySeconds: 10`, `periodSeconds: 15`). Adjust via `console.livenessProbe` and `console.readinessProbe`. - ---- - -## 3. Docker Compose deployment - -Located in `deploy/compose/docker-compose.console.yaml`. Quick start: - -```bash -cd deploy/compose -docker compose -f docker-compose.console.yaml --env-file console.env up -d -``` - -`console.env` should define: - -``` -CONSOLE_PUBLIC_BASE_URL=https://console.acme.internal -AUTHORITY_ISSUER=https://authority.acme.internal -AUTHORITY_CLIENT_ID=console-ui -AUTHORITY_CLIENT_SECRET= -AUTHORITY_SCOPES=ui.read ui.admin -CONSOLE_GATEWAY_BASE_URL=https://api.acme.internal -``` - -The compose bundle includes Traefik as reverse proxy with TLS termination. Update `traefik/dynamic/console.yml` for custom certificates or additional middlewares (CSP headers, rate limits). - ---- - -## 4. Environment variables - -| Variable | Description | Default | -|----------|-------------|---------| -| `CONSOLE_PUBLIC_BASE_URL` | External URL used for redirects, deep links, and telemetry. | None (required). | -| `CONSOLE_GATEWAY_BASE_URL` | URL of the web gateway that proxies API calls (`/console/*`). | Chart service name. 
| -| `AUTHORITY_ISSUER` | Authority issuer (`https://authority.example.com`). | None (required). | -| `AUTHORITY_CLIENT_ID` | OIDC client configured in Authority. | None (required). | -| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin`. | -| `AUTHORITY_DPOP_ENABLED` | Enables DPoP challenge/response (recommended true). | `true`. | -| `CONSOLE_FEATURE_FLAGS` | Comma-separated feature flags (`runs`, `downloads.offline`, etc.). | `runs,downloads,policies`. | -| `CONSOLE_LOG_LEVEL` | Minimum log level (`Information`, `Debug`, etc.). | `Information`. | -| `CONSOLE_METRICS_ENABLED` | Expose `/metrics` endpoint. | `true`. | -| `CONSOLE_SENTRY_DSN` | Optional error reporting DSN. | Blank. | - -When running behind additional proxies, set `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` to honour `X-Forwarded-*` headers. - ---- - -## 5. Security headers and CSP - -The console serves a strict Content Security Policy (CSP) by default: - -``` -default-src 'self'; -connect-src 'self' https://*.stella-ops.local; -script-src 'self'; -style-src 'self' 'unsafe-inline'; -img-src 'self' data:; -font-src 'self'; -frame-ancestors 'none'; -``` - -Adjust via `console.config.cspOverrides` if additional domains are required. For integrations embedding the console, update OIDC redirect URIs and Authority scopes accordingly. - -TLS recommendations: - -- Use TLS 1.2+ with modern cipher suite policy. -- Enable HSTS (`Strict-Transport-Security: max-age=31536000; includeSubDomains`). -- Provide custom trust bundles via `console.config.trustBundleSecret` when using private CAs. - ---- - -## 6. Logging and metrics - -- Structured logs emitted to stdout with correlation IDs. Configure log shipping via Fluent Bit or similar. -- Metrics available at `/metrics` in Prometheus format. Key metrics include `ui_request_duration_seconds`, `ui_tenant_switch_total`, and `ui_download_manifest_refresh_seconds`. 
-- Enable OpenTelemetry exporter by setting `OTEL_EXPORTER_OTLP_ENDPOINT` and associated headers in environment variables. - ---- - -## 7. Offline and air-gap deployment - -- Mirror container images using the Downloads workspace or Offline Kit manifest. Example: - -```bash -oras copy registry.stella-ops.org/stellaops/web-ui@sha256: \ - registry.airgap.local/stellaops/web-ui:2025.10.0 -``` - -- Import Offline Kit using `stella ouk import` before starting the console so manifest parity checks succeed. -- Use `values-airgap.yaml` to disable external telemetry endpoints and configure internal certificate chains. -- Run `helm upgrade --install` using the mirrored chart (`stellaops-.tgz`) and set `console.offlineMode=true` to surface offline banners. - ---- - -## 8. Health checks and remediation - -| Check | Command | Expected result | -|-------|---------|-----------------| -| Pod status | `kubectl get pods -n stellaops` | `Running` state with restarts = 0. | -| Liveness | `kubectl exec deploy/stellaops-web-ui -- curl -fsS http://localhost:8080/health/live` | Returns `{"status":"Healthy"}`. | -| Readiness | `kubectl exec deploy/stellaops-web-ui -- curl -fsS http://localhost:8080/health/ready` | Returns `{"status":"Ready"}`. | -| Gateway reachability | `curl -I https://console.example.com/api/console/status` | `200 OK` with CSP headers. | -| Static assets | `curl -I https://console.example.com/static/assets/app.js` | `200 OK` with long cache headers. | - -Troubleshooting steps: - -- **Authority unreachable:** readiness fails with `AUTHORITY_UNREACHABLE`. Check DNS, trust bundles, and Authority service health. -- **Manifest mismatch:** console logs `DOWNLOAD_MANIFEST_SIGNATURE_INVALID`. Verify cosign key and re-sync manifest. -- **Ingress 404:** ensure ingress controller routes host to `stellaops-web-ui` service; check TLS secret name. -- **SSE blocked:** confirm proxy allows HTTP/1.1 and disables buffering on `/console/runs/*`. - ---- - -## 9. 
References - -- `deploy/helm/stellaops/values-*.yaml` - environment-specific overrides. -- `deploy/compose/docker-compose.console.yaml` - Compose bundle. -- `/docs/ui/downloads.md` - manifest and offline bundle guidance. -- `/docs/security/console-security.md` - CSP and Authority scopes. -- `/docs/24_OFFLINE_KIT.md` - Offline kit packaging and verification. -- `/docs/modules/devops/runbooks/deployment-runbook.md` (pending) - wider platform deployment steps. - ---- - -## 10. Compliance checklist - -- [ ] Helm and Compose instructions verified against `deploy/` assets. -- [ ] Ingress/TLS guidance aligns with Security Guild recommendations. -- [ ] Environment variables documented with defaults and required values. -- [ ] Health/liveness/readiness endpoints tested and listed. -- [ ] Offline workflow (mirrors, manifest parity) captured. -- [ ] Logging and metrics surface documented metrics. -- [ ] CSP and security header defaults stated alongside override guidance. -- [ ] Troubleshooting section linked to relevant runbooks. - ---- - -*Last updated: 2025-10-27 (Sprint 23).* +# Deploying the StellaOps Console + +> **Audience:** Deployment Guild, Console Guild, operators rolling out the web console. +> **Scope:** Helm and Docker Compose deployment steps, ingress/TLS configuration, required environment variables, health checks, offline/air-gap operation, and compliance checklist (Sprint 23). + +The StellaOps Console ships as part of the `stellaops` stack Helm chart and Compose bundles maintained under `deploy/`. This guide describes the supported deployment paths, the configuration surface, and operational checks needed to run the console in connected or air-gapped environments. + +--- + +## 1. Prerequisites + +- Kubernetes cluster (v1.28+) with ingress controller (NGINX, Traefik, or equivalent) and Cert-Manager for automated TLS, or Docker host for Compose deployments. 
+- Container registry access to `registry.stella-ops.org` (or mirrored registry) for all images listed in `deploy/releases/*.yaml`. +- Authority service configured with console client (`aud=ui`, scopes `ui.read`, `ui.admin`). +- DNS entry pointing to the console hostname (for example, `console.acme.internal`). +- Cosign public key for manifest verification (`deploy/releases/manifest.json.sig`). +- Optional: Offline Kit bundle for air-gapped sites (`stella-ops-offline-kit-.tar.gz`). + +--- + +## 2. Helm deployment (recommended) + +### 2.1 Install chart repository + +```bash +helm repo add stellaops https://downloads.stella-ops.org/helm +helm repo update stellaops +``` + +If operating offline, copy the chart archive from the Offline Kit (`deploy/helm/stellaops-.tgz`) and run: + +```bash +helm install stellaops ./stellaops-.tgz --namespace stellaops --create-namespace +``` + +### 2.2 Base installation + +```bash +helm install stellaops stellaops/stellaops \ + --namespace stellaops \ + --create-namespace \ + --values deploy/helm/stellaops/values-prod.yaml +``` + +The chart deploys Authority, Console web/API gateway, Scanner API, Scheduler, and supporting services. The console frontend pod is labelled `app=stellaops-web-ui`. + +### 2.3 Helm values highlights + +Key sections in `deploy/helm/stellaops/values-prod.yaml`: + +| Path | Description | +|------|-------------| +| `console.ingress.host` | Hostname served by the console (`console.example.com`). | +| `console.ingress.tls.secretName` | Kubernetes secret containing TLS certificate (generated by Cert-Manager or uploaded manually). | +| `console.config.apiGateway.baseUrl` | Internal base URL the UI uses to reach the gateway (defaults to `https://stellaops-web`). | +| `console.env.AUTHORITY_ISSUER` | Authority issuer URL (for example, `https://authority.example.com`). | +| `console.env.AUTHORITY_CLIENT_ID` | Authority client ID for the console UI. 
| +| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). | +| `console.resources` | CPU/memory requests and limits (default 250m CPU / 512Mi memory). | +| `console.podAnnotations` | Optional annotations for service mesh or monitoring. | + +Use `values-stage.yaml`, `values-dev.yaml`, or `values-airgap.yaml` as templates for other environments. + +### 2.4 TLS and ingress + +Example ingress override: + +```yaml +console: + ingress: + enabled: true + className: nginx + host: console.acme.internal + tls: + enabled: true + secretName: console-tls +``` + +Generate certificates using Cert-Manager or provide an existing secret. For air-gapped deployments, pre-create the secret with the mirrored CA chain. + +### 2.5 Health checks + +Console pods expose: + +| Path | Purpose | Notes | +|------|---------|-------| +| `/health/live` | Liveness probe | Confirms process responsive. | +| `/health/ready` | Readiness probe | Verifies configuration bootstrap and Authority reachability. | +| `/metrics` | Prometheus metrics | Enabled when `console.metrics.enabled=true`. | + +Helm chart sets default probes (`initialDelaySeconds: 10`, `periodSeconds: 15`). Adjust via `console.livenessProbe` and `console.readinessProbe`. + +--- + +## 3. Docker Compose deployment + +Located in `deploy/compose/docker-compose.console.yaml`. Quick start: + +```bash +cd deploy/compose +docker compose -f docker-compose.console.yaml --env-file console.env up -d +``` + +`console.env` should define: + +``` +CONSOLE_PUBLIC_BASE_URL=https://console.acme.internal +AUTHORITY_ISSUER=https://authority.acme.internal +AUTHORITY_CLIENT_ID=console-ui +AUTHORITY_CLIENT_SECRET= +AUTHORITY_SCOPES=ui.read ui.admin +CONSOLE_GATEWAY_BASE_URL=https://api.acme.internal +``` + +The compose bundle includes Traefik as reverse proxy with TLS termination. Update `traefik/dynamic/console.yml` for custom certificates or additional middlewares (CSP headers, rate limits). + +--- + +## 4. 
Environment variables + +| Variable | Description | Default | +|----------|-------------|---------| +| `CONSOLE_PUBLIC_BASE_URL` | External URL used for redirects, deep links, and telemetry. | None (required). | +| `CONSOLE_GATEWAY_BASE_URL` | URL of the web gateway that proxies API calls (`/console/*`). | Chart service name. | +| `AUTHORITY_ISSUER` | Authority issuer (`https://authority.example.com`). | None (required). | +| `AUTHORITY_CLIENT_ID` | OIDC client configured in Authority. | None (required). | +| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin`. | +| `AUTHORITY_DPOP_ENABLED` | Enables DPoP challenge/response (recommended true). | `true`. | +| `CONSOLE_FEATURE_FLAGS` | Comma-separated feature flags (`runs`, `downloads.offline`, etc.). | `runs,downloads,policies`. | +| `CONSOLE_LOG_LEVEL` | Minimum log level (`Information`, `Debug`, etc.). | `Information`. | +| `CONSOLE_METRICS_ENABLED` | Expose `/metrics` endpoint. | `true`. | +| `CONSOLE_SENTRY_DSN` | Optional error reporting DSN. | Blank. | + +When running behind additional proxies, set `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` to honour `X-Forwarded-*` headers. + +--- + +## 5. Security headers and CSP + +The console serves a strict Content Security Policy (CSP) by default: + +``` +default-src 'self'; +connect-src 'self' https://*.stella-ops.local; +script-src 'self'; +style-src 'self' 'unsafe-inline'; +img-src 'self' data:; +font-src 'self'; +frame-ancestors 'none'; +``` + +Adjust via `console.config.cspOverrides` if additional domains are required. For integrations embedding the console, update OIDC redirect URIs and Authority scopes accordingly. + +TLS recommendations: + +- Use TLS 1.2+ with modern cipher suite policy. +- Enable HSTS (`Strict-Transport-Security: max-age=31536000; includeSubDomains`). +- Provide custom trust bundles via `console.config.trustBundleSecret` when using private CAs. + +--- + +## 6. 
Logging and metrics + +- Structured logs emitted to stdout with correlation IDs. Configure log shipping via Fluent Bit or similar. +- Metrics available at `/metrics` in Prometheus format. Key metrics include `ui_request_duration_seconds`, `ui_tenant_switch_total`, and `ui_download_manifest_refresh_seconds`. +- Enable OpenTelemetry exporter by setting `OTEL_EXPORTER_OTLP_ENDPOINT` and associated headers in environment variables. + +--- + +## 7. Offline and air-gap deployment + +- Mirror container images using the Downloads workspace or Offline Kit manifest. Example: + +```bash +oras copy registry.stella-ops.org/stellaops/web-ui@sha256: \ + registry.airgap.local/stellaops/web-ui:2025.10.0 +``` + +- Import Offline Kit using `stella ouk import` before starting the console so manifest parity checks succeed. +- Use `values-airgap.yaml` to disable external telemetry endpoints and configure internal certificate chains. +- Run `helm upgrade --install` using the mirrored chart (`stellaops-.tgz`) and set `console.offlineMode=true` to surface offline banners. + +--- + +## 8. Health checks and remediation + +| Check | Command | Expected result | +|-------|---------|-----------------| +| Pod status | `kubectl get pods -n stellaops` | `Running` state with restarts = 0. | +| Liveness | `kubectl exec deploy/stellaops-web-ui -- curl -fsS http://localhost:8080/health/live` | Returns `{"status":"Healthy"}`. | +| Readiness | `kubectl exec deploy/stellaops-web-ui -- curl -fsS http://localhost:8080/health/ready` | Returns `{"status":"Ready"}`. | +| Gateway reachability | `curl -I https://console.example.com/api/console/status` | `200 OK` with CSP headers. | +| Static assets | `curl -I https://console.example.com/static/assets/app.js` | `200 OK` with long cache headers. | + +Troubleshooting steps: + +- **Authority unreachable:** readiness fails with `AUTHORITY_UNREACHABLE`. Check DNS, trust bundles, and Authority service health. 
+- **Manifest mismatch:** console logs `DOWNLOAD_MANIFEST_SIGNATURE_INVALID`. Verify cosign key and re-sync manifest. +- **Ingress 404:** ensure ingress controller routes host to `stellaops-web-ui` service; check TLS secret name. +- **SSE blocked:** confirm proxy allows HTTP/1.1 and disables buffering on `/console/runs/*`. + +--- + +## 9. References + +- `deploy/helm/stellaops/values-*.yaml` - environment-specific overrides. +- `deploy/compose/docker-compose.console.yaml` - Compose bundle. +- `/docs/ui/downloads.md` - manifest and offline bundle guidance. +- `/docs/security/console-security.md` - CSP and Authority scopes. +- `/docs/24_OFFLINE_KIT.md` - Offline kit packaging and verification. +- `/docs/modules/devops/runbooks/deployment-runbook.md` (pending) - wider platform deployment steps. + +--- + +## 10. Compliance checklist + +- [ ] Helm and Compose instructions verified against `deploy/` assets. +- [ ] Ingress/TLS guidance aligns with Security Guild recommendations. +- [ ] Environment variables documented with defaults and required values. +- [ ] Health/liveness/readiness endpoints tested and listed. +- [ ] Offline workflow (mirrors, manifest parity) captured. +- [ ] Logging and metrics surface documented metrics. +- [ ] CSP and security header defaults stated alongside override guidance. +- [ ] Troubleshooting section linked to relevant runbooks. + +--- + +*Last updated: 2025-10-27 (Sprint 23).* diff --git a/docs/deploy/containers.md b/docs/deploy/containers.md index 4b6a21e2..a68134e7 100644 --- a/docs/deploy/containers.md +++ b/docs/deploy/containers.md 
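Review bot: docs/deploy/console.md is likewise rewritten in full with no textual change (-1,228 +1,228), so this hunk is almost certainly an end-of-line normalisation that belongs in its own commit. On the content, section 4 recommends `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` without noting that ASP.NET Core then clears `KnownProxies`/`KnownNetworks` and trusts `X-Forwarded-For`/`X-Forwarded-Proto` from any upstream; add a sentence telling operators to restrict those lists to the ingress addresses. In section 3 the `console.env` sample carries `AUTHORITY_CLIENT_SECRET=` in a plain env file, so point readers at a Docker secret or a mounted file instead of a value that tends to end up committed.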
@@ -1,160 +1,160 @@ -# Container Deployment Guide — AOC Update - -> **Audience:** DevOps Guild, platform operators deploying StellaOps services. -> **Scope:** Deployment configuration changes required by the Aggregation-Only Contract (AOC), including schema validators, guard environment flags, and verifier identities. - -This guide supplements existing deployment manuals with AOC-specific configuration. It assumes familiarity with the base Compose/Helm manifests described in `ops/deployment/` and `docs/modules/devops/architecture.md`. - ---- - -## 1 · Schema validator enablement - -### 1.1 MongoDB validators - -- Apply JSON schema validators to `advisory_raw` and `vex_raw` collections before enabling AOC guards. -- Before enabling validators or the idempotency index, run the duplicate audit helper to confirm no conflicting raw advisories remain: - ```bash - mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;' - ``` - Resolve any reported rows prior to rollout. -- Use the migration script provided in `ops/devops/scripts/apply-aoc-validators.js`: - -```bash -kubectl exec -n concelier deploy/concelier-mongo -- \ - mongo concelier ops/devops/scripts/apply-aoc-validators.js - -kubectl exec -n excititor deploy/excititor-mongo -- \ - mongo excititor ops/devops/scripts/apply-aoc-validators.js -``` - -- Validators enforce required fields (`tenant`, `source`, `upstream`, `linkset`) and reject forbidden keys at DB level. -- Rollback plan: validators are applied with `validationLevel: moderate`—downgrade via the same script with `--remove` if required. - -### 1.2 Migration order - -1. Deploy validators in maintenance window. -2. Roll out Concelier/Excititor images with guard middleware enabled (`AOC_GUARD_ENABLED=true`). -3. Run smoke tests (`stella sources ingest --dry-run` fixtures) before resuming production ingestion. - -### 1.3 Supersedes backfill verification - -1. 
**Duplicate audit:** Confirm `mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;'` reports no conflicts before restarting Concelier with the new migrations. -2. **Post-migration check:** After the service restarts, validate that `db.advisory` is a view pointing to `advisory_backup_20251028`: - ```bash - mongo concelier --quiet --eval 'db.getCollectionInfos({ name: "advisory" })[0]' - ``` - The `type` should be `"view"` and `options.viewOn` should equal `"advisory_backup_20251028"`. -3. **Supersedes chain spot-check:** Inspect a sample set to ensure deterministic chaining: - ```bash - mongo concelier --quiet --eval ' - db.advisory_raw.aggregate([ - { $match: { "upstream.upstream_id": { $exists: true } } }, - { $sort: { "tenant": 1, "source.vendor": 1, "upstream.upstream_id": 1, "upstream.retrieved_at": 1 } }, - { $limit: 5 }, - { $project: { _id: 1, supersedes: 1 } } - ]).forEach(printjson)' - ``` - Each revision should reference the previous `_id` (or `null` for the first revision). Record findings in the change ticket before proceeding to production. - ---- - -## 2 · Container environment flags - -Add the following environment variables to Concelier/Excititor deployments: - -| Variable | Default | Description | -|----------|---------|-------------| -| `AOC_GUARD_ENABLED` | `true` | Enables `AOCWriteGuard` interception. Set `false` only for controlled rollback. | -| `AOC_ALLOW_SUPERSEDES_RETROFIT` | `false` | Allows temporary supersedes backfill during migration. Remove after cutover. | -| `AOC_METRICS_ENABLED` | `true` | Emits `ingestion_write_total`, `aoc_violation_total`, etc. | -| `AOC_TENANT_HEADER` | `X-Stella-Tenant` | Header name expected from Gateway. | -| `AOC_VERIFIER_USER` | `stella-aoc-verify` | Read-only service user used by UI/CLI verification. 
| - -Compose snippet: - -```yaml -environment: - - AOC_GUARD_ENABLED=true - - AOC_ALLOW_SUPERSEDES_RETROFIT=false - - AOC_METRICS_ENABLED=true - - AOC_TENANT_HEADER=X-Stella-Tenant - - AOC_VERIFIER_USER=stella-aoc-verify -``` - -Ensure `AOC_VERIFIER_USER` exists in Authority with `aoc:verify` scope and no write permissions. - ---- - -## 3 · Verifier identity - -- Create a dedicated client (`stella-aoc-verify`) via Authority bootstrap: - -```yaml -clients: - - clientId: stella-aoc-verify - grantTypes: [client_credentials] - scopes: [aoc:verify, advisory:read, vex:read] - tenants: [default] -``` - -- Store credentials in secret store (`Kubernetes Secret`, `Docker swarm secret`). -- Bind credentials to `stella aoc verify` CI jobs and Console verification service. -- Rotate quarterly; document in `ops/authority-key-rotation.md`. - ---- - -## 4 · Deployment steps - -1. **Pre-checks:** Confirm database backups, alerting in maintenance mode, and staging environment validated. -2. **Apply validators:** Run scripts per § 1.1. -3. **Update manifests:** Inject environment variables (§ 2) and mount guard configuration configmaps. -4. **Redeploy services:** Rolling restart Concelier/Excititor pods. Monitor `ingestion_write_total` for steady throughput. -5. **Seed verifier:** Deploy read-only verifier user and store credentials. -6. **Run verification:** Execute `stella aoc verify --since 24h` and ensure exit code `0`. -7. **Update dashboards:** Point Grafana panels to new metrics (`aoc_violation_total`). -8. **Record handoff:** Capture console screenshots and verification logs for release notes. - ---- - -## 5 · Offline Kit updates - -- Ship validator scripts with Offline Kit (`offline-kit/scripts/apply-aoc-validators.js`). -- Include pre-generated verification reports for air-gapped deployments. -- Document offline CLI workflow in bundle README referencing `docs/modules/cli/guides/cli-reference.md`. 
-- Ensure `stella-aoc-verify` credentials are scoped to offline tenant and rotated during bundle refresh. - ---- - -## 6 · Rollback plan - -1. Disable guard via `AOC_GUARD_ENABLED=false` on Concelier/Excititor and rollout. -2. Remove validators with the migration script (`--remove`). -3. Pause verification jobs to prevent noise. -4. Investigate and remediate upstream issues before re-enabling guards. - ---- - -## 7 · References - -- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) -- [Authority scopes & tenancy](../security/authority-scopes.md) -- [Observability guide](../observability/observability.md) -- [CLI AOC commands](../modules/cli/guides/cli-reference.md) -- [Concelier architecture](../modules/concelier/architecture.md) -- [Excititor architecture](../modules/excititor/architecture.md) - ---- - -## 8 · Compliance checklist - -- [ ] Validators documented and scripts referenced for online/offline deployments. -- [ ] Environment variables cover guard enablement, metrics, and tenant header. -- [ ] Read-only verifier user installation steps included. -- [ ] Offline kit instructions align with validator/verification workflow. -- [ ] Rollback procedure captured. -- [ ] Cross-links to AOC docs, Authority scopes, and observability guides present. -- [ ] DevOps Guild sign-off tracked (owner: @devops-guild, due 2025-10-29). - ---- - -*Last updated: 2025-10-26 (Sprint 19).* +# Container Deployment Guide — AOC Update + +> **Audience:** DevOps Guild, platform operators deploying StellaOps services. +> **Scope:** Deployment configuration changes required by the Aggregation-Only Contract (AOC), including schema validators, guard environment flags, and verifier identities. + +This guide supplements existing deployment manuals with AOC-specific configuration. It assumes familiarity with the base Compose/Helm manifests described in `ops/deployment/` and `docs/modules/devops/architecture.md`. 
+ +--- + +## 1 · Schema validator enablement + +### 1.1 MongoDB validators + +- Apply JSON schema validators to `advisory_raw` and `vex_raw` collections before enabling AOC guards. +- Before enabling validators or the idempotency index, run the duplicate audit helper to confirm no conflicting raw advisories remain: + ```bash + mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;' + ``` + Resolve any reported rows prior to rollout. +- Use the migration script provided in `ops/devops/scripts/apply-aoc-validators.js`: + +```bash +kubectl exec -n concelier deploy/concelier-mongo -- \ + mongo concelier ops/devops/scripts/apply-aoc-validators.js + +kubectl exec -n excititor deploy/excititor-mongo -- \ + mongo excititor ops/devops/scripts/apply-aoc-validators.js +``` + +- Validators enforce required fields (`tenant`, `source`, `upstream`, `linkset`) and reject forbidden keys at DB level. +- Rollback plan: validators are applied with `validationLevel: moderate`—downgrade via the same script with `--remove` if required. + +### 1.2 Migration order + +1. Deploy validators in maintenance window. +2. Roll out Concelier/Excititor images with guard middleware enabled (`AOC_GUARD_ENABLED=true`). +3. Run smoke tests (`stella sources ingest --dry-run` fixtures) before resuming production ingestion. + +### 1.3 Supersedes backfill verification + +1. **Duplicate audit:** Confirm `mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;'` reports no conflicts before restarting Concelier with the new migrations. +2. **Post-migration check:** After the service restarts, validate that `db.advisory` is a view pointing to `advisory_backup_20251028`: + ```bash + mongo concelier --quiet --eval 'db.getCollectionInfos({ name: "advisory" })[0]' + ``` + The `type` should be `"view"` and `options.viewOn` should equal `"advisory_backup_20251028"`. +3. 
**Supersedes chain spot-check:** Inspect a sample set to ensure deterministic chaining: + ```bash + mongo concelier --quiet --eval ' + db.advisory_raw.aggregate([ + { $match: { "upstream.upstream_id": { $exists: true } } }, + { $sort: { "tenant": 1, "source.vendor": 1, "upstream.upstream_id": 1, "upstream.retrieved_at": 1 } }, + { $limit: 5 }, + { $project: { _id: 1, supersedes: 1 } } + ]).forEach(printjson)' + ``` + Each revision should reference the previous `_id` (or `null` for the first revision). Record findings in the change ticket before proceeding to production. + +--- + +## 2 · Container environment flags + +Add the following environment variables to Concelier/Excititor deployments: + +| Variable | Default | Description | +|----------|---------|-------------| +| `AOC_GUARD_ENABLED` | `true` | Enables `AOCWriteGuard` interception. Set `false` only for controlled rollback. | +| `AOC_ALLOW_SUPERSEDES_RETROFIT` | `false` | Allows temporary supersedes backfill during migration. Remove after cutover. | +| `AOC_METRICS_ENABLED` | `true` | Emits `ingestion_write_total`, `aoc_violation_total`, etc. | +| `AOC_TENANT_HEADER` | `X-Stella-Tenant` | Header name expected from Gateway. | +| `AOC_VERIFIER_USER` | `stella-aoc-verify` | Read-only service user used by UI/CLI verification. | + +Compose snippet: + +```yaml +environment: + - AOC_GUARD_ENABLED=true + - AOC_ALLOW_SUPERSEDES_RETROFIT=false + - AOC_METRICS_ENABLED=true + - AOC_TENANT_HEADER=X-Stella-Tenant + - AOC_VERIFIER_USER=stella-aoc-verify +``` + +Ensure `AOC_VERIFIER_USER` exists in Authority with `aoc:verify` scope and no write permissions. + +--- + +## 3 · Verifier identity + +- Create a dedicated client (`stella-aoc-verify`) via Authority bootstrap: + +```yaml +clients: + - clientId: stella-aoc-verify + grantTypes: [client_credentials] + scopes: [aoc:verify, advisory:read, vex:read] + tenants: [default] +``` + +- Store credentials in secret store (`Kubernetes Secret`, `Docker swarm secret`). 
+- Bind credentials to `stella aoc verify` CI jobs and Console verification service. +- Rotate quarterly; document in `ops/authority-key-rotation.md`. + +--- + +## 4 · Deployment steps + +1. **Pre-checks:** Confirm database backups, alerting in maintenance mode, and staging environment validated. +2. **Apply validators:** Run scripts per § 1.1. +3. **Update manifests:** Inject environment variables (§ 2) and mount guard configuration configmaps. +4. **Redeploy services:** Rolling restart Concelier/Excititor pods. Monitor `ingestion_write_total` for steady throughput. +5. **Seed verifier:** Deploy read-only verifier user and store credentials. +6. **Run verification:** Execute `stella aoc verify --since 24h` and ensure exit code `0`. +7. **Update dashboards:** Point Grafana panels to new metrics (`aoc_violation_total`). +8. **Record handoff:** Capture console screenshots and verification logs for release notes. + +--- + +## 5 · Offline Kit updates + +- Ship validator scripts with Offline Kit (`offline-kit/scripts/apply-aoc-validators.js`). +- Include pre-generated verification reports for air-gapped deployments. +- Document offline CLI workflow in bundle README referencing `docs/modules/cli/guides/cli-reference.md`. +- Ensure `stella-aoc-verify` credentials are scoped to offline tenant and rotated during bundle refresh. + +--- + +## 6 · Rollback plan + +1. Disable guard via `AOC_GUARD_ENABLED=false` on Concelier/Excititor and rollout. +2. Remove validators with the migration script (`--remove`). +3. Pause verification jobs to prevent noise. +4. Investigate and remediate upstream issues before re-enabling guards. 
+ +--- + +## 7 · References + +- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) +- [Authority scopes & tenancy](../security/authority-scopes.md) +- [Observability guide](../observability/observability.md) +- [CLI AOC commands](../modules/cli/guides/cli-reference.md) +- [Concelier architecture](../modules/concelier/architecture.md) +- [Excititor architecture](../modules/excititor/architecture.md) + +--- + +## 8 · Compliance checklist + +- [ ] Validators documented and scripts referenced for online/offline deployments. +- [ ] Environment variables cover guard enablement, metrics, and tenant header. +- [ ] Read-only verifier user installation steps included. +- [ ] Offline kit instructions align with validator/verification workflow. +- [ ] Rollback procedure captured. +- [ ] Cross-links to AOC docs, Authority scopes, and observability guides present. +- [ ] DevOps Guild sign-off tracked (owner: @devops-guild, due 2025-10-29). + +--- + +*Last updated: 2025-10-26 (Sprint 19).* diff --git a/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md b/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md index fcb67ef2..77c47984 100644 --- a/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md +++ b/docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md 
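Review bot: this hunk (`@@ -1,160 +1,160 @@`) removes and re-adds every line of `docs/deploy/containers.md` with textually identical content, which indicates a line-ending or trailing-whitespace rewrite rather than the content change the commit subject ("Align AOC tasks for Excititor and Concelier") describes. Confirm with `git diff --ignore-cr-at-eol` (or `-w`) that no wording actually changed, and if the intent is EOL normalisation, add a `.gitattributes` rule such as `*.md text eol=lf` so the file is normalised once instead of producing a full-file diff on every touch; a whitespace-only rewrite also hides any real edits from blame and makes this doc harder to review in later sprints.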
@@ -1,220 +1,220 @@ -# Excititor Connector Packaging Guide - -> **Audience:** teams implementing new Excititor provider plug‑ins (CSAF feeds, -> OpenVEX attestations, etc.) -> **Prerequisites:** read `docs/modules/excititor/architecture.md` and the module -> `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`. - -The Excititor connector SDK gives you: - -- `VexConnectorBase` – deterministic logging, SHA‑256 helpers, time provider. -- `VexConnectorOptionsBinder` – strongly typed YAML/JSON configuration binding. -- `IVexConnectorOptionsValidator` – custom validation hooks (offline defaults, auth invariants). -- `VexConnectorDescriptor` & metadata helpers for consistent telemetry. - -This guide explains how to package a connector so the Excititor Worker/WebService -can load it via the plugin host. - ---- - -## 1. Project layout - -Start from the template under -`docs/dev/templates/excititor-connector/`. It contains: - -``` -Excititor.MyConnector/ -├── src/ -│ ├── Excititor.MyConnector.csproj -│ ├── MyConnectorOptions.cs -│ ├── MyConnector.cs -│ └── MyConnectorPlugin.cs -└── manifest/ - └── connector.manifest.yaml -``` - -Key points: - -- Target `net10.0`, enable `TreatWarningsAsErrors`, reference the - `StellaOps.Excititor.Connectors.Abstractions` project (or NuGet once published). -- Keep project ID prefix `StellaOps.Excititor.Connectors.` so the - plugin loader can discover it with the default search pattern. - -### 1.1 csproj snippet - -```xml - - - net10.0 - enable - enable - true - - - - - -``` - -Adjust the `ProjectReference` for your checkout (or switch to a NuGet package -once published). - ---- - -## 2. Implement the connector - -1. **Options model** – create an options POCO with data-annotation attributes. - Bind it via `VexConnectorOptionsBinder.Bind` in your connector - constructor or `ValidateAsync`. -2. 
**Validator** – implement `IVexConnectorOptionsValidator` to add - complex checks (e.g., ensure both `clientId` and `clientSecret` are present). -3. **Connector** – inherit from `VexConnectorBase`. Implement: - - `ValidateAsync` – run binder/validators, log configuration summary. - - `FetchAsync` – stream raw documents to `context.RawSink`. - - `NormalizeAsync` – convert raw documents into `VexClaimBatch` via - format-specific normalizers (`context.Normalizers`). -4. **Plugin adapter** – expose the connector via a plugin entry point so the - host can instantiate it. - -### 2.1 Options binding example - -```csharp -public sealed class MyConnectorOptions -{ - [Required] - [Url] - public string CatalogUri { get; set; } = default!; - - [Required] - public string ApiKey { get; set; } = default!; - - [Range(1, 64)] - public int MaxParallelRequests { get; set; } = 4; -} - -public sealed class MyConnectorOptionsValidator : IVexConnectorOptionsValidator -{ - public void Validate(VexConnectorDescriptor descriptor, MyConnectorOptions options, IList errors) - { - if (!options.CatalogUri.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) - { - errors.Add("CatalogUri must use HTTPS."); - } - } -} -``` - -Bind inside the connector: - -```csharp -private readonly MyConnectorOptions _options; - -public MyConnector(VexConnectorDescriptor descriptor, ILogger logger, TimeProvider timeProvider) - : base(descriptor, logger, timeProvider) -{ - // `settings` comes from the orchestrator; validators registered via DI. - _options = VexConnectorOptionsBinder.Bind( - descriptor, - VexConnectorSettings.Empty, - validators: new[] { new MyConnectorOptionsValidator() }); -} -``` - -Replace `VexConnectorSettings.Empty` with the actual settings from context -inside `ValidateAsync`. - ---- - -## 3. Plugin adapter & manifest - -Create a simple plugin class that implements -`StellaOps.Plugin.IConnectorPlugin`. The Worker/WebService plugin host uses -this contract today. 
- -```csharp -public sealed class MyConnectorPlugin : IConnectorPlugin -{ - private static readonly VexConnectorDescriptor Descriptor = - new("excititor:my-provider", VexProviderKind.Vendor, "My Provider VEX"); - - public string Name => Descriptor.DisplayName; - - public bool IsAvailable(IServiceProvider services) => true; // inject feature flags if needed - - public IFeedConnector Create(IServiceProvider services) - { - var logger = services.GetRequiredService>(); - var timeProvider = services.GetRequiredService(); - return new MyConnector(Descriptor, logger, timeProvider); - } -} -``` - -> **Note:** the Excititor Worker currently instantiates connectors through the -> shared `IConnectorPlugin` contract. Once a dedicated Excititor plugin interface -> lands you simply swap the base interface; the descriptor/connector code -> remains unchanged. - -Provide a manifest describing the assembly for operational tooling: - -```yaml -# manifest/connector.manifest.yaml -id: excititor-my-provider -assembly: StellaOps.Excititor.Connectors.MyProvider.dll -entryPoint: StellaOps.Excititor.Connectors.MyProvider.MyConnectorPlugin -description: > - Official VEX feed for ExampleCorp products (CSAF JSON, daily updates). -tags: - - excititor - - csaf - - vendor -``` - -Store manifests under `/opt/stella/excititor/plugins//manifest/` in -production so the deployment tooling can inventory and verify plug‑ins. - ---- - -## 4. Packaging workflow - -1. `dotnet publish -c Release` → copy the published DLLs to - `/opt/stella/excititor/plugins//`. -2. Place `connector.manifest.yaml` next to the binaries. -3. Restart the Excititor Worker or WebService (hot reload not supported yet). -4. Verify logs: `VEX-ConnectorLoader` should list the connector descriptor. - -### 4.1 Offline kits - -- Add the connector folder (binaries + manifest) to the Offline Kit bundle. -- Include a `settings.sample.yaml` demonstrating offline-friendly defaults. 
-- Document any external dependencies (e.g., SHA mirrors) in the manifest `notes` - field. - ---- - -## 5. Testing checklist - -- Unit tests around options binding & validators. -- Integration tests (future `StellaOps.Excititor.Connectors.Abstractions.Tests`) - verifying deterministic logging scopes: - `logger.BeginScope` should produce `vex.connector.id`, `vex.connector.kind`, - and `vex.connector.operation`. -- Deterministic SHA tests: repeated `CreateRawDocument` calls with identical - content must return the same digest. - ---- - -## 6. Reference template - -See `docs/dev/templates/excititor-connector/` for the full quick‑start including: - -- Sample options class + validator. -- Connector implementation inheriting from `VexConnectorBase`. -- Plugin adapter + manifest. - -Copy the directory, rename namespaces/IDs, then iterate on provider-specific -logic. - ---- - -*Last updated: 2025-10-17* +# Excititor Connector Packaging Guide + +> **Audience:** teams implementing new Excititor provider plug‑ins (CSAF feeds, +> OpenVEX attestations, etc.) +> **Prerequisites:** read `docs/modules/excititor/architecture.md` and the module +> `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`. + +The Excititor connector SDK gives you: + +- `VexConnectorBase` – deterministic logging, SHA‑256 helpers, time provider. +- `VexConnectorOptionsBinder` – strongly typed YAML/JSON configuration binding. +- `IVexConnectorOptionsValidator` – custom validation hooks (offline defaults, auth invariants). +- `VexConnectorDescriptor` & metadata helpers for consistent telemetry. + +This guide explains how to package a connector so the Excititor Worker/WebService +can load it via the plugin host. + +--- + +## 1. Project layout + +Start from the template under +`docs/dev/templates/excititor-connector/`. 
It contains: + +``` +Excititor.MyConnector/ +├── src/ +│ ├── Excititor.MyConnector.csproj +│ ├── MyConnectorOptions.cs +│ ├── MyConnector.cs +│ └── MyConnectorPlugin.cs +└── manifest/ + └── connector.manifest.yaml +``` + +Key points: + +- Target `net10.0`, enable `TreatWarningsAsErrors`, reference the + `StellaOps.Excititor.Connectors.Abstractions` project (or NuGet once published). +- Keep project ID prefix `StellaOps.Excititor.Connectors.` so the + plugin loader can discover it with the default search pattern. + +### 1.1 csproj snippet + +```xml + + + net10.0 + enable + enable + true + + + + + +``` + +Adjust the `ProjectReference` for your checkout (or switch to a NuGet package +once published). + +--- + +## 2. Implement the connector + +1. **Options model** – create an options POCO with data-annotation attributes. + Bind it via `VexConnectorOptionsBinder.Bind` in your connector + constructor or `ValidateAsync`. +2. **Validator** – implement `IVexConnectorOptionsValidator` to add + complex checks (e.g., ensure both `clientId` and `clientSecret` are present). +3. **Connector** – inherit from `VexConnectorBase`. Implement: + - `ValidateAsync` – run binder/validators, log configuration summary. + - `FetchAsync` – stream raw documents to `context.RawSink`. + - `NormalizeAsync` – convert raw documents into `VexClaimBatch` via + format-specific normalizers (`context.Normalizers`). +4. **Plugin adapter** – expose the connector via a plugin entry point so the + host can instantiate it. 
+ +### 2.1 Options binding example + +```csharp +public sealed class MyConnectorOptions +{ + [Required] + [Url] + public string CatalogUri { get; set; } = default!; + + [Required] + public string ApiKey { get; set; } = default!; + + [Range(1, 64)] + public int MaxParallelRequests { get; set; } = 4; +} + +public sealed class MyConnectorOptionsValidator : IVexConnectorOptionsValidator +{ + public void Validate(VexConnectorDescriptor descriptor, MyConnectorOptions options, IList errors) + { + if (!options.CatalogUri.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) + { + errors.Add("CatalogUri must use HTTPS."); + } + } +} +``` + +Bind inside the connector: + +```csharp +private readonly MyConnectorOptions _options; + +public MyConnector(VexConnectorDescriptor descriptor, ILogger logger, TimeProvider timeProvider) + : base(descriptor, logger, timeProvider) +{ + // `settings` comes from the orchestrator; validators registered via DI. + _options = VexConnectorOptionsBinder.Bind( + descriptor, + VexConnectorSettings.Empty, + validators: new[] { new MyConnectorOptionsValidator() }); +} +``` + +Replace `VexConnectorSettings.Empty` with the actual settings from context +inside `ValidateAsync`. + +--- + +## 3. Plugin adapter & manifest + +Create a simple plugin class that implements +`StellaOps.Plugin.IConnectorPlugin`. The Worker/WebService plugin host uses +this contract today. 
+ +```csharp +public sealed class MyConnectorPlugin : IConnectorPlugin +{ + private static readonly VexConnectorDescriptor Descriptor = + new("excititor:my-provider", VexProviderKind.Vendor, "My Provider VEX"); + + public string Name => Descriptor.DisplayName; + + public bool IsAvailable(IServiceProvider services) => true; // inject feature flags if needed + + public IFeedConnector Create(IServiceProvider services) + { + var logger = services.GetRequiredService>(); + var timeProvider = services.GetRequiredService(); + return new MyConnector(Descriptor, logger, timeProvider); + } +} +``` + +> **Note:** the Excititor Worker currently instantiates connectors through the +> shared `IConnectorPlugin` contract. Once a dedicated Excititor plugin interface +> lands you simply swap the base interface; the descriptor/connector code +> remains unchanged. + +Provide a manifest describing the assembly for operational tooling: + +```yaml +# manifest/connector.manifest.yaml +id: excititor-my-provider +assembly: StellaOps.Excititor.Connectors.MyProvider.dll +entryPoint: StellaOps.Excititor.Connectors.MyProvider.MyConnectorPlugin +description: > + Official VEX feed for ExampleCorp products (CSAF JSON, daily updates). +tags: + - excititor + - csaf + - vendor +``` + +Store manifests under `/opt/stella/excititor/plugins//manifest/` in +production so the deployment tooling can inventory and verify plug‑ins. + +--- + +## 4. Packaging workflow + +1. `dotnet publish -c Release` → copy the published DLLs to + `/opt/stella/excititor/plugins//`. +2. Place `connector.manifest.yaml` next to the binaries. +3. Restart the Excititor Worker or WebService (hot reload not supported yet). +4. Verify logs: `VEX-ConnectorLoader` should list the connector descriptor. + +### 4.1 Offline kits + +- Add the connector folder (binaries + manifest) to the Offline Kit bundle. +- Include a `settings.sample.yaml` demonstrating offline-friendly defaults. 
+- Document any external dependencies (e.g., SHA mirrors) in the manifest `notes` + field. + +--- + +## 5. Testing checklist + +- Unit tests around options binding & validators. +- Integration tests (future `StellaOps.Excititor.Connectors.Abstractions.Tests`) + verifying deterministic logging scopes: + `logger.BeginScope` should produce `vex.connector.id`, `vex.connector.kind`, + and `vex.connector.operation`. +- Deterministic SHA tests: repeated `CreateRawDocument` calls with identical + content must return the same digest. + +--- + +## 6. Reference template + +See `docs/dev/templates/excititor-connector/` for the full quick‑start including: + +- Sample options class + validator. +- Connector implementation inheriting from `VexConnectorBase`. +- Plugin adapter + manifest. + +Copy the directory, rename namespaces/IDs, then iterate on provider-specific +logic. + +--- + +*Last updated: 2025-10-17* diff --git a/docs/dev/30_VEXER_CONNECTOR_GUIDE.md b/docs/dev/30_VEXER_CONNECTOR_GUIDE.md index 328865b0..8c7d0890 100644 --- a/docs/dev/30_VEXER_CONNECTOR_GUIDE.md +++ b/docs/dev/30_VEXER_CONNECTOR_GUIDE.md 
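Review bot: as with the containers guide, this hunk (`@@ -1,220 +1,220 @@`) rewrites `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` with lines that are identical on the `-` and `+` sides, so it is most likely a line-ending change; verify with `git diff --ignore-cr-at-eol` and normalise via `.gitattributes` rather than re-committing the whole file. Since the file is being touched anyway, two points in the §2.1 example are worth fixing: `MyConnectorOptionsValidator.Validate` calls `options.CatalogUri.StartsWith("https://", ...)` on a property initialised to `default!`, so if the binder invokes custom validators before (or regardless of) the `[Required]` data annotation, an unset `CatalogUri` throws a `NullReferenceException` instead of reporting "CatalogUri must use HTTPS."; guard it with `string.IsNullOrEmpty(options.CatalogUri)` first. Second, the constructor snippet binds `VexConnectorSettings.Empty` while the options model marks `CatalogUri` and `ApiKey` as `[Required]`, so as written the bind presumably fails at construction; the prose already says the real settings arrive in `ValidateAsync`, so move the `VexConnectorOptionsBinder.Bind` call there in the snippet (or label the constructor binding as a placeholder) so readers do not copy a failing pattern.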
@@ -1,220 +1,220 @@ -# Vexer Connector Packaging Guide - -> **Audience:** teams implementing new Vexer provider plug‑ins (CSAF feeds, -> OpenVEX attestations, etc.) -> **Prerequisites:** read `docs/modules/vexer/architecture.md` and the module -> `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`. - -The Vexer connector SDK gives you: - -- `VexConnectorBase` – deterministic logging, SHA‑256 helpers, time provider. -- `VexConnectorOptionsBinder` – strongly typed YAML/JSON configuration binding. -- `IVexConnectorOptionsValidator` – custom validation hooks (offline defaults, auth invariants). -- `VexConnectorDescriptor` & metadata helpers for consistent telemetry. - -This guide explains how to package a connector so the Vexer Worker/WebService -can load it via the plugin host. - ---- - -## 1. Project layout - -Start from the template under -`docs/dev/templates/vexer-connector/`. It contains: - -``` -Vexer.MyConnector/ -├── src/ -│ ├── Vexer.MyConnector.csproj -│ ├── MyConnectorOptions.cs -│ ├── MyConnector.cs -│ └── MyConnectorPlugin.cs -└── manifest/ - └── connector.manifest.yaml -``` - -Key points: - -- Target `net10.0`, enable `TreatWarningsAsErrors`, reference the - `StellaOps.Vexer.Connectors.Abstractions` project (or NuGet once published). -- Keep project ID prefix `StellaOps.Vexer.Connectors.` so the - plugin loader can discover it with the default search pattern. - -### 1.1 csproj snippet - -```xml - - - net10.0 - enable - enable - true - - - - - -``` - -Adjust the `ProjectReference` for your checkout (or switch to a NuGet package -once published). - ---- - -## 2. Implement the connector - -1. **Options model** – create an options POCO with data-annotation attributes. - Bind it via `VexConnectorOptionsBinder.Bind` in your connector - constructor or `ValidateAsync`. -2. **Validator** – implement `IVexConnectorOptionsValidator` to add - complex checks (e.g., ensure both `clientId` and `clientSecret` are present). -3. 
**Connector** – inherit from `VexConnectorBase`. Implement: - - `ValidateAsync` – run binder/validators, log configuration summary. - - `FetchAsync` – stream raw documents to `context.RawSink`. - - `NormalizeAsync` – convert raw documents into `VexClaimBatch` via - format-specific normalizers (`context.Normalizers`). -4. **Plugin adapter** – expose the connector via a plugin entry point so the - host can instantiate it. - -### 2.1 Options binding example - -```csharp -public sealed class MyConnectorOptions -{ - [Required] - [Url] - public string CatalogUri { get; set; } = default!; - - [Required] - public string ApiKey { get; set; } = default!; - - [Range(1, 64)] - public int MaxParallelRequests { get; set; } = 4; -} - -public sealed class MyConnectorOptionsValidator : IVexConnectorOptionsValidator -{ - public void Validate(VexConnectorDescriptor descriptor, MyConnectorOptions options, IList errors) - { - if (!options.CatalogUri.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) - { - errors.Add("CatalogUri must use HTTPS."); - } - } -} -``` - -Bind inside the connector: - -```csharp -private readonly MyConnectorOptions _options; - -public MyConnector(VexConnectorDescriptor descriptor, ILogger logger, TimeProvider timeProvider) - : base(descriptor, logger, timeProvider) -{ - // `settings` comes from the orchestrator; validators registered via DI. - _options = VexConnectorOptionsBinder.Bind( - descriptor, - VexConnectorSettings.Empty, - validators: new[] { new MyConnectorOptionsValidator() }); -} -``` - -Replace `VexConnectorSettings.Empty` with the actual settings from context -inside `ValidateAsync`. - ---- - -## 3. Plugin adapter & manifest - -Create a simple plugin class that implements -`StellaOps.Plugin.IConnectorPlugin`. The Worker/WebService plugin host uses -this contract today. 
- -```csharp -public sealed class MyConnectorPlugin : IConnectorPlugin -{ - private static readonly VexConnectorDescriptor Descriptor = - new("vexer:my-provider", VexProviderKind.Vendor, "My Provider VEX"); - - public string Name => Descriptor.DisplayName; - - public bool IsAvailable(IServiceProvider services) => true; // inject feature flags if needed - - public IFeedConnector Create(IServiceProvider services) - { - var logger = services.GetRequiredService>(); - var timeProvider = services.GetRequiredService(); - return new MyConnector(Descriptor, logger, timeProvider); - } -} -``` - -> **Note:** the Vexer Worker currently instantiates connectors through the -> shared `IConnectorPlugin` contract. Once a dedicated Vexer plugin interface -> lands you simply swap the base interface; the descriptor/connector code -> remains unchanged. - -Provide a manifest describing the assembly for operational tooling: - -```yaml -# manifest/connector.manifest.yaml -id: vexer-my-provider -assembly: StellaOps.Vexer.Connectors.MyProvider.dll -entryPoint: StellaOps.Vexer.Connectors.MyProvider.MyConnectorPlugin -description: > - Official VEX feed for ExampleCorp products (CSAF JSON, daily updates). -tags: - - vexer - - csaf - - vendor -``` - -Store manifests under `/opt/stella/vexer/plugins//manifest/` in -production so the deployment tooling can inventory and verify plug‑ins. - ---- - -## 4. Packaging workflow - -1. `dotnet publish -c Release` → copy the published DLLs to - `/opt/stella/vexer/plugins//`. -2. Place `connector.manifest.yaml` next to the binaries. -3. Restart the Vexer Worker or WebService (hot reload not supported yet). -4. Verify logs: `VEX-ConnectorLoader` should list the connector descriptor. - -### 4.1 Offline kits - -- Add the connector folder (binaries + manifest) to the Offline Kit bundle. -- Include a `settings.sample.yaml` demonstrating offline-friendly defaults. -- Document any external dependencies (e.g., SHA mirrors) in the manifest `notes` - field. 
- ---- - -## 5. Testing checklist - -- Unit tests around options binding & validators. -- Integration tests (future `StellaOps.Vexer.Connectors.Abstractions.Tests`) - verifying deterministic logging scopes: - `logger.BeginScope` should produce `vex.connector.id`, `vex.connector.kind`, - and `vex.connector.operation`. -- Deterministic SHA tests: repeated `CreateRawDocument` calls with identical - content must return the same digest. - ---- - -## 6. Reference template - -See `docs/dev/templates/vexer-connector/` for the full quick‑start including: - -- Sample options class + validator. -- Connector implementation inheriting from `VexConnectorBase`. -- Plugin adapter + manifest. - -Copy the directory, rename namespaces/IDs, then iterate on provider-specific -logic. - ---- - -*Last updated: 2025-10-17* +# Vexer Connector Packaging Guide + +> **Audience:** teams implementing new Vexer provider plug‑ins (CSAF feeds, +> OpenVEX attestations, etc.) +> **Prerequisites:** read `docs/modules/vexer/architecture.md` and the module +> `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`. + +The Vexer connector SDK gives you: + +- `VexConnectorBase` – deterministic logging, SHA‑256 helpers, time provider. +- `VexConnectorOptionsBinder` – strongly typed YAML/JSON configuration binding. +- `IVexConnectorOptionsValidator` – custom validation hooks (offline defaults, auth invariants). +- `VexConnectorDescriptor` & metadata helpers for consistent telemetry. + +This guide explains how to package a connector so the Vexer Worker/WebService +can load it via the plugin host. + +--- + +## 1. Project layout + +Start from the template under +`docs/dev/templates/vexer-connector/`. 
It contains: + +``` +Vexer.MyConnector/ +├── src/ +│ ├── Vexer.MyConnector.csproj +│ ├── MyConnectorOptions.cs +│ ├── MyConnector.cs +│ └── MyConnectorPlugin.cs +└── manifest/ + └── connector.manifest.yaml +``` + +Key points: + +- Target `net10.0`, enable `TreatWarningsAsErrors`, reference the + `StellaOps.Vexer.Connectors.Abstractions` project (or NuGet once published). +- Keep project ID prefix `StellaOps.Vexer.Connectors.` so the + plugin loader can discover it with the default search pattern. + +### 1.1 csproj snippet + +```xml + + + net10.0 + enable + enable + true + + + + + +``` + +Adjust the `ProjectReference` for your checkout (or switch to a NuGet package +once published). + +--- + +## 2. Implement the connector + +1. **Options model** – create an options POCO with data-annotation attributes. + Bind it via `VexConnectorOptionsBinder.Bind` in your connector + constructor or `ValidateAsync`. +2. **Validator** – implement `IVexConnectorOptionsValidator` to add + complex checks (e.g., ensure both `clientId` and `clientSecret` are present). +3. **Connector** – inherit from `VexConnectorBase`. Implement: + - `ValidateAsync` – run binder/validators, log configuration summary. + - `FetchAsync` – stream raw documents to `context.RawSink`. + - `NormalizeAsync` – convert raw documents into `VexClaimBatch` via + format-specific normalizers (`context.Normalizers`). +4. **Plugin adapter** – expose the connector via a plugin entry point so the + host can instantiate it. 
+ +### 2.1 Options binding example + +```csharp +public sealed class MyConnectorOptions +{ + [Required] + [Url] + public string CatalogUri { get; set; } = default!; + + [Required] + public string ApiKey { get; set; } = default!; + + [Range(1, 64)] + public int MaxParallelRequests { get; set; } = 4; +} + +public sealed class MyConnectorOptionsValidator : IVexConnectorOptionsValidator +{ + public void Validate(VexConnectorDescriptor descriptor, MyConnectorOptions options, IList errors) + { + if (!options.CatalogUri.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) + { + errors.Add("CatalogUri must use HTTPS."); + } + } +} +``` + +Bind inside the connector: + +```csharp +private readonly MyConnectorOptions _options; + +public MyConnector(VexConnectorDescriptor descriptor, ILogger logger, TimeProvider timeProvider) + : base(descriptor, logger, timeProvider) +{ + // `settings` comes from the orchestrator; validators registered via DI. + _options = VexConnectorOptionsBinder.Bind( + descriptor, + VexConnectorSettings.Empty, + validators: new[] { new MyConnectorOptionsValidator() }); +} +``` + +Replace `VexConnectorSettings.Empty` with the actual settings from context +inside `ValidateAsync`. + +--- + +## 3. Plugin adapter & manifest + +Create a simple plugin class that implements +`StellaOps.Plugin.IConnectorPlugin`. The Worker/WebService plugin host uses +this contract today. 
+ +```csharp +public sealed class MyConnectorPlugin : IConnectorPlugin +{ + private static readonly VexConnectorDescriptor Descriptor = + new("vexer:my-provider", VexProviderKind.Vendor, "My Provider VEX"); + + public string Name => Descriptor.DisplayName; + + public bool IsAvailable(IServiceProvider services) => true; // inject feature flags if needed + + public IFeedConnector Create(IServiceProvider services) + { + var logger = services.GetRequiredService>(); + var timeProvider = services.GetRequiredService(); + return new MyConnector(Descriptor, logger, timeProvider); + } +} +``` + +> **Note:** the Vexer Worker currently instantiates connectors through the +> shared `IConnectorPlugin` contract. Once a dedicated Vexer plugin interface +> lands you simply swap the base interface; the descriptor/connector code +> remains unchanged. + +Provide a manifest describing the assembly for operational tooling: + +```yaml +# manifest/connector.manifest.yaml +id: vexer-my-provider +assembly: StellaOps.Vexer.Connectors.MyProvider.dll +entryPoint: StellaOps.Vexer.Connectors.MyProvider.MyConnectorPlugin +description: > + Official VEX feed for ExampleCorp products (CSAF JSON, daily updates). +tags: + - vexer + - csaf + - vendor +``` + +Store manifests under `/opt/stella/vexer/plugins//manifest/` in +production so the deployment tooling can inventory and verify plug‑ins. + +--- + +## 4. Packaging workflow + +1. `dotnet publish -c Release` → copy the published DLLs to + `/opt/stella/vexer/plugins//`. +2. Place `connector.manifest.yaml` next to the binaries. +3. Restart the Vexer Worker or WebService (hot reload not supported yet). +4. Verify logs: `VEX-ConnectorLoader` should list the connector descriptor. + +### 4.1 Offline kits + +- Add the connector folder (binaries + manifest) to the Offline Kit bundle. +- Include a `settings.sample.yaml` demonstrating offline-friendly defaults. +- Document any external dependencies (e.g., SHA mirrors) in the manifest `notes` + field. 
+ +--- + +## 5. Testing checklist + +- Unit tests around options binding & validators. +- Integration tests (future `StellaOps.Vexer.Connectors.Abstractions.Tests`) + verifying deterministic logging scopes: + `logger.BeginScope` should produce `vex.connector.id`, `vex.connector.kind`, + and `vex.connector.operation`. +- Deterministic SHA tests: repeated `CreateRawDocument` calls with identical + content must return the same digest. + +--- + +## 6. Reference template + +See `docs/dev/templates/vexer-connector/` for the full quick‑start including: + +- Sample options class + validator. +- Connector implementation inheriting from `VexConnectorBase`. +- Plugin adapter + manifest. + +Copy the directory, rename namespaces/IDs, then iterate on provider-specific +logic. + +--- + +*Last updated: 2025-10-17* diff --git a/docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md b/docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md index ccd83b7f..b6ffb4b7 100644 --- a/docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md +++ b/docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md 
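Review bot: every `-` line in this hunk reappears verbatim as a `+` line (`-*Last updated: 2025-10-17*` / `+*Last updated: 2025-10-17*`), so the rewrite of `docs/dev/30_VEXER_CONNECTOR_GUIDE.md` is a line-ending or whitespace-only change that the subject "Align AOC tasks for Excititor and Concelier" does not mention; move it into a dedicated normalisation commit, with a `.gitattributes` `eol` rule so it does not recur, so reviewers can read the substantive changes with `git diff --ignore-cr-at-eol` and `git blame` on both guides stays useful. While the file is being touched, its prerequisites line points at `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/` but the project layout, csproj note and manifest still use the `StellaOps.Vexer.Connectors.*` prefix and the `/opt/stella/vexer/plugins/` path; the guide should state which prefix the plugin loader's "default search pattern" actually matches, otherwise a connector packaged by following it may never be discovered.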
@@ -1,212 +1,212 @@ -# Authority Plug-in Developer Guide - -> **Status:** Updated 2025-10-11 (AUTHPLUG-DOCS-01-001) with lifecycle + limiter diagrams and refreshed rate-limit guidance aligned to PLG6 acceptance criteria. - -## 1. Overview -Authority plug-ins extend the **StellaOps Authority** service with custom identity providers, credential stores, and client-management logic. Unlike Concelier plug-ins (which ingest or export advisories), Authority plug-ins participate directly in authentication flows: - -- **Use cases:** integrate corporate directories (LDAP/AD)[^ldap-rfc], delegate to external IDPs, enforce bespoke password/lockout policies, or add client provisioning automation. -- **Constraints:** plug-ins load only during service start (no hot-reload), must function without outbound internet access, and must emit deterministic results for identical configuration input. -- **Ship targets:** build against the host’s .NET 10 preview SDK, honour offline-first requirements, and surface actionable diagnostics so operators can triage issues from `/ready`. - -## 2. Architecture Snapshot -Authority hosts follow a deterministic plug-in lifecycle. The exported diagram (`docs/assets/authority/authority-plugin-lifecycle.svg`) mirrors the steps below; regenerate it from the Mermaid source if you update the flow. - -1. **Configuration load** – `AuthorityPluginConfigurationLoader` resolves YAML manifests under `etc/authority.plugins/`. -2. **Assembly discovery** – the shared `PluginHost` scans `StellaOps.Authority.PluginBinaries` for `StellaOps.Authority.Plugin.*.dll` assemblies. -3. **Registrar execution** – each assembly is searched for `IAuthorityPluginRegistrar` implementations. Registrars bind options, register services, and optionally queue bootstrap tasks. -4. **Runtime** – the host resolves `IIdentityProviderPlugin` instances, uses capability metadata to decide which OAuth grants to expose, and invokes health checks for readiness endpoints. 
- -![Authority plug-in lifecycle diagram](../assets/authority/authority-plugin-lifecycle.svg) - -_Source:_ `docs/assets/authority/authority-plugin-lifecycle.mmd` - -**Data persistence primer:** the standard Mongo-backed plugin stores users in collections named `authority_users_` and lockout metadata in embedded documents. Additional plugins must document their storage layout and provide deterministic collection naming to honour the Offline Kit replication process. - -## 3. Capability Metadata -Capability flags let the host reason about what your plug-in supports: - -- Declare capabilities in your descriptor using the string constants from `AuthorityPluginCapabilities` (`password`, `mfa`, `clientProvisioning`, `bootstrap`). The configuration loader now validates these tokens and rejects unknown values at startup. -- `AuthorityIdentityProviderCapabilities.FromCapabilities` projects those strings into strongly typed booleans (`SupportsPassword`, etc.). Authority Core will use these flags when wiring flows such as the password grant. Built-in plugins (e.g., Standard) will fail fast or force-enable required capabilities if the descriptor is misconfigured, so keep manifests accurate. -- Typical configuration (`etc/authority.plugins/standard.yaml`): - ```yaml - plugins: - descriptors: - standard: - assemblyName: "StellaOps.Authority.Plugin.Standard" - capabilities: - - password - - bootstrap - ``` -- Only declare a capability if the plug-in genuinely implements it. For example, if `SupportsClientProvisioning` is `true`, the plug-in must supply a working `IClientProvisioningStore`. - -**Operational reminder:** the Authority host surfaces capability summaries during startup (see `AuthorityIdentityProviderRegistry` log lines). Use those logs during smoke tests to ensure manifests align with expectations. 
- -**Configuration path normalisation:** Manifest-relative paths (e.g., `tokenSigning.keyDirectory: "../keys"`) are resolved against the YAML file location and environment variables are expanded before validation. Plug-ins should expect to receive an absolute, canonical path when options are injected. - -**Password policy guardrails:** The Standard registrar logs a warning when a plug-in weakens the default password policy (minimum length or required character classes). Keep overrides at least as strong as the compiled defaults—operators treat the warning as an actionable security deviation. - -## 4. Project Scaffold -- Target **.NET 10 preview**, enable nullable, treat warnings as errors, and mark Authority plug-ins with `true`. -- Minimum references: - - `StellaOps.Authority.Plugins.Abstractions` (contracts & capability helpers) - - `StellaOps.Plugin` (hosting/DI helpers) - - `StellaOps.Auth.*` libraries as needed for shared token utilities (optional today). -- Example `.csproj` (trimmed from `StellaOps.Authority.Plugin.Standard`): - ```xml - - - net10.0 - enable - true - true - - - - - - - ``` - (Add other references—e.g., MongoDB driver, shared auth libraries—according to your implementation.) - -## 5. Implementing `IAuthorityPluginRegistrar` -- Create a parameterless registrar class that returns your plug-in type name via `PluginType`. -- Use `AuthorityPluginRegistrationContext` to: - - Bind options (`AddOptions(pluginName).Bind(...)`). - - Register singletons for stores/enrichers using manifest metadata. - - Register any hosted bootstrap tasks (e.g., seed admin users). -- Always validate configuration inside `PostConfigure` and throw meaningful `InvalidOperationException` to fail fast during startup. -- Use the provided `ILoggerFactory` from DI; avoid static loggers or console writes. 
-- Example skeleton: - ```csharp - internal sealed class MyPluginRegistrar : IAuthorityPluginRegistrar - { - public string PluginType => "my-custom"; - - public void Register(AuthorityPluginRegistrationContext context) - { - var name = context.Plugin.Manifest.Name; - - context.Services.AddOptions(name) - .Bind(context.Plugin.Configuration) - .PostConfigure(opts => opts.Validate(name)); - - context.Services.AddSingleton(sp => - new MyIdentityProvider(context.Plugin, sp.GetRequiredService(), - sp.GetRequiredService(), - sp.GetRequiredService>())); - } - } - ``` - -## 6. Identity Provider Surface -- Implement `IIdentityProviderPlugin` to expose: - - `IUserCredentialStore` for password validation and user CRUD. - - `IClaimsEnricher` to append roles/attributes onto issued principals. - - Optional `IClientProvisioningStore` for machine-to-machine clients. - - `AuthorityIdentityProviderCapabilities` to advertise supported flows. -- Password guidance: - - Standard plug-in hashes via `ICryptoProvider` using Argon2id by default and emits PHC-compliant strings. Successful PBKDF2 logins trigger automatic rehashes so migrations complete gradually. See `docs/security/password-hashing.md` for tuning advice. - - Enforce password policies before hashing to avoid storing weak credentials. -- Health checks should probe backing stores (e.g., Mongo `ping`) and return `AuthorityPluginHealthResult` so `/ready` can surface issues. -- When supporting additional factors (e.g., TOTP), implement `SupportsMfa` and document the enrolment flow for resource servers. - -## 7. Configuration & Secrets -- Authority looks for manifests under `etc/authority.plugins/`. Each YAML file maps directly to a plug-in name. -- Support environment overrides using `STELLAOPS_AUTHORITY_PLUGINS__DESCRIPTORS____...`. -- Never store raw secrets in git: allow operators to supply them via `.local.yaml`, environment variables, or injected secret files. Document which keys are mandatory. 
-- Validate configuration as soon as the registrar runs; use explicit error messages to guide operators. The Standard plug-in now enforces complete bootstrap credentials (username + password) and positive lockout windows via `StandardPluginOptions.Validate`. -- Cross-reference bootstrap workflows with `docs/modules/authority/operations/bootstrap.md` (to be published alongside CORE6) so operators can reuse the same payload formats for manual provisioning. -- `passwordHashing` inherits defaults from `authority.security.passwordHashing`. Override only when hardware constraints differ per plug-in: - ```yaml - passwordHashing: - algorithm: Argon2id - memorySizeInKib: 19456 - iterations: 2 - parallelism: 1 - ``` - Invalid values (≤0) fail fast during startup, and legacy PBKDF2 hashes rehash automatically once the new algorithm succeeds. - -### 7.1 Token Persistence Contract -- The host automatically persists every issued principal (access, refresh, device, authorization code) in `authority_tokens`. Plug-in code **must not** bypass this store; use the provided `IAuthorityTokenStore` helpers when implementing custom flows. -- When a plug-in disables a subject or client outside the standard handlers, call `IAuthorityTokenStore.UpdateStatusAsync(...)` for each affected token so revocation bundles stay consistent. -- Supply machine-friendly `revokedReason` codes (`compromised`, `rotation`, `policy`, `lifecycle`, etc.) and optional `revokedMetadata` entries when invalidating credentials. These flow straight into `revocation-bundle.json` and should remain deterministic. -- Token scopes should be normalised (trimmed, unique, ordinal sort) before returning from plug-in verification paths. `TokenPersistenceHandlers` will keep that ordering for downstream consumers. - -### 7.2 Claims & Enrichment Checklist -- Authority always sets the OpenID Connect basics: `sub`, `client_id`, `preferred_username`, optional `name`, and `role` (for password flows). 
Plug-ins must use `IClaimsEnricher` to append additional claims in a **deterministic** order (sort arrays, normalise casing) so resource servers can rely on stable shapes. -- Recommended enrichment keys: - - `stellaops.realm` – plug-in/tenant identifier so services can scope policies. - - `stellaops.subject.type` – values such as `human`, `service`, `bootstrap`. - - `groups` / `projects` – sorted arrays describing operator entitlements. -- Claims visible in tokens should mirror what `/token` and `/userinfo` emit. Avoid injecting sensitive PII directly; mark values with `ClassifiedString.Personal` inside the plug-in so audit sinks can tag them appropriately. -- For client-credential flows, remember to enrich both the client principal and the validation path (`TokenValidationHandlers`) so refresh flows keep the same metadata. - -### 7.3 Revocation Bundles & Reasons -- Use `IAuthorityRevocationStore` to record subject/client/token revocations when credentials are deleted or rotated. Stick to the standard categories (`token`, `subject`, `client`, `key`). -- Include a deterministic `reason` string and optional `reasonDescription` so operators understand *why* a subject was revoked when inspecting bundles offline. -- Plug-ins should populate `metadata` with stable keys (e.g., `revokedBy`, `sourcePlugin`, `ticketId`) to simplify SOC correlation. The keys must be lowercase, ASCII, and free of secrets—bundles are mirrored to air-gapped agents. - -## 8. Rate Limiting & Lockout Interplay -Rate limiting and account lockouts are complementary controls. Plug-ins must surface both deterministically so operators can correlate limiter hits with credential rejections. - -**Baseline quotas** (from `docs/dev/authority-rate-limit-tuning-outline.md`): - -| Endpoint | Default policy | Notes | -|----------|----------------|-------| -| `/token` | 30 requests / 60s, queue 0 | Drop to 10/60s for untrusted ranges; raise only with WAF + monitoring. 
| -| `/authorize` | 60 requests / 60s, queue 10 | Reduce carefully; interactive UX depends on headroom. | -| `/internal/*` | Disabled by default; recommended 5/60s when enabled | Keep queue 0 for bootstrap APIs. | - -**Retry metadata:** The middleware stamps `Retry-After` plus tags `authority.client_id`, `authority.remote_ip`, and `authority.endpoint`. Plug-ins should keep these tags intact when crafting responses or telemetry so dashboards remain consistent. - -**Lockout counters:** Treat lockouts as **subject-scoped** decisions. When multiple instances update counters, reuse the deterministic tie-breakers documented in `src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md` (freshness overrides, precedence, and stable hashes) to avoid divergent lockout states across replicas. - -**Alerting hooks:** Emit structured logs/metrics when either the limiter or credential store rejects access. Suggested gauges include `aspnetcore_rate_limiting_rejections_total{limiter="authority-token"}` and any custom `auth.plugins..lockouts_total` counter. - -![Authority rate limit and lockout flow](../assets/authority/authority-rate-limit-flow.svg) - -_Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd` - -## 9. Logging, Metrics, and Diagnostics -- Always log via the injected `ILogger`; include `pluginName` and correlation IDs where available. -- Activity/metric names should align with `AuthorityTelemetry` constants (`service.name=stellaops-authority`). -- Expose additional diagnostics via structured logging rather than writing custom HTTP endpoints; the host will integrate these into `/health` and `/ready`. -- Emit metrics with stable names (`auth.plugins..*`) when introducing custom instrumentation; coordinate with the Observability guild to reserve prefixes. - -## 10. Testing & Tooling -- Unit tests: use Mongo2Go (or similar) to exercise credential stores without hitting production infrastructure (`StandardUserCredentialStoreTests` is a template). 
-- Determinism: fix timestamps to UTC and sort outputs consistently; avoid random GUIDs unless stable. -- Smoke tests: launch `dotnet run --project src/Authority/StellaOps.Authority/StellaOps.Authority` with your plug-in under `StellaOps.Authority.PluginBinaries` and verify `/ready`. -- Example verification snippet: - ```csharp - [Fact] - public async Task VerifyPasswordAsync_ReturnsSuccess() - { - var store = CreateCredentialStore(); - await store.UpsertUserAsync(new AuthorityUserRegistration("alice", "Pa55!", null, null, false, - Array.Empty(), new Dictionary()), CancellationToken.None); - - var result = await store.VerifyPasswordAsync("alice", "Pa55!", CancellationToken.None); - Assert.True(result.Succeeded); - Assert.True(result.User?.Roles.Count == 0); - } - ``` - -## 11. Packaging & Delivery -- Output assembly should follow `StellaOps.Authority.Plugin..dll` so the host’s search pattern picks it up. -- Place the compiled DLL plus dependencies under `StellaOps.Authority.PluginBinaries` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming). -- Document any external prerequisites (e.g., CA cert bundle) in your plug-in README. -- Update `etc/authority.plugins/.yaml` samples and include deterministic SHA256 hashes for optional bootstrap payloads when distributing Offline Kit artefacts. - -[^ldap-rfc]: Lightweight Directory Access Protocol (LDAPv3) specification — [RFC 4511](https://datatracker.ietf.org/doc/html/rfc4511). - -## 12. Checklist & Handoff -- ✅ Capabilities declared and validated in automated tests. -- ✅ Bootstrap workflows documented (if `bootstrap` capability used) and repeatable. -- ✅ Local smoke test + unit/integration suites green (`dotnet test`). -- ✅ Operational docs updated: configuration keys, secrets guidance, troubleshooting. -- Submit the developer guide update referencing PLG6/DOC4 and tag DevEx + Docs reviewers for sign-off. 
- ---- -Mermaid sources for the embedded diagrams live under `docs/assets/authority/`. Regenerate the SVG assets with your preferred renderer before committing future updates so the visuals stay in sync with the `.mmd` definitions. +# Authority Plug-in Developer Guide + +> **Status:** Updated 2025-10-11 (AUTHPLUG-DOCS-01-001) with lifecycle + limiter diagrams and refreshed rate-limit guidance aligned to PLG6 acceptance criteria. + +## 1. Overview +Authority plug-ins extend the **StellaOps Authority** service with custom identity providers, credential stores, and client-management logic. Unlike Concelier plug-ins (which ingest or export advisories), Authority plug-ins participate directly in authentication flows: + +- **Use cases:** integrate corporate directories (LDAP/AD)[^ldap-rfc], delegate to external IDPs, enforce bespoke password/lockout policies, or add client provisioning automation. +- **Constraints:** plug-ins load only during service start (no hot-reload), must function without outbound internet access, and must emit deterministic results for identical configuration input. +- **Ship targets:** build against the host’s .NET 10 preview SDK, honour offline-first requirements, and surface actionable diagnostics so operators can triage issues from `/ready`. + +## 2. Architecture Snapshot +Authority hosts follow a deterministic plug-in lifecycle. The exported diagram (`docs/assets/authority/authority-plugin-lifecycle.svg`) mirrors the steps below; regenerate it from the Mermaid source if you update the flow. + +1. **Configuration load** – `AuthorityPluginConfigurationLoader` resolves YAML manifests under `etc/authority.plugins/`. +2. **Assembly discovery** – the shared `PluginHost` scans `StellaOps.Authority.PluginBinaries` for `StellaOps.Authority.Plugin.*.dll` assemblies. +3. **Registrar execution** – each assembly is searched for `IAuthorityPluginRegistrar` implementations. Registrars bind options, register services, and optionally queue bootstrap tasks. 
+4. **Runtime** – the host resolves `IIdentityProviderPlugin` instances, uses capability metadata to decide which OAuth grants to expose, and invokes health checks for readiness endpoints. + +![Authority plug-in lifecycle diagram](../assets/authority/authority-plugin-lifecycle.svg) + +_Source:_ `docs/assets/authority/authority-plugin-lifecycle.mmd` + +**Data persistence primer:** the standard Mongo-backed plugin stores users in collections named `authority_users_` and lockout metadata in embedded documents. Additional plugins must document their storage layout and provide deterministic collection naming to honour the Offline Kit replication process. + +## 3. Capability Metadata +Capability flags let the host reason about what your plug-in supports: + +- Declare capabilities in your descriptor using the string constants from `AuthorityPluginCapabilities` (`password`, `mfa`, `clientProvisioning`, `bootstrap`). The configuration loader now validates these tokens and rejects unknown values at startup. +- `AuthorityIdentityProviderCapabilities.FromCapabilities` projects those strings into strongly typed booleans (`SupportsPassword`, etc.). Authority Core will use these flags when wiring flows such as the password grant. Built-in plugins (e.g., Standard) will fail fast or force-enable required capabilities if the descriptor is misconfigured, so keep manifests accurate. +- Typical configuration (`etc/authority.plugins/standard.yaml`): + ```yaml + plugins: + descriptors: + standard: + assemblyName: "StellaOps.Authority.Plugin.Standard" + capabilities: + - password + - bootstrap + ``` +- Only declare a capability if the plug-in genuinely implements it. For example, if `SupportsClientProvisioning` is `true`, the plug-in must supply a working `IClientProvisioningStore`. + +**Operational reminder:** the Authority host surfaces capability summaries during startup (see `AuthorityIdentityProviderRegistry` log lines). 
Use those logs during smoke tests to ensure manifests align with expectations. + +**Configuration path normalisation:** Manifest-relative paths (e.g., `tokenSigning.keyDirectory: "../keys"`) are resolved against the YAML file location and environment variables are expanded before validation. Plug-ins should expect to receive an absolute, canonical path when options are injected. + +**Password policy guardrails:** The Standard registrar logs a warning when a plug-in weakens the default password policy (minimum length or required character classes). Keep overrides at least as strong as the compiled defaults—operators treat the warning as an actionable security deviation. + +## 4. Project Scaffold +- Target **.NET 10 preview**, enable nullable, treat warnings as errors, and mark Authority plug-ins with `true`. +- Minimum references: + - `StellaOps.Authority.Plugins.Abstractions` (contracts & capability helpers) + - `StellaOps.Plugin` (hosting/DI helpers) + - `StellaOps.Auth.*` libraries as needed for shared token utilities (optional today). +- Example `.csproj` (trimmed from `StellaOps.Authority.Plugin.Standard`): + ```xml + + + net10.0 + enable + true + true + + + + + + + ``` + (Add other references—e.g., MongoDB driver, shared auth libraries—according to your implementation.) + +## 5. Implementing `IAuthorityPluginRegistrar` +- Create a parameterless registrar class that returns your plug-in type name via `PluginType`. +- Use `AuthorityPluginRegistrationContext` to: + - Bind options (`AddOptions(pluginName).Bind(...)`). + - Register singletons for stores/enrichers using manifest metadata. + - Register any hosted bootstrap tasks (e.g., seed admin users). +- Always validate configuration inside `PostConfigure` and throw meaningful `InvalidOperationException` to fail fast during startup. +- Use the provided `ILoggerFactory` from DI; avoid static loggers or console writes. 
+- Example skeleton: + ```csharp + internal sealed class MyPluginRegistrar : IAuthorityPluginRegistrar + { + public string PluginType => "my-custom"; + + public void Register(AuthorityPluginRegistrationContext context) + { + var name = context.Plugin.Manifest.Name; + + context.Services.AddOptions(name) + .Bind(context.Plugin.Configuration) + .PostConfigure(opts => opts.Validate(name)); + + context.Services.AddSingleton(sp => + new MyIdentityProvider(context.Plugin, sp.GetRequiredService(), + sp.GetRequiredService(), + sp.GetRequiredService>())); + } + } + ``` + +## 6. Identity Provider Surface +- Implement `IIdentityProviderPlugin` to expose: + - `IUserCredentialStore` for password validation and user CRUD. + - `IClaimsEnricher` to append roles/attributes onto issued principals. + - Optional `IClientProvisioningStore` for machine-to-machine clients. + - `AuthorityIdentityProviderCapabilities` to advertise supported flows. +- Password guidance: + - Standard plug-in hashes via `ICryptoProvider` using Argon2id by default and emits PHC-compliant strings. Successful PBKDF2 logins trigger automatic rehashes so migrations complete gradually. See `docs/security/password-hashing.md` for tuning advice. + - Enforce password policies before hashing to avoid storing weak credentials. +- Health checks should probe backing stores (e.g., Mongo `ping`) and return `AuthorityPluginHealthResult` so `/ready` can surface issues. +- When supporting additional factors (e.g., TOTP), implement `SupportsMfa` and document the enrolment flow for resource servers. + +## 7. Configuration & Secrets +- Authority looks for manifests under `etc/authority.plugins/`. Each YAML file maps directly to a plug-in name. +- Support environment overrides using `STELLAOPS_AUTHORITY_PLUGINS__DESCRIPTORS____...`. +- Never store raw secrets in git: allow operators to supply them via `.local.yaml`, environment variables, or injected secret files. Document which keys are mandatory. 
+- Validate configuration as soon as the registrar runs; use explicit error messages to guide operators. The Standard plug-in now enforces complete bootstrap credentials (username + password) and positive lockout windows via `StandardPluginOptions.Validate`. +- Cross-reference bootstrap workflows with `docs/modules/authority/operations/bootstrap.md` (to be published alongside CORE6) so operators can reuse the same payload formats for manual provisioning. +- `passwordHashing` inherits defaults from `authority.security.passwordHashing`. Override only when hardware constraints differ per plug-in: + ```yaml + passwordHashing: + algorithm: Argon2id + memorySizeInKib: 19456 + iterations: 2 + parallelism: 1 + ``` + Invalid values (≤0) fail fast during startup, and legacy PBKDF2 hashes rehash automatically once the new algorithm succeeds. + +### 7.1 Token Persistence Contract +- The host automatically persists every issued principal (access, refresh, device, authorization code) in `authority_tokens`. Plug-in code **must not** bypass this store; use the provided `IAuthorityTokenStore` helpers when implementing custom flows. +- When a plug-in disables a subject or client outside the standard handlers, call `IAuthorityTokenStore.UpdateStatusAsync(...)` for each affected token so revocation bundles stay consistent. +- Supply machine-friendly `revokedReason` codes (`compromised`, `rotation`, `policy`, `lifecycle`, etc.) and optional `revokedMetadata` entries when invalidating credentials. These flow straight into `revocation-bundle.json` and should remain deterministic. +- Token scopes should be normalised (trimmed, unique, ordinal sort) before returning from plug-in verification paths. `TokenPersistenceHandlers` will keep that ordering for downstream consumers. + +### 7.2 Claims & Enrichment Checklist +- Authority always sets the OpenID Connect basics: `sub`, `client_id`, `preferred_username`, optional `name`, and `role` (for password flows). 
Plug-ins must use `IClaimsEnricher` to append additional claims in a **deterministic** order (sort arrays, normalise casing) so resource servers can rely on stable shapes. +- Recommended enrichment keys: + - `stellaops.realm` – plug-in/tenant identifier so services can scope policies. + - `stellaops.subject.type` – values such as `human`, `service`, `bootstrap`. + - `groups` / `projects` – sorted arrays describing operator entitlements. +- Claims visible in tokens should mirror what `/token` and `/userinfo` emit. Avoid injecting sensitive PII directly; mark values with `ClassifiedString.Personal` inside the plug-in so audit sinks can tag them appropriately. +- For client-credential flows, remember to enrich both the client principal and the validation path (`TokenValidationHandlers`) so refresh flows keep the same metadata. + +### 7.3 Revocation Bundles & Reasons +- Use `IAuthorityRevocationStore` to record subject/client/token revocations when credentials are deleted or rotated. Stick to the standard categories (`token`, `subject`, `client`, `key`). +- Include a deterministic `reason` string and optional `reasonDescription` so operators understand *why* a subject was revoked when inspecting bundles offline. +- Plug-ins should populate `metadata` with stable keys (e.g., `revokedBy`, `sourcePlugin`, `ticketId`) to simplify SOC correlation. The keys must be lowercase, ASCII, and free of secrets—bundles are mirrored to air-gapped agents. + +## 8. Rate Limiting & Lockout Interplay +Rate limiting and account lockouts are complementary controls. Plug-ins must surface both deterministically so operators can correlate limiter hits with credential rejections. + +**Baseline quotas** (from `docs/dev/authority-rate-limit-tuning-outline.md`): + +| Endpoint | Default policy | Notes | +|----------|----------------|-------| +| `/token` | 30 requests / 60s, queue 0 | Drop to 10/60s for untrusted ranges; raise only with WAF + monitoring. 
| +| `/authorize` | 60 requests / 60s, queue 10 | Reduce carefully; interactive UX depends on headroom. | +| `/internal/*` | Disabled by default; recommended 5/60s when enabled | Keep queue 0 for bootstrap APIs. | + +**Retry metadata:** The middleware stamps `Retry-After` plus tags `authority.client_id`, `authority.remote_ip`, and `authority.endpoint`. Plug-ins should keep these tags intact when crafting responses or telemetry so dashboards remain consistent. + +**Lockout counters:** Treat lockouts as **subject-scoped** decisions. When multiple instances update counters, reuse the deterministic tie-breakers documented in `src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md` (freshness overrides, precedence, and stable hashes) to avoid divergent lockout states across replicas. + +**Alerting hooks:** Emit structured logs/metrics when either the limiter or credential store rejects access. Suggested gauges include `aspnetcore_rate_limiting_rejections_total{limiter="authority-token"}` and any custom `auth.plugins..lockouts_total` counter. + +![Authority rate limit and lockout flow](../assets/authority/authority-rate-limit-flow.svg) + +_Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd` + +## 9. Logging, Metrics, and Diagnostics +- Always log via the injected `ILogger`; include `pluginName` and correlation IDs where available. +- Activity/metric names should align with `AuthorityTelemetry` constants (`service.name=stellaops-authority`). +- Expose additional diagnostics via structured logging rather than writing custom HTTP endpoints; the host will integrate these into `/health` and `/ready`. +- Emit metrics with stable names (`auth.plugins..*`) when introducing custom instrumentation; coordinate with the Observability guild to reserve prefixes. + +## 10. Testing & Tooling +- Unit tests: use Mongo2Go (or similar) to exercise credential stores without hitting production infrastructure (`StandardUserCredentialStoreTests` is a template). 
+- Determinism: fix timestamps to UTC and sort outputs consistently; avoid random GUIDs unless stable. +- Smoke tests: launch `dotnet run --project src/Authority/StellaOps.Authority/StellaOps.Authority` with your plug-in under `StellaOps.Authority.PluginBinaries` and verify `/ready`. +- Example verification snippet: + ```csharp + [Fact] + public async Task VerifyPasswordAsync_ReturnsSuccess() + { + var store = CreateCredentialStore(); + await store.UpsertUserAsync(new AuthorityUserRegistration("alice", "Pa55!", null, null, false, + Array.Empty(), new Dictionary()), CancellationToken.None); + + var result = await store.VerifyPasswordAsync("alice", "Pa55!", CancellationToken.None); + Assert.True(result.Succeeded); + Assert.True(result.User?.Roles.Count == 0); + } + ``` + +## 11. Packaging & Delivery +- Output assembly should follow `StellaOps.Authority.Plugin..dll` so the host’s search pattern picks it up. +- Place the compiled DLL plus dependencies under `StellaOps.Authority.PluginBinaries` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming). +- Document any external prerequisites (e.g., CA cert bundle) in your plug-in README. +- Update `etc/authority.plugins/.yaml` samples and include deterministic SHA256 hashes for optional bootstrap payloads when distributing Offline Kit artefacts. + +[^ldap-rfc]: Lightweight Directory Access Protocol (LDAPv3) specification — [RFC 4511](https://datatracker.ietf.org/doc/html/rfc4511). + +## 12. Checklist & Handoff +- ✅ Capabilities declared and validated in automated tests. +- ✅ Bootstrap workflows documented (if `bootstrap` capability used) and repeatable. +- ✅ Local smoke test + unit/integration suites green (`dotnet test`). +- ✅ Operational docs updated: configuration keys, secrets guidance, troubleshooting. +- Submit the developer guide update referencing PLG6/DOC4 and tag DevEx + Docs reviewers for sign-off. 
+ +--- +Mermaid sources for the embedded diagrams live under `docs/assets/authority/`. Regenerate the SVG assets with your preferred renderer before committing future updates so the visuals stay in sync with the `.mmd` definitions. diff --git a/docs/dev/BUILDX_PLUGIN_QUICKSTART.md b/docs/dev/BUILDX_PLUGIN_QUICKSTART.md index 4ede203b..95cf6042 100644 --- a/docs/dev/BUILDX_PLUGIN_QUICKSTART.md +++ b/docs/dev/BUILDX_PLUGIN_QUICKSTART.md 
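Review bot: the C# registrar skeleton in section 5 and the xUnit snippet in section 10 have lost their generic type arguments (`context.Services.AddOptions(name)`, `sp.GetRequiredService()`, `sp.GetRequiredService>()`, `Array.Empty()`, `new Dictionary()`), so neither compiles as written, and the same stripping left an empty segment in the prose placeholders `auth.plugins..lockouts_total`, `StellaOps.Authority.Plugin..dll`, `etc/authority.plugins/.yaml` and `STELLAOPS_AUTHORITY_PLUGINS__DESCRIPTORS____...`. It looks like angle-bracket placeholders and type parameters were dropped when the file was rewritten; please restore them and keep the prose placeholders inside backticks so markdown does not swallow them again. Minor: `Assert.True(result.User?.Roles.Count == 0)` in the verification snippet reads better as `Assert.Empty(...)`, which also reports the actual contents on failure.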
@@ -1,119 +1,119 @@ -# BuildX Generator Quickstart - -This quickstart explains how to run the StellaOps **BuildX SBOM generator** offline, verify the CAS handshake, and emit OCI descriptors that downstream services can attest. - -## 1. Prerequisites - -- Docker 25+ with BuildKit enabled (`docker buildx` available). -- .NET 10 (preview) SDK matching the repository `global.json`. -- Optional: network access to a StellaOps Attestor endpoint (the quickstart uses a mock service). - -## 2. Publish the plug-in binaries - -The BuildX generator publishes as a .NET self-contained executable with its manifest under `plugins/scanner/buildx/`. - -```bash -# From the repository root -DOTNET_CLI_HOME="${PWD}/.dotnet" \ -dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \ - -c Release \ - -o out/buildx -``` - -- `out/buildx/` now contains `StellaOps.Scanner.Sbomer.BuildXPlugin.dll` and the manifest `stellaops.sbom-indexer.manifest.json`. -- `plugins/scanner/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin/` receives the same artefacts for release packaging. -- The CI pipeline also tars and signs (SHA-256 manifest) the OS analyzer plug-ins located under - `plugins/scanner/analyzers/os/` so they ship alongside the BuildX generator artefacts. - -## 3. Verify the CAS handshake - -```bash -dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \ - --manifest out/buildx \ - --cas out/cas -``` - -The command performs a deterministic probe write (`sha256`) into the provided CAS directory and prints the resolved path. - -## 4. Emit a descriptor + provenance placeholder - -1. Build or identify the image you want to describe and capture its digest: - - ```bash - docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo - DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}') - ``` - -2. 
Generate a CycloneDX SBOM for the built image (any tool works; here we use `docker sbom`): - - ```bash - docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json - ``` - -3. Invoke the `descriptor` command, pointing at the SBOM file and optional metadata: - - ```bash - dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \ - --manifest out/buildx \ - --image "$DIGEST" \ - --sbom out/buildx-sbom.cdx.json \ - --sbom-name buildx-sbom.cdx.json \ - --artifact-type application/vnd.stellaops.sbom.layer+json \ - --sbom-format cyclonedx-json \ - --sbom-kind inventory \ - --repository git.stella-ops.org/stellaops/buildx-demo \ - --build-ref $(git rev-parse HEAD) \ - > out/buildx-descriptor.json - ``` - -The output JSON captures: - -- OCI artifact descriptor including size, digest, and annotations (`org.stellaops.*`). -- Provenance placeholder (`expectedDsseSha256`, `nonce`, `attestorUri` when provided). `nonce` is derived deterministically from the image + SBOM metadata so repeated runs produce identical placeholders for identical inputs. -- Generator metadata and deterministic timestamps. - -## 5. (Optional) Send the placeholder to an Attestor - -The plug-in can POST the descriptor metadata to an Attestor endpoint, returning once it receives an HTTP 202. - -```bash -python3 - <<'PY' & -from http.server import BaseHTTPRequestHandler, HTTPServer -class Handler(BaseHTTPRequestHandler): - def do_POST(self): - _ = self.rfile.read(int(self.headers.get('Content-Length', 0))) - self.send_response(202); self.end_headers(); self.wfile.write(b'accepted') - def log_message(self, fmt, *args): - return -server = HTTPServer(('127.0.0.1', 8085), Handler) -try: - server.serve_forever() -except KeyboardInterrupt: - pass -finally: - server.server_close() -PY -MOCK_PID=$! 
- -dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \ - --manifest out/buildx \ - --image "$DIGEST" \ - --sbom out/buildx-sbom.cdx.json \ - --attestor http://127.0.0.1:8085/provenance \ - --attestor-token "$STELLAOPS_ATTESTOR_TOKEN" \ - > out/buildx-descriptor.json - -kill $MOCK_PID -``` - -Set `STELLAOPS_ATTESTOR_TOKEN` (or pass `--attestor-token`) when the Attestor requires bearer authentication. Use `--attestor-insecure` for lab environments with self-signed certificates. - -## 6. CI workflow example - -A reusable GitHub Actions workflow is provided under `samples/ci/buildx-demo/github-actions-buildx-demo.yml`. It publishes the plug-in, runs the handshake, builds the demo image, emits a descriptor, and uploads both the descriptor and the mock-Attestor request as artefacts. - -Add the workflow to your repository (or call it via `workflow_call`) and adjust the SBOM path + Attestor URL as needed. The workflow also re-runs the `descriptor` command and diffs the results (ignoring the `generatedAt` timestamp) so you catch regressions that would break deterministic CI use. - ---- - -For deeper integration guidance (custom SBOM builders, exporting DSSE bundles), track ADRs in `docs/modules/scanner/architecture.md` §7 and follow upcoming Attestor API releases. +# BuildX Generator Quickstart + +This quickstart explains how to run the StellaOps **BuildX SBOM generator** offline, verify the CAS handshake, and emit OCI descriptors that downstream services can attest. + +## 1. Prerequisites + +- Docker 25+ with BuildKit enabled (`docker buildx` available). +- .NET 10 (preview) SDK matching the repository `global.json`. +- Optional: network access to a StellaOps Attestor endpoint (the quickstart uses a mock service). + +## 2. Publish the plug-in binaries + +The BuildX generator publishes as a .NET self-contained executable with its manifest under `plugins/scanner/buildx/`. 
+ +```bash +# From the repository root +DOTNET_CLI_HOME="${PWD}/.dotnet" \ +dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \ + -c Release \ + -o out/buildx +``` + +- `out/buildx/` now contains `StellaOps.Scanner.Sbomer.BuildXPlugin.dll` and the manifest `stellaops.sbom-indexer.manifest.json`. +- `plugins/scanner/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin/` receives the same artefacts for release packaging. +- The CI pipeline also tars and signs (SHA-256 manifest) the OS analyzer plug-ins located under + `plugins/scanner/analyzers/os/` so they ship alongside the BuildX generator artefacts. + +## 3. Verify the CAS handshake + +```bash +dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \ + --manifest out/buildx \ + --cas out/cas +``` + +The command performs a deterministic probe write (`sha256`) into the provided CAS directory and prints the resolved path. + +## 4. Emit a descriptor + provenance placeholder + +1. Build or identify the image you want to describe and capture its digest: + + ```bash + docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo + DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}') + ``` + +2. Generate a CycloneDX SBOM for the built image (any tool works; here we use `docker sbom`): + + ```bash + docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json + ``` + +3. 
Invoke the `descriptor` command, pointing at the SBOM file and optional metadata: + + ```bash + dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \ + --manifest out/buildx \ + --image "$DIGEST" \ + --sbom out/buildx-sbom.cdx.json \ + --sbom-name buildx-sbom.cdx.json \ + --artifact-type application/vnd.stellaops.sbom.layer+json \ + --sbom-format cyclonedx-json \ + --sbom-kind inventory \ + --repository git.stella-ops.org/stellaops/buildx-demo \ + --build-ref $(git rev-parse HEAD) \ + > out/buildx-descriptor.json + ``` + +The output JSON captures: + +- OCI artifact descriptor including size, digest, and annotations (`org.stellaops.*`). +- Provenance placeholder (`expectedDsseSha256`, `nonce`, `attestorUri` when provided). `nonce` is derived deterministically from the image + SBOM metadata so repeated runs produce identical placeholders for identical inputs. +- Generator metadata and deterministic timestamps. + +## 5. (Optional) Send the placeholder to an Attestor + +The plug-in can POST the descriptor metadata to an Attestor endpoint, returning once it receives an HTTP 202. + +```bash +python3 - <<'PY' & +from http.server import BaseHTTPRequestHandler, HTTPServer +class Handler(BaseHTTPRequestHandler): + def do_POST(self): + _ = self.rfile.read(int(self.headers.get('Content-Length', 0))) + self.send_response(202); self.end_headers(); self.wfile.write(b'accepted') + def log_message(self, fmt, *args): + return +server = HTTPServer(('127.0.0.1', 8085), Handler) +try: + server.serve_forever() +except KeyboardInterrupt: + pass +finally: + server.server_close() +PY +MOCK_PID=$! 
+ +dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \ + --manifest out/buildx \ + --image "$DIGEST" \ + --sbom out/buildx-sbom.cdx.json \ + --attestor http://127.0.0.1:8085/provenance \ + --attestor-token "$STELLAOPS_ATTESTOR_TOKEN" \ + > out/buildx-descriptor.json + +kill $MOCK_PID +``` + +Set `STELLAOPS_ATTESTOR_TOKEN` (or pass `--attestor-token`) when the Attestor requires bearer authentication. Use `--attestor-insecure` for lab environments with self-signed certificates. + +## 6. CI workflow example + +A reusable GitHub Actions workflow is provided under `samples/ci/buildx-demo/github-actions-buildx-demo.yml`. It publishes the plug-in, runs the handshake, builds the demo image, emits a descriptor, and uploads both the descriptor and the mock-Attestor request as artefacts. + +Add the workflow to your repository (or call it via `workflow_call`) and adjust the SBOM path + Attestor URL as needed. The workflow also re-runs the `descriptor` command and diffs the results (ignoring the `generatedAt` timestamp) so you catch regressions that would break deterministic CI use. + +--- + +For deeper integration guidance (custom SBOM builders, exporting DSSE bundles), track ADRs in `docs/modules/scanner/architecture.md` §7 and follow upcoming Attestor API releases. diff --git a/docs/dev/aoc-normalization-removal-notes.md b/docs/dev/aoc-normalization-removal-notes.md index 516c142f..40b2b7b9 100644 --- a/docs/dev/aoc-normalization-removal-notes.md +++ b/docs/dev/aoc-normalization-removal-notes.md 
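Review bot: every one of the 119 lines in this hunk is removed and re-added with identical content (the `-` and `+` halves of the quickstart match word for word), so the change is whitespace or line-ending only and should either be dropped from this commit or landed separately with a `.gitattributes` `text=auto` rule; otherwise `git blame` on the whole file points at a line-ending commit rather than at the AOC alignment the subject line describes. While the file is open: section 5 shows the bearer token passed as `--attestor-token "$STELLAOPS_ATTESTOR_TOKEN"` on the command line, where it is visible in process listings and shell history, and the text already states that setting the environment variable alone is sufficient, so prefer showing the env-var form and mention `--attestor-token` only as the alternative. The `--build-ref $(git rev-parse HEAD)` argument in step 3 should also be quoted like the surrounding arguments.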
@@ -1,21 +1,21 @@ -# AOC Normalization Removal Notes - -_Last updated: 2025-10-29_ - -## Goal - -Document follow-up actions for CONCELIER-CORE-AOC-19-004 as we unwind the final pieces of normalization from the ingestion/runtime path. - -## Current Findings - -- `AdvisoryRawService` and `MongoAdvisoryRawRepository` already preserve upstream ordering and duplicate aliases (trim-only). No additional code changes required there. -- Observation layers (`AdvisoryObservationFactory`, `AdvisoryObservationQueryService`) still canonicalise aliases, PURLs, CPEs, and references. These need to be relaxed so Policy/overlays receive raw linksets and can own dedupe logic. -- Linkset mapper continues to emit deterministic hints. We will keep the mapper but ensure observation output can surface both raw and canonical views for downstream services. - -## Next Steps - -1. Introduce a raw linkset projection alongside the existing canonical mapper so Policy Engine can choose which flavour to consume. -2. Update observation factory/query tests to assert duplicate handling and ordering with the relaxed projection. +# AOC Normalization Removal Notes + +_Last updated: 2025-10-29_ + +## Goal + +Document follow-up actions for CONCELIER-CORE-AOC-19-004 as we unwind the final pieces of normalization from the ingestion/runtime path. + +## Current Findings + +- `AdvisoryRawService` and `MongoAdvisoryRawRepository` already preserve upstream ordering and duplicate aliases (trim-only). No additional code changes required there. +- Observation layers (`AdvisoryObservationFactory`, `AdvisoryObservationQueryService`) still canonicalise aliases, PURLs, CPEs, and references. These need to be relaxed so Policy/overlays receive raw linksets and can own dedupe logic. +- Linkset mapper continues to emit deterministic hints. We will keep the mapper but ensure observation output can surface both raw and canonical views for downstream services. + +## Next Steps + +1. 
Introduce a raw linkset projection alongside the existing canonical mapper so Policy Engine can choose which flavour to consume. ✅ 2025-10-31: `AdvisoryObservation` now surfaces `RawLinkset`; Mongo documents store both canonical & raw shapes; tests/goldens updated. +2. Update observation factory/query tests to assert duplicate handling and ordering with the relaxed projection. ✅ 2025-10-31. 3. Refresh docs (`docs/ingestion/aggregation-only-contract.md`) once behaviour lands to explain the “raw vs canonical linkset” split. -4. Coordinate with Policy Guild to validate consumers against the new raw projection before flipping defaults. - +4. Coordinate with Policy Guild to validate consumers against the new raw projection before flipping defaults. ↺ Ongoing — see action items in `docs/dev/raw-linkset-backfill-plan.md` (2025-10-31 handshake with POLICY-ENGINE-20-003 owners). + diff --git a/docs/dev/authority-dpop-mtls-plan.md b/docs/dev/authority-dpop-mtls-plan.md index 6f211db9..f8a6efe0 100644 --- a/docs/dev/authority-dpop-mtls-plan.md +++ b/docs/dev/authority-dpop-mtls-plan.md 
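Review bot: the substantive change in this hunk is limited to the status annotations on steps 1, 2 and 4 of Next Steps (✅ 2025-10-31 for `RawLinkset` on `AdvisoryObservation` and the Mongo canonical/raw shapes, ✅ 2025-10-31 for the test updates, ↺ Ongoing with a pointer to `docs/dev/raw-linkset-backfill-plan.md`); the remaining lines are re-added unchanged, which again suggests a line-ending rewrite masking a three-line edit. Two follow-ups: the `_Last updated: 2025-10-29_` line is kept even though the content now records 2025-10-31 events, so bump it; and step 4's reference to `docs/dev/raw-linkset-backfill-plan.md` depends on that new file landing in the same commit (it is in the diffstat), so keep the two together if this patch is split.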
@@ -1,146 +1,146 @@ -# Authority DPoP & mTLS Implementation Plan (2025-10-19) - -## Purpose -- Provide the implementation blueprint for AUTH-DPOP-11-001 and AUTH-MTLS-11-002. -- Unify sender-constraint validation across Authority, downstream services, and clients. -- Capture deterministic, testable steps that unblock UI/Signer guilds depending on DPoP/mTLS hardening. - -## Scope -- Token endpoint validation, issuance, and storage changes inside `StellaOps.Authority`. -- Shared security primitives consumed by Authority, Scanner, Signer, CLI, and UI. -- Operator-facing configuration, auditing, and observability. -- Out of scope: PoE enforcement (Signer) and CLI/UI client UX; those teams consume the new capabilities. - -> **Status update (2025-10-19):** `ValidateDpopProofHandler`, `AuthorityClientCertificateValidator`, and the supporting storage/audit plumbing now live in `src/Authority/StellaOps.Authority`. DPoP proofs populate `cnf.jkt`, mTLS bindings enforce certificate thumbprints via `cnf.x5t#S256`, and token documents persist the sender constraint metadata. In-memory nonce issuance is wired (Redis implementation to follow). Documentation and configuration references were updated (`docs/11_AUTHORITY.md`). Targeted unit/integration tests were added; running the broader test suite is currently blocked by pre-existing `StellaOps.Concelier.Storage.Mongo` build errors. -> -> **Status update (2025-10-20):** Redis-backed nonce configuration is exposed through `security.senderConstraints.dpop.nonce` with sample YAML (`etc/authority.yaml.sample`) and architecture docs refreshed. Operator guide now includes concrete Redis/required audiences snippet; nonce challenge regression remains covered by `ValidateDpopProof_IssuesNonceChallenge_WhenNonceMissing`. -> -> **Status update (2025-10-23):** mTLS enforcement now honours `security.senderConstraints.mtls.enforceForAudiences`, automatically rejecting non-mTLS clients targeting audiences such as `signer`. 
Certificate bindings validate thumbprint, issuer, subject, serial number, and SAN values, producing deterministic error codes for operators. Introspection responses include `cnf.x5t#S256`, and new unit tests cover audience enforcement, binding mismatches, and bootstrap storage. Docs/sample config updated accordingly. - -## Design Summary -- Extract the existing Scanner `DpopProofValidator` stack into a shared `StellaOps.Auth.Security` library used by Authority and resource servers. -- Extend Authority configuration (`authority.yaml`) with strongly-typed `senderConstraints.dpop` and `senderConstraints.mtls` sections (map to sample already shown in architecture doc). -- Require DPoP proofs on `/token` when the registered client policy is `senderConstraint=dpop`; bind issued access tokens via `cnf.jkt`. -- Introduce Authority-managed nonce issuance for “high value” audiences (default: `signer`, `attestor`) with Redis-backed persistence and deterministic auditing. -- Enable OAuth 2.0 mTLS (RFC 8705) by storing certificate bindings per client, requesting client certificates at TLS termination, and stamping `cnf.x5t#S256` into issued tokens plus introspection output. -- Surface structured logs and counters for both DPoP and mTLS flows; provide integration tests that cover success, replay, invalid proof, and certificate mismatch cases. - -## AUTH-DPOP-11-001 — Proof Validation & Nonce Handling - -**Shared validator** -- Move `DpopProofValidator`, option types, and replay cache interfaces from `StellaOps.Scanner.Core` into a new assembly `StellaOps.Auth.Security`. -- Provide pluggable caches: `InMemoryDpopReplayCache` (existing) and new `RedisDpopReplayCache` (leveraging the Authority Redis connection). -- Ensure the validator exposes the validated `SecurityKey`, `jti`, and `iat` so Authority can construct the `cnf` claim and compute nonce expiry. 
- -**Configuration model** -- Extend `StellaOpsAuthorityOptions.Security` with a `SenderConstraints` property containing: - - `Dpop` (`enabled`, `allowedAlgorithms`, `maxAgeSeconds`, `clockSkewSeconds`, `replayWindowSeconds`, `nonce` settings with `enabled`, `ttlSeconds`, `requiredAudiences`, `maxIssuancePerMinute`). - - `Mtls` (`enabled`, `requireChainValidation`, `clientCaBundle`, `allowedSubjectPatterns`, `allowedSanTypes`). -- Bind from YAML (`authority.security.senderConstraints.*`) while preserving backwards compatibility (defaults keep both disabled). - -**Token endpoint pipeline** -- Introduce a scoped OpenIddict handler `ValidateDpopProofHandler` inserted before `ValidateClientCredentialsHandler`. -- Determine the required sender constraint from client metadata: - - Add `AuthorityClientMetadataKeys.SenderConstraint` storing `dpop` or `mtls`. - - Optionally allow per-client overrides for nonce requirement. -- When `dpop` is required: - - Read the `DPoP` header from the ASP.NET request, reject with `invalid_token` + `WWW-Authenticate: DPoP error="invalid_dpop_proof"` if absent. - - Call the shared validator with method/URI. Enforce algorithm allowlist and `iat` window from options. - - Persist the `jkt` thumbprint plus replay cache state in the OpenIddict transaction (`AuthorityOpenIddictConstants.DpopKeyThumbprintProperty`, `DpopIssuedAtProperty`). - - When the requested audience intersects `SenderConstraints.Dpop.Nonce.RequiredAudiences`, require `nonce` in the proof; on first failure respond with HTTP 401, `error="use_dpop_nonce"`, and include `DPoP-Nonce` header (see nonce note below). Cache the rejection reason for audit logging. - -**Nonce service** -- Add `IDpopNonceStore` with methods `IssueAsync(audience, clientId, jkt)` and `TryConsumeAsync(nonce, audience, clientId, jkt)`. -- Default implementation `RedisDpopNonceStore` storing SHA-256 hashes of nonces keyed by `audience:clientId:jkt`. TTL comes from `SenderConstraints.Dpop.Nonce.Ttl`. 
-- Create helper `DpopNonceIssuer` used by `ValidateDpopProofHandler` to issue nonces when missing/expired, enforcing issuance rate limits (per options) and tagging audit/log records. -- On successful validation (nonce supplied and consumed) stamp metadata into the transaction for auditing. -- Update `ClientCredentialsHandlers` to observe nonce enforcement: when a nonce challenge was sent, emit structured audit with `nonce_issued`, `audiences`, and `retry`. - -**Token issuance** -- In `HandleClientCredentialsHandler`, if the transaction contains a validated DPoP key: - - Build `cnf.jkt` using thumbprint from validator. - - Include `auth_time`/`dpop_jti` as needed for diagnostics. - - Persist the thumbprint alongside token metadata in Mongo (extend `AuthorityTokenDocument` with `SenderConstraint`, `KeyThumbprint`, `Nonce` fields). - -**Auditing & observability** -- Emit new audit events: - - `authority.dpop.proof.validated` (success/failure, clientId, audience, thumbprint, nonce status, jti). - - `authority.dpop.nonce.issued` and `authority.dpop.nonce.consumed`. -- Metrics (Prometheus style): - - `authority_dpop_validations_total{result,reason}`. - - `authority_dpop_nonce_issued_total{audience}` and `authority_dpop_nonce_fails_total{reason}`. -- Structured logs include `authority.sender_constraint=dpop`, `authority.dpop_thumbprint`, `authority.dpop_nonce`. - -**Testing** -- Unit tests for the handler pipeline using fake OpenIddict transactions. -- Replay/nonce tests with in-memory and Redis stores. -- Integration tests in `StellaOps.Authority.Tests` covering: - - Valid DPoP proof issuing `cnf.jkt`. - - Missing header → challenge with nonce. - - Replayed `jti` rejected. - - Invalid nonce rejected even after issuance. -- Contract tests to ensure `/.well-known/openid-configuration` advertises `dpop_signing_alg_values_supported` and `dpop_nonce_supported` when enabled. 
- -## AUTH-MTLS-11-002 — Certificate-Bound Tokens - -**Configuration model** -- Reuse `SenderConstraints.Mtls` described above; include: - - `enforceForAudiences` list (defaults `signer`, `attestor`, `scheduler`). - - `certificateRotationGraceSeconds` for overlap. - - `allowedClientCertificateAuthorities` absolute paths. - -**Kestrel/TLS pipeline** -- Configure Kestrel with `ClientCertificateMode.AllowCertificate` globally and implement middleware that enforces certificate presence only when the resolved client requires mTLS. -- Add `IAuthorityClientCertificateValidator` that validates presented certificate chain, SANs (`dns`, `uri`, optional SPIFFE), and thumbprint matches one of the stored bindings. -- Cache validation results per connection id to avoid rehashing on every request. - -**Client registration & storage** -- Extend `AuthorityClientDocument` with `List` containing: - - `Thumbprint`, `SerialNumber`, `Subject`, `NotBefore`, `NotAfter`, `Sans`, `CreatedAt`, `UpdatedAt`, `Label`. -- Provide admin API mutations (`/admin/clients/{id}/certificates`) for ops tooling (deferred implementation but schema ready). -- Update plugin provisioning store (`StandardClientProvisioningStore`) to map descriptors with certificate bindings and `senderConstraint`. -- Persist binding state in Mongo migrations (index on `{clientId, thumbprint}`). - -**Token issuance & introspection** -- Add a transaction property capturing the validated client certificate thumbprint. -- `HandleClientCredentialsHandler`: - - When mTLS required, ensure certificate info present; reject otherwise. - - Stamp `cnf` claim: `principal.SetClaim("cnf", JsonSerializer.Serialize(new { x5t#S256 = thumbprint }))`. - - Store binding metadata in issued token document for audit. -- Update `ValidateAccessTokenHandler` and introspection responses to surface `cnf.x5t#S256`. -- Ensure refresh tokens (if ever enabled) copy the binding data. 
- -**Auditing & observability** -- Audit events: - - `authority.mtls.handshake` (success/failure, clientId, thumbprint, issuer, subject). - - `authority.mtls.binding.missing` when a required client posts without a cert. -- Metrics: - - `authority_mtls_handshakes_total{result}`. - - `authority_mtls_certificate_rotations_total`. -- Logs include `authority.sender_constraint=mtls`, `authority.mtls_thumbprint`, `authority.mtls_subject`. - -**Testing** -- Unit tests for certificate validation rules (SAN mismatches, expiry, CA trust). -- Integration tests running Kestrel with test certificates: - - Successful token issuance with bound certificate. - - Request without certificate → `invalid_client`. - - Token introspection reveals `cnf.x5t#S256`. - - Rotation scenario (old + new cert allowed during grace window). - -## Implementation Checklist - -**DPoP work-stream** -1. Extract shared validator into `StellaOps.Auth.Security`; update Scanner references. -2. Introduce configuration classes and bind from YAML/environment. -3. Implement nonce store (Redis + in-memory), handler integration, and OpenIddict transaction plumbing. -4. Stamp `cnf.jkt`, audit events, and metrics; update Mongo documents and migrations. -5. Extend docs: `docs/modules/authority/architecture.md`, `docs/security/audit-events.md`, `docs/security/rate-limits.md`, CLI/UI references. - -**mTLS work-stream** -1. Extend client document/schema and provisioning stores with certificate bindings + sender constraint flag. -2. Configure Kestrel/middleware for optional client certificates and validation service. -3. Update token issuance/introspection to honour certificate bindings and emit `cnf.x5t#S256`. -4. Add auditing/metrics and integration tests (happy path + failure). -5. Refresh operator documentation (`docs/modules/authority/operations/backup-restore.md`, `docs/modules/authority/operations/monitoring.md`, sample `authority.yaml`) to cover certificate lifecycle. 
- -Both streams should conclude with `dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln` and documentation cross-links so dependent guilds can unblock UI/Signer work. +# Authority DPoP & mTLS Implementation Plan (2025-10-19) + +## Purpose +- Provide the implementation blueprint for AUTH-DPOP-11-001 and AUTH-MTLS-11-002. +- Unify sender-constraint validation across Authority, downstream services, and clients. +- Capture deterministic, testable steps that unblock UI/Signer guilds depending on DPoP/mTLS hardening. + +## Scope +- Token endpoint validation, issuance, and storage changes inside `StellaOps.Authority`. +- Shared security primitives consumed by Authority, Scanner, Signer, CLI, and UI. +- Operator-facing configuration, auditing, and observability. +- Out of scope: PoE enforcement (Signer) and CLI/UI client UX; those teams consume the new capabilities. + +> **Status update (2025-10-19):** `ValidateDpopProofHandler`, `AuthorityClientCertificateValidator`, and the supporting storage/audit plumbing now live in `src/Authority/StellaOps.Authority`. DPoP proofs populate `cnf.jkt`, mTLS bindings enforce certificate thumbprints via `cnf.x5t#S256`, and token documents persist the sender constraint metadata. In-memory nonce issuance is wired (Redis implementation to follow). Documentation and configuration references were updated (`docs/11_AUTHORITY.md`). Targeted unit/integration tests were added; running the broader test suite is currently blocked by pre-existing `StellaOps.Concelier.Storage.Mongo` build errors. +> +> **Status update (2025-10-20):** Redis-backed nonce configuration is exposed through `security.senderConstraints.dpop.nonce` with sample YAML (`etc/authority.yaml.sample`) and architecture docs refreshed. Operator guide now includes concrete Redis/required audiences snippet; nonce challenge regression remains covered by `ValidateDpopProof_IssuesNonceChallenge_WhenNonceMissing`. 
+> +> **Status update (2025-10-23):** mTLS enforcement now honours `security.senderConstraints.mtls.enforceForAudiences`, automatically rejecting non-mTLS clients targeting audiences such as `signer`. Certificate bindings validate thumbprint, issuer, subject, serial number, and SAN values, producing deterministic error codes for operators. Introspection responses include `cnf.x5t#S256`, and new unit tests cover audience enforcement, binding mismatches, and bootstrap storage. Docs/sample config updated accordingly. + +## Design Summary +- Extract the existing Scanner `DpopProofValidator` stack into a shared `StellaOps.Auth.Security` library used by Authority and resource servers. +- Extend Authority configuration (`authority.yaml`) with strongly-typed `senderConstraints.dpop` and `senderConstraints.mtls` sections (map to sample already shown in architecture doc). +- Require DPoP proofs on `/token` when the registered client policy is `senderConstraint=dpop`; bind issued access tokens via `cnf.jkt`. +- Introduce Authority-managed nonce issuance for “high value” audiences (default: `signer`, `attestor`) with Redis-backed persistence and deterministic auditing. +- Enable OAuth 2.0 mTLS (RFC 8705) by storing certificate bindings per client, requesting client certificates at TLS termination, and stamping `cnf.x5t#S256` into issued tokens plus introspection output. +- Surface structured logs and counters for both DPoP and mTLS flows; provide integration tests that cover success, replay, invalid proof, and certificate mismatch cases. + +## AUTH-DPOP-11-001 — Proof Validation & Nonce Handling + +**Shared validator** +- Move `DpopProofValidator`, option types, and replay cache interfaces from `StellaOps.Scanner.Core` into a new assembly `StellaOps.Auth.Security`. +- Provide pluggable caches: `InMemoryDpopReplayCache` (existing) and new `RedisDpopReplayCache` (leveraging the Authority Redis connection). 
+- Ensure the validator exposes the validated `SecurityKey`, `jti`, and `iat` so Authority can construct the `cnf` claim and compute nonce expiry. + +**Configuration model** +- Extend `StellaOpsAuthorityOptions.Security` with a `SenderConstraints` property containing: + - `Dpop` (`enabled`, `allowedAlgorithms`, `maxAgeSeconds`, `clockSkewSeconds`, `replayWindowSeconds`, `nonce` settings with `enabled`, `ttlSeconds`, `requiredAudiences`, `maxIssuancePerMinute`). + - `Mtls` (`enabled`, `requireChainValidation`, `clientCaBundle`, `allowedSubjectPatterns`, `allowedSanTypes`). +- Bind from YAML (`authority.security.senderConstraints.*`) while preserving backwards compatibility (defaults keep both disabled). + +**Token endpoint pipeline** +- Introduce a scoped OpenIddict handler `ValidateDpopProofHandler` inserted before `ValidateClientCredentialsHandler`. +- Determine the required sender constraint from client metadata: + - Add `AuthorityClientMetadataKeys.SenderConstraint` storing `dpop` or `mtls`. + - Optionally allow per-client overrides for nonce requirement. +- When `dpop` is required: + - Read the `DPoP` header from the ASP.NET request, reject with `invalid_token` + `WWW-Authenticate: DPoP error="invalid_dpop_proof"` if absent. + - Call the shared validator with method/URI. Enforce algorithm allowlist and `iat` window from options. + - Persist the `jkt` thumbprint plus replay cache state in the OpenIddict transaction (`AuthorityOpenIddictConstants.DpopKeyThumbprintProperty`, `DpopIssuedAtProperty`). + - When the requested audience intersects `SenderConstraints.Dpop.Nonce.RequiredAudiences`, require `nonce` in the proof; on first failure respond with HTTP 401, `error="use_dpop_nonce"`, and include `DPoP-Nonce` header (see nonce note below). Cache the rejection reason for audit logging. + +**Nonce service** +- Add `IDpopNonceStore` with methods `IssueAsync(audience, clientId, jkt)` and `TryConsumeAsync(nonce, audience, clientId, jkt)`. 
+- Default implementation `RedisDpopNonceStore` storing SHA-256 hashes of nonces keyed by `audience:clientId:jkt`. TTL comes from `SenderConstraints.Dpop.Nonce.Ttl`. +- Create helper `DpopNonceIssuer` used by `ValidateDpopProofHandler` to issue nonces when missing/expired, enforcing issuance rate limits (per options) and tagging audit/log records. +- On successful validation (nonce supplied and consumed) stamp metadata into the transaction for auditing. +- Update `ClientCredentialsHandlers` to observe nonce enforcement: when a nonce challenge was sent, emit structured audit with `nonce_issued`, `audiences`, and `retry`. + +**Token issuance** +- In `HandleClientCredentialsHandler`, if the transaction contains a validated DPoP key: + - Build `cnf.jkt` using thumbprint from validator. + - Include `auth_time`/`dpop_jti` as needed for diagnostics. + - Persist the thumbprint alongside token metadata in Mongo (extend `AuthorityTokenDocument` with `SenderConstraint`, `KeyThumbprint`, `Nonce` fields). + +**Auditing & observability** +- Emit new audit events: + - `authority.dpop.proof.validated` (success/failure, clientId, audience, thumbprint, nonce status, jti). + - `authority.dpop.nonce.issued` and `authority.dpop.nonce.consumed`. +- Metrics (Prometheus style): + - `authority_dpop_validations_total{result,reason}`. + - `authority_dpop_nonce_issued_total{audience}` and `authority_dpop_nonce_fails_total{reason}`. +- Structured logs include `authority.sender_constraint=dpop`, `authority.dpop_thumbprint`, `authority.dpop_nonce`. + +**Testing** +- Unit tests for the handler pipeline using fake OpenIddict transactions. +- Replay/nonce tests with in-memory and Redis stores. +- Integration tests in `StellaOps.Authority.Tests` covering: + - Valid DPoP proof issuing `cnf.jkt`. + - Missing header → challenge with nonce. + - Replayed `jti` rejected. + - Invalid nonce rejected even after issuance. 
+- Contract tests to ensure `/.well-known/openid-configuration` advertises `dpop_signing_alg_values_supported` and `dpop_nonce_supported` when enabled. + +## AUTH-MTLS-11-002 — Certificate-Bound Tokens + +**Configuration model** +- Reuse `SenderConstraints.Mtls` described above; include: + - `enforceForAudiences` list (defaults `signer`, `attestor`, `scheduler`). + - `certificateRotationGraceSeconds` for overlap. + - `allowedClientCertificateAuthorities` absolute paths. + +**Kestrel/TLS pipeline** +- Configure Kestrel with `ClientCertificateMode.AllowCertificate` globally and implement middleware that enforces certificate presence only when the resolved client requires mTLS. +- Add `IAuthorityClientCertificateValidator` that validates presented certificate chain, SANs (`dns`, `uri`, optional SPIFFE), and thumbprint matches one of the stored bindings. +- Cache validation results per connection id to avoid rehashing on every request. + +**Client registration & storage** +- Extend `AuthorityClientDocument` with `List` containing: + - `Thumbprint`, `SerialNumber`, `Subject`, `NotBefore`, `NotAfter`, `Sans`, `CreatedAt`, `UpdatedAt`, `Label`. +- Provide admin API mutations (`/admin/clients/{id}/certificates`) for ops tooling (deferred implementation but schema ready). +- Update plugin provisioning store (`StandardClientProvisioningStore`) to map descriptors with certificate bindings and `senderConstraint`. +- Persist binding state in Mongo migrations (index on `{clientId, thumbprint}`). + +**Token issuance & introspection** +- Add a transaction property capturing the validated client certificate thumbprint. +- `HandleClientCredentialsHandler`: + - When mTLS required, ensure certificate info present; reject otherwise. + - Stamp `cnf` claim: `principal.SetClaim("cnf", JsonSerializer.Serialize(new { x5t#S256 = thumbprint }))`. + - Store binding metadata in issued token document for audit. 
+- Update `ValidateAccessTokenHandler` and introspection responses to surface `cnf.x5t#S256`. +- Ensure refresh tokens (if ever enabled) copy the binding data. + +**Auditing & observability** +- Audit events: + - `authority.mtls.handshake` (success/failure, clientId, thumbprint, issuer, subject). + - `authority.mtls.binding.missing` when a required client posts without a cert. +- Metrics: + - `authority_mtls_handshakes_total{result}`. + - `authority_mtls_certificate_rotations_total`. +- Logs include `authority.sender_constraint=mtls`, `authority.mtls_thumbprint`, `authority.mtls_subject`. + +**Testing** +- Unit tests for certificate validation rules (SAN mismatches, expiry, CA trust). +- Integration tests running Kestrel with test certificates: + - Successful token issuance with bound certificate. + - Request without certificate → `invalid_client`. + - Token introspection reveals `cnf.x5t#S256`. + - Rotation scenario (old + new cert allowed during grace window). + +## Implementation Checklist + +**DPoP work-stream** +1. Extract shared validator into `StellaOps.Auth.Security`; update Scanner references. +2. Introduce configuration classes and bind from YAML/environment. +3. Implement nonce store (Redis + in-memory), handler integration, and OpenIddict transaction plumbing. +4. Stamp `cnf.jkt`, audit events, and metrics; update Mongo documents and migrations. +5. Extend docs: `docs/modules/authority/architecture.md`, `docs/security/audit-events.md`, `docs/security/rate-limits.md`, CLI/UI references. + +**mTLS work-stream** +1. Extend client document/schema and provisioning stores with certificate bindings + sender constraint flag. +2. Configure Kestrel/middleware for optional client certificates and validation service. +3. Update token issuance/introspection to honour certificate bindings and emit `cnf.x5t#S256`. +4. Add auditing/metrics and integration tests (happy path + failure). +5. 
Refresh operator documentation (`docs/modules/authority/operations/backup-restore.md`, `docs/modules/authority/operations/monitoring.md`, sample `authority.yaml`) to cover certificate lifecycle. + +Both streams should conclude with `dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln` and documentation cross-links so dependent guilds can unblock UI/Signer work. diff --git a/docs/dev/fixtures.md b/docs/dev/fixtures.md index eccfdc8b..fd4566ee 100644 --- a/docs/dev/fixtures.md +++ b/docs/dev/fixtures.md 
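Review bot: the `cnf` stamping line in the "Token issuance & introspection" bullets, `principal.SetClaim("cnf", JsonSerializer.Serialize(new { x5t#S256 = thumbprint }))`, is not valid C#: `#` cannot appear in an anonymous-type member name, so as written the snippet will not compile and anyone copying it into `HandleClientCredentialsHandler` will hit a build error. Suggest `new Dictionary<string, string> { ["x5t#S256"] = thumbprint }` or a small record with `[JsonPropertyName("x5t#S256")]` so the serialized claim keeps the RFC 8705 key name. Two smaller points in the same hunk: "Extend `AuthorityClientDocument` with `List` containing:" has lost the list's element type, so the storage bullet no longer names the binding type the later `{clientId, thumbprint}` index refers to; and the hunk removes and re-adds every line of the file with identical text, which looks like a line-ending or whitespace normalization rather than a content change, so it is worth confirming that is intended (and covered by `.gitattributes`) before it lands alongside the real edits in this patch.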
@@ -1,45 +1,45 @@ -# Concelier Fixture Maintenance - -Concelier uses a handful of deterministic fixtures to keep connector regressions in check. This guide lists the -fixture sets, where they live, and how to regenerate them safely. - ---- - -## GHSA ↔ OSV parity fixtures - -- **Location:** `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.*.json` -- **Purpose:** Exercised by `OsvGhsaParityRegressionTests` to ensure OSV + GHSA outputs stay aligned on aliases, - ranges, references, and credits. -- **Regeneration:** Either run the test harness with online regeneration (`UPDATE_PARITY_FIXTURES=1 dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`) - or execute the fixture updater (`dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj`). Both paths - normalise timestamps and canonical ordering. -- **SemVer provenance:** The regenerated fixtures should show `normalizedVersions[].notes` in the - `osv:{ecosystem}:{advisoryId}:{identifier}` shape emitted by `SemVerRangeRuleBuilder`. Confirm the - constraints and notes line up with GHSA/NVD composites before committing. -- **Verification:** Inspect the diff, then re-run `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj` to confirm parity. - -## GHSA credit parity fixtures - -- **Location:** `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.{ghsa,osv,nvd}.json` -- **Purpose:** Exercised by `GhsaCreditParityRegressionTests` to guarantee GHSA/NVD/OSV acknowledgements remain in lockstep. -- **Regeneration:** `dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj` rewrites all three canonical snapshots. 
-- **Verification:** `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj`. - -> Always commit fixture changes together with the code that motivated them and reference the regression test that guards the behaviour. - -## Apple security update fixtures - -- **Location:** `src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/*.html` and `.expected.json`. -- **Purpose:** Exercised by `AppleLiveRegressionTests` to guarantee the Apple HTML parser and mapper stay deterministic while covering Rapid Security Responses and multi-device advisories. -- **Regeneration:** Use the helper scripts (`scripts/update-apple-fixtures.sh` or `scripts/update-apple-fixtures.ps1`). They export `UPDATE_APPLE_FIXTURES=1`, propagate the flag through `WSLENV`, touch `.update-apple-fixtures`, and then run the Apple test project. This keeps WSL/VSCode test invocations in sync while the refresh workflow fetches live Apple support pages, sanitises them, and rewrites both the HTML and expected DTO snapshots with normalised ordering. -- **Verification:** Inspect the generated diffs and re-run `dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests.csproj` without the env var to confirm determinism. - -> **Tip for other connector owners:** mirror the sentinel + `WSLENV` pattern (`touch .update--fixtures`, append the env var via `WSLENV`) when you add fixture refresh scripts so contributors running under WSL inherit the regeneration flag automatically. - -## KISA advisory fixtures - -- **Location:** `src/Concelier/__Tests/StellaOps.Concelier.Connector.Kisa.Tests/Fixtures/kisa-{feed,detail}.(xml|json)` -- **Purpose:** Used by `KisaConnectorTests` to verify Hangul-aware fetch → parse → map flows and to assert telemetry counters stay wired. 
-- **Regeneration:** `UPDATE_KISA_FIXTURES=1 dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Kisa.Tests/StellaOps.Concelier.Connector.Kisa.Tests.csproj` -- **Verification:** Re-run the same test suite without the env var; confirm advisory content remains NFC-normalised and HTML is sanitised. Metrics assertions will fail if counters drift. -- **Localisation note:** RSS `category` values (e.g. `취약점정보`) remain in Hangul—do not translate them in fixtures; they feed directly into metrics/log tags. +# Concelier Fixture Maintenance + +Concelier uses a handful of deterministic fixtures to keep connector regressions in check. This guide lists the +fixture sets, where they live, and how to regenerate them safely. + +--- + +## GHSA ↔ OSV parity fixtures + +- **Location:** `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.*.json` +- **Purpose:** Exercised by `OsvGhsaParityRegressionTests` to ensure OSV + GHSA outputs stay aligned on aliases, + ranges, references, and credits. +- **Regeneration:** Either run the test harness with online regeneration (`UPDATE_PARITY_FIXTURES=1 dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`) + or execute the fixture updater (`dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj`). Both paths + normalise timestamps and canonical ordering. +- **SemVer provenance:** The regenerated fixtures should show `normalizedVersions[].notes` in the + `osv:{ecosystem}:{advisoryId}:{identifier}` shape emitted by `SemVerRangeRuleBuilder`. Confirm the + constraints and notes line up with GHSA/NVD composites before committing. +- **Verification:** Inspect the diff, then re-run `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj` to confirm parity. 
+ +## GHSA credit parity fixtures + +- **Location:** `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.{ghsa,osv,nvd}.json` +- **Purpose:** Exercised by `GhsaCreditParityRegressionTests` to guarantee GHSA/NVD/OSV acknowledgements remain in lockstep. +- **Regeneration:** `dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj` rewrites all three canonical snapshots. +- **Verification:** `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj`. + +> Always commit fixture changes together with the code that motivated them and reference the regression test that guards the behaviour. + +## Apple security update fixtures + +- **Location:** `src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/*.html` and `.expected.json`. +- **Purpose:** Exercised by `AppleLiveRegressionTests` to guarantee the Apple HTML parser and mapper stay deterministic while covering Rapid Security Responses and multi-device advisories. +- **Regeneration:** Use the helper scripts (`scripts/update-apple-fixtures.sh` or `scripts/update-apple-fixtures.ps1`). They export `UPDATE_APPLE_FIXTURES=1`, propagate the flag through `WSLENV`, touch `.update-apple-fixtures`, and then run the Apple test project. This keeps WSL/VSCode test invocations in sync while the refresh workflow fetches live Apple support pages, sanitises them, and rewrites both the HTML and expected DTO snapshots with normalised ordering. +- **Verification:** Inspect the generated diffs and re-run `dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests.csproj` without the env var to confirm determinism. 
+ +> **Tip for other connector owners:** mirror the sentinel + `WSLENV` pattern (`touch .update--fixtures`, append the env var via `WSLENV`) when you add fixture refresh scripts so contributors running under WSL inherit the regeneration flag automatically. + +## KISA advisory fixtures + +- **Location:** `src/Concelier/__Tests/StellaOps.Concelier.Connector.Kisa.Tests/Fixtures/kisa-{feed,detail}.(xml|json)` +- **Purpose:** Used by `KisaConnectorTests` to verify Hangul-aware fetch → parse → map flows and to assert telemetry counters stay wired. +- **Regeneration:** `UPDATE_KISA_FIXTURES=1 dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Kisa.Tests/StellaOps.Concelier.Connector.Kisa.Tests.csproj` +- **Verification:** Re-run the same test suite without the env var; confirm advisory content remains NFC-normalised and HTML is sanitised. Metrics assertions will fail if counters drift. +- **Localisation note:** RSS `category` values (e.g. `취약점정보`) remain in Hangul—do not translate them in fixtures; they feed directly into metrics/log tags. diff --git a/docs/dev/merge_semver_playbook.md b/docs/dev/merge_semver_playbook.md index 63074f06..203efb61 100644 --- a/docs/dev/merge_semver_playbook.md +++ b/docs/dev/merge_semver_playbook.md 
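Review bot: in the "Tip for other connector owners" block, the sentinel name `touch .update--fixtures` has lost its placeholder token (compare `.update-apple-fixtures` in the Apple section and `UPDATE_KISA_FIXTURES` for KISA), so the pattern a new connector owner is told to mirror is ambiguous; the tip should spell out the placeholder rather than leave a double hyphen. As with the previous file, this hunk replaces all 45 lines with identical content, so please confirm it is a deliberate line-ending normalization and not an accidental rewrite that will hide the next real change in blame history.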
@@ -1,154 +1,154 @@ -# Concelier SemVer Merge Playbook (Sprint 1–2) - -This playbook describes how the merge layer and connector teams should emit the new SemVer primitives introduced in Sprint 1–2, how those primitives become normalized version rules, and how downstream jobs query them deterministically. - -## 1. What landed in Sprint 1–2 - -- `RangePrimitives.SemVer` now infers a canonical `style` (`range`, `exact`, `lt`, `lte`, `gt`, `gte`) and captures `exactValue` when the constraint is a single version. -- `NormalizedVersionRule` documents the analytics-friendly projection of each `AffectedPackage` coverage entry and is persisted alongside legacy `versionRanges`. -- `AdvisoryProvenance.decisionReason` records whether merge resolution favored precedence, freshness, or a tie-breaker comparison. - -See `src/Concelier/__Libraries/StellaOps.Concelier.Models/CANONICAL_RECORDS.md` for the full schema and field descriptions. - -## 2. Mapper pattern - -Connectors should emit SemVer primitives as soon as they can normalize a vendor constraint. The helper `SemVerPrimitiveExtensions.ToNormalizedVersionRule` turns those primitives into the persisted rules: - -```csharp -var primitive = new SemVerPrimitive( - introduced: "1.2.3", - introducedInclusive: true, - fixed: "2.0.0", - fixedInclusive: false, - lastAffected: null, - lastAffectedInclusive: false, - constraintExpression: ">=1.2.3 <2.0.0", - exactValue: null); - -var rule = primitive.ToNormalizedVersionRule(notes: "nvd:CVE-2025-1234"); -// rule => scheme=semver, type=range, min=1.2.3, minInclusive=true, max=2.0.0, maxInclusive=false -``` - -If you omit the optional `notes` argument, `ToNormalizedVersionRule` now falls back to the primitive’s `ConstraintExpression`, ensuring the original comparator expression is preserved for provenance/audit queries. - -Emit the resulting rule inside `AffectedPackage.NormalizedVersions` while continuing to populate `AffectedVersionRange.RangeExpression` for backward compatibility. 
- -## 3. Merge dedupe flow - -During merge, feed all package candidates through `NormalizedVersionRuleComparer.Instance` prior to persistence. The comparer orders by scheme → type → min → minInclusive → max → maxInclusive → value → notes, guaranteeing consistent document layout and making `$unwind` pipelines deterministic. - -If multiple connectors emit identical constraints, the merge layer should: - -1. Combine provenance entries (preserving one per source). -2. Preserve a single normalized rule instance (thanks to `NormalizedVersionRuleEqualityComparer.Instance`). -3. Attach `decisionReason="precedence"` if one source overrides another. - -## 4. Example Mongo pipeline - -Use the following aggregation to locate advisories that affect a specific SemVer: - -```javascript -db.advisories.aggregate([ - { $match: { "affectedPackages.type": "semver", "affectedPackages.identifier": "pkg:npm/lodash" } }, - { $unwind: "$affectedPackages" }, - { $unwind: "$affectedPackages.normalizedVersions" }, - { $match: { - $or: [ - { "affectedPackages.normalizedVersions.type": "exact", - "affectedPackages.normalizedVersions.value": "4.17.21" }, - { "affectedPackages.normalizedVersions.type": "range", - "affectedPackages.normalizedVersions.min": { $lte: "4.17.21" }, - "affectedPackages.normalizedVersions.max": { $gt: "4.17.21" } }, - { "affectedPackages.normalizedVersions.type": "gte", - "affectedPackages.normalizedVersions.min": { $lte: "4.17.21" } }, - { "affectedPackages.normalizedVersions.type": "lte", - "affectedPackages.normalizedVersions.max": { $gte: "4.17.21" } } - ] - }}, - { $project: { advisoryKey: 1, title: 1, "affectedPackages.identifier": 1 } } -]); -``` - -Pair this query with the indexes listed in [Normalized Versions Query Guide](mongo_indices.md). - -## 5. 
Recommended indexes - -| Collection | Index | Purpose | -|------------|-------|---------| -| `advisory` | `{ "affectedPackages.identifier": 1, "affectedPackages.normalizedVersions.scheme": 1, "affectedPackages.normalizedVersions.type": 1 }` (compound, multikey) | Speeds up `$match` on identifier + rule style. | -| `advisory` | `{ "affectedPackages.normalizedVersions.value": 1 }` (sparse) | Optimizes lookups for exact version hits. | - -Coordinate with the Storage team when enabling these indexes so deployment windows account for collection size. - -## 6. Dual-write rollout - -Follow the operational checklist in `docs/modules/devops/migrations/semver-style.md`. The summary: - -1. **Dual write (now)** – emit both legacy `versionRanges` and the new `normalizedVersions`. -2. **Backfill** – follow the storage migration in `docs/modules/devops/migrations/semver-style.md` to rewrite historical advisories before switching consumers. -3. **Verify** – run the aggregation above (with `explain("executionStats")`) to ensure the new indexes are used. -4. **Cutover** – after consumers switch to normalized rules, mark the old `rangeExpression` as deprecated. - -## 7. Checklist for connectors & merge - -- [ ] Populate `SemVerPrimitive` for every SemVer-friendly constraint. -- [ ] Call `ToNormalizedVersionRule` and store the result. -- [ ] Emit provenance masks covering both `versionRanges[].primitives.semver` and `normalizedVersions[]`. -- [ ] Ensure merge deduping relies on the canonical comparer. -- [ ] Capture merge decisions via `decisionReason`. -- [ ] Confirm integration tests include fixtures with normalized rules and SemVer styles. - -For deeper query examples and maintenance tasks, continue with [Normalized Versions Query Guide](mongo_indices.md). - -## 8. Storage projection reference - -`NormalizedVersionDocumentFactory` copies each normalized rule into MongoDB using the shape below. 
Use this as a contract when reviewing connector fixtures or diagnosing merge/storage diffs: - -```json -{ - "packageId": "pkg:npm/example", - "packageType": "npm", - "scheme": "semver", - "type": "range", - "style": "range", - "min": "1.2.3", - "minInclusive": true, - "max": "2.0.0", - "maxInclusive": false, - "value": null, - "notes": "ghsa:GHSA-xxxx-yyyy", - "decisionReason": "ghsa-precedence-over-nvd", - "constraint": ">= 1.2.3 < 2.0.0", - "source": "ghsa", - "recordedAt": "2025-10-11T00:00:00Z" -} -``` - -For distro-specific ranges (`nevra`, `evr`) the same envelope applies with `scheme` switched accordingly. Example: - -```json -{ - "packageId": "bash", - "packageType": "rpm", - "scheme": "nevra", - "type": "range", - "style": "range", - "min": "0:4.4.18-2.el7", - "minInclusive": true, - "max": "0:4.4.20-1.el7", - "maxInclusive": false, - "value": null, - "notes": "redhat:RHSA-2025:1234", - "decisionReason": "rhel-priority-over-nvd", - "constraint": "<= 0:4.4.20-1.el7", - "source": "redhat", - "recordedAt": "2025-10-11T00:00:00Z" -} -``` - -If a new scheme is required (for example, `apple.build` or `ios.semver`), raise it with the Models team before emitting documents so merge comparers and hashing logic can incorporate the change deterministically. - -## 9. Observability signals - -- `concelier.merge.normalized_rules` (counter, tags: `package_type`, `scheme`) – increments once per normalized rule retained after precedence merge. -- `concelier.merge.normalized_rules_missing` (counter, tags: `package_type`) – increments when a merged package still carries version ranges but no normalized rules; watch for spikes to catch connectors that have not emitted normalized arrays yet. +# Concelier SemVer Merge Playbook (Sprint 1–2) + +This playbook describes how the merge layer and connector teams should emit the new SemVer primitives introduced in Sprint 1–2, how those primitives become normalized version rules, and how downstream jobs query them deterministically. 
+ +## 1. What landed in Sprint 1–2 + +- `RangePrimitives.SemVer` now infers a canonical `style` (`range`, `exact`, `lt`, `lte`, `gt`, `gte`) and captures `exactValue` when the constraint is a single version. +- `NormalizedVersionRule` documents the analytics-friendly projection of each `AffectedPackage` coverage entry and is persisted alongside legacy `versionRanges`. +- `AdvisoryProvenance.decisionReason` records whether merge resolution favored precedence, freshness, or a tie-breaker comparison. + +See `src/Concelier/__Libraries/StellaOps.Concelier.Models/CANONICAL_RECORDS.md` for the full schema and field descriptions. + +## 2. Mapper pattern + +Connectors should emit SemVer primitives as soon as they can normalize a vendor constraint. The helper `SemVerPrimitiveExtensions.ToNormalizedVersionRule` turns those primitives into the persisted rules: + +```csharp +var primitive = new SemVerPrimitive( + introduced: "1.2.3", + introducedInclusive: true, + fixed: "2.0.0", + fixedInclusive: false, + lastAffected: null, + lastAffectedInclusive: false, + constraintExpression: ">=1.2.3 <2.0.0", + exactValue: null); + +var rule = primitive.ToNormalizedVersionRule(notes: "nvd:CVE-2025-1234"); +// rule => scheme=semver, type=range, min=1.2.3, minInclusive=true, max=2.0.0, maxInclusive=false +``` + +If you omit the optional `notes` argument, `ToNormalizedVersionRule` now falls back to the primitive’s `ConstraintExpression`, ensuring the original comparator expression is preserved for provenance/audit queries. + +Emit the resulting rule inside `AffectedPackage.NormalizedVersions` while continuing to populate `AffectedVersionRange.RangeExpression` for backward compatibility. + +## 3. Merge dedupe flow + +During merge, feed all package candidates through `NormalizedVersionRuleComparer.Instance` prior to persistence. 
The comparer orders by scheme → type → min → minInclusive → max → maxInclusive → value → notes, guaranteeing consistent document layout and making `$unwind` pipelines deterministic. + +If multiple connectors emit identical constraints, the merge layer should: + +1. Combine provenance entries (preserving one per source). +2. Preserve a single normalized rule instance (thanks to `NormalizedVersionRuleEqualityComparer.Instance`). +3. Attach `decisionReason="precedence"` if one source overrides another. + +## 4. Example Mongo pipeline + +Use the following aggregation to locate advisories that affect a specific SemVer: + +```javascript +db.advisories.aggregate([ + { $match: { "affectedPackages.type": "semver", "affectedPackages.identifier": "pkg:npm/lodash" } }, + { $unwind: "$affectedPackages" }, + { $unwind: "$affectedPackages.normalizedVersions" }, + { $match: { + $or: [ + { "affectedPackages.normalizedVersions.type": "exact", + "affectedPackages.normalizedVersions.value": "4.17.21" }, + { "affectedPackages.normalizedVersions.type": "range", + "affectedPackages.normalizedVersions.min": { $lte: "4.17.21" }, + "affectedPackages.normalizedVersions.max": { $gt: "4.17.21" } }, + { "affectedPackages.normalizedVersions.type": "gte", + "affectedPackages.normalizedVersions.min": { $lte: "4.17.21" } }, + { "affectedPackages.normalizedVersions.type": "lte", + "affectedPackages.normalizedVersions.max": { $gte: "4.17.21" } } + ] + }}, + { $project: { advisoryKey: 1, title: 1, "affectedPackages.identifier": 1 } } +]); +``` + +Pair this query with the indexes listed in [Normalized Versions Query Guide](mongo_indices.md). + +## 5. Recommended indexes + +| Collection | Index | Purpose | +|------------|-------|---------| +| `advisory` | `{ "affectedPackages.identifier": 1, "affectedPackages.normalizedVersions.scheme": 1, "affectedPackages.normalizedVersions.type": 1 }` (compound, multikey) | Speeds up `$match` on identifier + rule style. 
| +| `advisory` | `{ "affectedPackages.normalizedVersions.value": 1 }` (sparse) | Optimizes lookups for exact version hits. | + +Coordinate with the Storage team when enabling these indexes so deployment windows account for collection size. + +## 6. Dual-write rollout + +Follow the operational checklist in `docs/modules/devops/migrations/semver-style.md`. The summary: + +1. **Dual write (now)** – emit both legacy `versionRanges` and the new `normalizedVersions`. +2. **Backfill** – follow the storage migration in `docs/modules/devops/migrations/semver-style.md` to rewrite historical advisories before switching consumers. +3. **Verify** – run the aggregation above (with `explain("executionStats")`) to ensure the new indexes are used. +4. **Cutover** – after consumers switch to normalized rules, mark the old `rangeExpression` as deprecated. + +## 7. Checklist for connectors & merge + +- [ ] Populate `SemVerPrimitive` for every SemVer-friendly constraint. +- [ ] Call `ToNormalizedVersionRule` and store the result. +- [ ] Emit provenance masks covering both `versionRanges[].primitives.semver` and `normalizedVersions[]`. +- [ ] Ensure merge deduping relies on the canonical comparer. +- [ ] Capture merge decisions via `decisionReason`. +- [ ] Confirm integration tests include fixtures with normalized rules and SemVer styles. + +For deeper query examples and maintenance tasks, continue with [Normalized Versions Query Guide](mongo_indices.md). + +## 8. Storage projection reference + +`NormalizedVersionDocumentFactory` copies each normalized rule into MongoDB using the shape below. 
Use this as a contract when reviewing connector fixtures or diagnosing merge/storage diffs: + +```json +{ + "packageId": "pkg:npm/example", + "packageType": "npm", + "scheme": "semver", + "type": "range", + "style": "range", + "min": "1.2.3", + "minInclusive": true, + "max": "2.0.0", + "maxInclusive": false, + "value": null, + "notes": "ghsa:GHSA-xxxx-yyyy", + "decisionReason": "ghsa-precedence-over-nvd", + "constraint": ">= 1.2.3 < 2.0.0", + "source": "ghsa", + "recordedAt": "2025-10-11T00:00:00Z" +} +``` + +For distro-specific ranges (`nevra`, `evr`) the same envelope applies with `scheme` switched accordingly. Example: + +```json +{ + "packageId": "bash", + "packageType": "rpm", + "scheme": "nevra", + "type": "range", + "style": "range", + "min": "0:4.4.18-2.el7", + "minInclusive": true, + "max": "0:4.4.20-1.el7", + "maxInclusive": false, + "value": null, + "notes": "redhat:RHSA-2025:1234", + "decisionReason": "rhel-priority-over-nvd", + "constraint": "<= 0:4.4.20-1.el7", + "source": "redhat", + "recordedAt": "2025-10-11T00:00:00Z" +} +``` + +If a new scheme is required (for example, `apple.build` or `ios.semver`), raise it with the Models team before emitting documents so merge comparers and hashing logic can incorporate the change deterministically. + +## 9. Observability signals + +- `concelier.merge.normalized_rules` (counter, tags: `package_type`, `scheme`) – increments once per normalized rule retained after precedence merge. +- `concelier.merge.normalized_rules_missing` (counter, tags: `package_type`) – increments when a merged package still carries version ranges but no normalized rules; watch for spikes to catch connectors that have not emitted normalized arrays yet. diff --git a/docs/dev/raw-linkset-backfill-plan.md b/docs/dev/raw-linkset-backfill-plan.md new file mode 100644 index 00000000..db6e0f2b --- /dev/null +++ b/docs/dev/raw-linkset-backfill-plan.md 
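Review bot: the §4 pipeline and the §5 index table in this hunk disagree on the collection name and on the match keys, so the documented query will not use the recommended index: the aggregation targets `db.advisories` while the indexes are declared on `advisory`, and the first `$match` filters on `affectedPackages.type` and `affectedPackages.identifier` whereas the compound index is keyed on `affectedPackages.identifier`, `affectedPackages.normalizedVersions.scheme`, `affectedPackages.normalizedVersions.type`. Align the collection name and add `"affectedPackages.normalizedVersions.scheme": "semver"` to the first stage so all three index keys are usable, otherwise the step-3 `explain("executionStats")` verification in §6 will report a collection scan. Two further points in the same hunk: the `range` arm compares `min`/`max` with `$lte`/`$gt` regardless of `minInclusive`/`maxInclusive`, which the §8 projection stores explicitly, so boundary versions are classified wrongly unless the flags are folded into the match (separate `$or` arms per inclusivity); and `$lte`/`$gt` on dotted strings is lexicographic (`"4.17.9"` sorts after `"4.17.21"`), so the text should either state that `min`/`max` are persisted in a sortable padded form or label this stage as a prefilter that must be followed by a real SemVer comparison in application code. Finally, the `nevra` sample in §8 pairs `"constraint": "<= 0:4.4.20-1.el7"` with `"min": "0:4.4.18-2.el7"` and `"maxInclusive": false`, which contradict each other; make the `constraint` string and the structured fields agree, since the doc presents this envelope as the contract for fixture review.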
@@ -0,0 +1,56 @@ +# Raw Linkset Backfill & Adoption Plan + +_Last updated: 2025-10-31_ +Owners: Concelier Storage Guild, DevOps Guild, Policy Guild + +## Context + +- Concelier observations now emit both a **canonical linkset** (deduped, normalised identifiers) and a **raw linkset** (`rawLinkset`) that preserves upstream ordering, duplicates, and original pointer metadata. +- Existing `concelier.advisory_observations` documents created before 2025-10-31 do **not** contain the `rawLinkset` field. +- Policy Engine selection joiners (`POLICY-ENGINE-20-003`) will switch to the raw projection once backfill completes and consumers validate fixtures. + +## Objectives + +1. Populate `rawLinkset` for historical observations across online clusters and Offline Kit bundles without breaking append-only guarantees. +2. Provide migration scripts + runbook so operators can rehearse in staging (and air-gapped deployments) before production rollout. +3. Unblock Policy Engine adoption by guaranteeing dual projections exist for all tenants. 
+ +## Deliverables + +- [ ] **Migration script** (`20251104_advisory_observations_raw_linkset_backfill.csx`) + - Iterates observations lacking `rawLinkset` + - Rehydrates raw document via existing snapshot (or cached DTO) + - Reuses `AdvisoryObservationFactory.CreateRawLinkset` + - Writes using `$set` with optimistic retry; preserves `updatedAt` via `setOnInsert` +- [ ] **Offline Kit updater** (extend `ops/offline-kit/scripts/export_offline_bundle.py`) to patch bundles in-place +- [ ] **Runbook** covering: + - Pre-check query: `db.concelier.advisory_observations.countDocuments({ rawLinkset: { $exists: false } })` + - Backup procedure (`mongodump` or snapshot requirement) + - Dry-run mode limiting batches by tenant + - Metrics/telemetry expectations (`concelier.migrations.documents_processed_total`) + - Rollback (no-op because field addition; note to retain snapshot for verification) +- [ ] **Fixture updates** ensuring storage/CLI/Policy tests include `rawLinkset` +- [ ] **Policy Engine follow-up** to flip joiners once `rawLinkset` population reaches 100% (tracked via metrics). + +## Timeline + +| Date (UTC) | Milestone | Notes | +|------------|-----------|-------| +| 2025-10-31 | Handshake w/ Policy | Agreement to consume `rawLinkset`; this document created. | +| 2025-11-01 | Draft migration script | Validate against staging dataset snapshots. | +| 2025-11-04 | Storage task CONCELIER-STORE-AOC-19-005 due | Deliver script + runbook for review. | +| 2025-11-06 | Staging backfill rehearsal | Target < 30 min runtime on 5M observations. | +| 2025-11-08 | Policy fixtures updated | POL engine branch consumes `rawLinkset`. | +| 2025-11-11 | Production rollout window | Pending DevOps sign-off after rehearsals. | + +## Open Questions + +- Do we need archival of the canonical-only projection for backwards compatibility exports? (Policy to confirm.) +- Offline Kit delta: should we regenerate entire bundle or ship incremental patch? (DevOps reviewing.) 
+- Metrics: add `raw_linkset_missing_total` counter to detect regressions post-backfill? + +## Next Actions + +- [ ] Concelier Storage Guild: prototype migration script, share for review (`2025-11-01`). +- [ ] DevOps Guild: schedule staging rehearsal + update `docs/deploy/containers.md` with new runbook section. +- [ ] Policy Guild: prepare feature flag/branch to switch joiners once metrics show zero missing `rawLinkset`. diff --git a/docs/events/orchestrator-scanner-events.md b/docs/events/orchestrator-scanner-events.md index 4c59fa56..c00a892c 100644 --- a/docs/events/orchestrator-scanner-events.md +++ b/docs/events/orchestrator-scanner-events.md 
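Review bot: in the **Migration script** deliverable, "preserves `updatedAt` via `setOnInsert`" is not correct as stated: `$setOnInsert` only takes effect when an upsert inserts a new document, and this backfill updates existing observations with `$set`, so the operator is a no-op and `updatedAt` survives only because the update omits it. Say explicitly that the update must not touch `updatedAt` (or must deliberately bump it, whichever the storage contract expects) and drop the `$setOnInsert` reference. Related: the Context section requires the backfill to respect append-only guarantees, yet the script mutates stored observations in place; the plan should state why adding a derived `rawLinkset` projection is allowed under that contract, for example a guard that writes only when the field is absent (matching the pre-check query `{ rawLinkset: { $exists: false } }`) and never overwrites an existing value, which also makes re-runs idempotent. The Runbook's "Rollback (no-op because field addition)" should add that once Policy joiners have switched to the raw projection, rollback also means flipping that feature flag back, so the no-op claim only holds before the cutover in the Timeline.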
@@ -1,39 +1,39 @@ -# Scanner Orchestrator Events (ORCH-SVC-38-101) - -Last updated: 2025-10-26 - -The Notifications Studio initiative (NOTIFY-SVC-38-001) and orchestrator backlog (ORCH-SVC-38-101) standardise how platform services emit lifecycle events. This document describes the Scanner WebService contract for the new **orchestrator envelopes** (`scanner.event.*`) and how they supersede the legacy Redis-backed `scanner.report.ready` / `scanner.scan.completed` events. - -## 1. Envelope overview - -Orchestrator events share a deterministic JSON envelope: - -| Field | Type | Notes | -|-------|------|-------| -| `eventId` | `uuid` | Globally unique identifier generated per occurrence. | -| `kind` | `string` | Event identifier; Scanner emits `scanner.event.report.ready` and `scanner.event.scan.completed`. | -| `version` | `integer` | Schema version. Initial release uses `1`. | -| `tenant` | `string` | Tenant that owns the scan/report. Mirrors Authority claims. | -| `occurredAt` | `date-time` | UTC instant when the underlying state transition happened (e.g., report persisted). | -| `recordedAt` | `date-time` | UTC instant when the event was durably written. Optional but recommended. | -| `source` | `string` | Producer identifier (`scanner.webservice`). | -| `idempotencyKey` | `string` | Deterministic key for duplicate suppression (see §4). | -| `correlationId` | `string` | Maps back to the API request or scan identifier. | -| `traceId` / `spanId` | `string` | W3C trace context propagated into downstream telemetry. | -| `scope` | `object` | Describes the affected artefact. Requires `repo` and `digest`; optional `namespace`, `component`, `image`. | -| `attributes` | `object` | Flat string map for frequently queried metadata (e.g., policy revision). | -| `payload` | `object` | Event-specific body (see §2). | - -Canonical schemas live under `docs/events/scanner.event.*@1.json`. 
Samples that round-trip through `NotifyCanonicalJsonSerializer` are stored in `docs/events/samples/`. - -## 2. Event kinds and payloads - -### 2.1 `scanner.event.report.ready` - -Emitted once a signed report is persisted and attested. Payload highlights: - -- `reportId` / `scanId` — identifiers for the persisted report and originating scan. Until Scan IDs are surfaced by the API, `scanId` mirrors `reportId` so downstream correlators can stabilise on a single key. -- **Attributes:** `reportId`, `policyRevisionId`, `policyDigest`, `verdict` — pre-sorted for deterministic routing. +# Scanner Orchestrator Events (ORCH-SVC-38-101) + +Last updated: 2025-10-26 + +The Notifications Studio initiative (NOTIFY-SVC-38-001) and orchestrator backlog (ORCH-SVC-38-101) standardise how platform services emit lifecycle events. This document describes the Scanner WebService contract for the new **orchestrator envelopes** (`scanner.event.*`) and how they supersede the legacy Redis-backed `scanner.report.ready` / `scanner.scan.completed` events. + +## 1. Envelope overview + +Orchestrator events share a deterministic JSON envelope: + +| Field | Type | Notes | +|-------|------|-------| +| `eventId` | `uuid` | Globally unique identifier generated per occurrence. | +| `kind` | `string` | Event identifier; Scanner emits `scanner.event.report.ready` and `scanner.event.scan.completed`. | +| `version` | `integer` | Schema version. Initial release uses `1`. | +| `tenant` | `string` | Tenant that owns the scan/report. Mirrors Authority claims. | +| `occurredAt` | `date-time` | UTC instant when the underlying state transition happened (e.g., report persisted). | +| `recordedAt` | `date-time` | UTC instant when the event was durably written. Optional but recommended. | +| `source` | `string` | Producer identifier (`scanner.webservice`). | +| `idempotencyKey` | `string` | Deterministic key for duplicate suppression (see §4). 
| +| `correlationId` | `string` | Maps back to the API request or scan identifier. | +| `traceId` / `spanId` | `string` | W3C trace context propagated into downstream telemetry. | +| `scope` | `object` | Describes the affected artefact. Requires `repo` and `digest`; optional `namespace`, `component`, `image`. | +| `attributes` | `object` | Flat string map for frequently queried metadata (e.g., policy revision). | +| `payload` | `object` | Event-specific body (see §2). | + +Canonical schemas live under `docs/events/scanner.event.*@1.json`. Samples that round-trip through `NotifyCanonicalJsonSerializer` are stored in `docs/events/samples/`. + +## 2. Event kinds and payloads + +### 2.1 `scanner.event.report.ready` + +Emitted once a signed report is persisted and attested. Payload highlights: + +- `reportId` / `scanId` — identifiers for the persisted report and originating scan. Until Scan IDs are surfaced by the API, `scanId` mirrors `reportId` so downstream correlators can stabilise on a single key. +- **Attributes:** `reportId`, `policyRevisionId`, `policyDigest`, `verdict` — pre-sorted for deterministic routing. - **Links:** - `report.ui` → `/ui/reports/{reportId}` on the current host. - `report.api` → `{apiBasePath}/{reportsSegment}/{reportId}` (defaults to `/api/v1/reports/{reportId}`). 
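Review bot: hunk `@@ -1,39 +1,39 @@` removes and re-adds every line with identical content, so this is a line-ending or whitespace normalization rather than a documentation change, and it hides whether anything in the envelope table actually moved. Split the normalization into its own commit, or configure `.gitattributes` (for example `* text=auto`) so the markdown files under `docs/` are checked in with consistent line endings and future hunks only show real edits. If the intent is a content change, state it in the commit message, since "Align AOC tasks for Excititor and Concelier" does not explain touching `docs/events/orchestrator-scanner-events.md`.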
@@ -41,83 +41,83 @@ Emitted once a signed report is persisted and attested. Payload highlights: - `policy.api` → `{apiBasePath}/{policySegment}/revisions/{revisionId}` when a revision is present. - `attestation.ui` → `/ui/attestations/{reportId}` when a DSSE envelope is included. - `attestation.api` → `{apiBasePath}/{reportsSegment}/{reportId}/attestation` when a DSSE envelope is included. -- `imageDigest` — OCI image digest associated with the analysis. -- `generatedAt` — report generation timestamp (ISO-8601 UTC). -- `verdict` — `pass`, `warn`, or `fail` after policy evaluation. -- `summary` — blocked/warned/ignored/quieted counters (all non-negative integers). -- `delta` — newly critical/high counts and optional `kev` array. -- `quietedFindingCount` — mirrors `summary.quieted`. -- `policy` — revision metadata (`digest`, `revisionId`) surfaced for routing. -- `links` — UI/report/policy URLs suitable for operators. -- `dsse` — embedded DSSE envelope (payload, type, signature list). -- `report` — canonical report document; identical to the DSSE payload. - -Schema: `docs/events/scanner.event.report.ready@1.json` -Sample: `docs/events/samples/scanner.event.report.ready@1.sample.json` - -### 2.2 `scanner.event.scan.completed` - -Emitted after scan execution finishes (success or policy failure). Payload highlights: - -- `reportId` / `scanId` / `imageDigest` — identifiers mirroring the report-ready event. As with the report-ready payload, `scanId` currently mirrors `reportId` as a temporary shim. -- **Attributes:** `reportId`, `policyRevisionId`, `policyDigest`, `verdict`. +- `imageDigest` — OCI image digest associated with the analysis. +- `generatedAt` — report generation timestamp (ISO-8601 UTC). +- `verdict` — `pass`, `warn`, or `fail` after policy evaluation. +- `summary` — blocked/warned/ignored/quieted counters (all non-negative integers). +- `delta` — newly critical/high counts and optional `kev` array. +- `quietedFindingCount` — mirrors `summary.quieted`. 
+- `policy` — revision metadata (`digest`, `revisionId`) surfaced for routing. +- `links` — UI/report/policy URLs suitable for operators. +- `dsse` — embedded DSSE envelope (payload, type, signature list). +- `report` — canonical report document; identical to the DSSE payload. + +Schema: `docs/events/scanner.event.report.ready@1.json` +Sample: `docs/events/samples/scanner.event.report.ready@1.sample.json` + +### 2.2 `scanner.event.scan.completed` + +Emitted after scan execution finishes (success or policy failure). Payload highlights: + +- `reportId` / `scanId` / `imageDigest` — identifiers mirroring the report-ready event. As with the report-ready payload, `scanId` currently mirrors `reportId` as a temporary shim. +- **Attributes:** `reportId`, `policyRevisionId`, `policyDigest`, `verdict`. - **Links:** same as above (`report.*`, `policy.*`) with `attestation.*` populated when DSSE metadata exists. -- `verdict`, `summary`, `delta`, `policy` — same semantics as above. -- `findings` — array of surfaced findings with `id`, `severity`, optional `cve`, `purl`, and `reachability`. -- `links`, `dsse`, `report` — same structure as §2.1 (allows Notifier to reuse signatures). - -Schema: `docs/events/scanner.event.scan.completed@1.json` -Sample: `docs/events/samples/scanner.event.scan.completed@1.sample.json` - -### 2.3 Relationship to legacy events - -| Legacy Redis event | Replacement orchestrator event | Notes | -|--------------------|-------------------------------|-------| -| `scanner.report.ready` | `scanner.event.report.ready` | Adds versioning, idempotency, trace context. Payload is a superset of the legacy fields. | -| `scanner.scan.completed` | `scanner.event.scan.completed` | Same data plus explicit scan identifiers and orchestrator metadata. | - -Legacy schemas remain for backwards-compatibility during migration, but new integrations **must** target the orchestrator variants. - -## 3. 
Deterministic serialization - -- Producers must serialise events using `NotifyCanonicalJsonSerializer` to guarantee consistent key ordering and whitespace. -- Timestamps (`occurredAt`, `recordedAt`, `payload.generatedAt`) use `DateTimeOffset.UtcDateTime.ToString("O")`. -- Payload arrays (`delta.kev`, `findings`) should be pre-sorted (e.g., alphabetical CVE order) so hash-based consumers remain stable. -- Optional fields are omitted rather than emitted as `null`. - -## 4. Idempotency and correlation - -Idempotency keys dedupe repeated publishes and align with the orchestrator’s outbox pattern: - -| Event kind | Idempotency key template | -|------------|-------------------------| -| `scanner.event.report.ready` | `scanner.event.report.ready::` | -| `scanner.event.scan.completed` | `scanner.event.scan.completed::` | - -Keys are ASCII lowercase; components should be trimmed and validated before concatenation. Retries must reuse the same key. - -`correlationId` should match the scan identifier that appears in REST responses (`scanId`). Re-using the same value across the pair of events allows Notifier and orchestrator analytics to stitch lifecycle data together. - -## 5. Versioning and evolution - -- Increment the `version` field and the `@` suffix for **breaking** changes (field removals, type changes, semantic shifts). -- Additive optional fields may remain within version 1; update the JSON schema and samples accordingly. -- When introducing `@2`, keep the `@1` schema/docs in place until orchestrator subscribers confirm migration. - -## 6. Consumer checklist - -1. Validate incoming payloads against the schema for the targeted version. -2. Use `idempotencyKey` for dedupe, not `eventId`. -3. Map `traceId`/`spanId` into telemetry spans to preserve causality. -4. Prefer `payload.report` → `policy.revisionId` when populating templates; the top-level `attributes` are convenience duplicates for quick routing. -5. 
Reserve the legacy Redis events for transitional compatibility only; downstream systems should subscribe to the orchestrator bus exposed by ORCH-SVC-38-101. - -## 7. Implementation status and next actions - -- **Scanner WebService** — `SCANNER-EVENTS-16-301` (blocked) and `SCANNER-EVENTS-16-302` (doing) track the production of these envelopes. The remaining blocker is the .NET 10 preview OpenAPI/Auth dependency drift that currently breaks `dotnet test`. Once Gateway and Notifier owners land the replacement packages, rerun the full test suite and capture fresh fixtures under `docs/events/samples/`. -- **Gateway/Notifier consumers** — subscribe to the orchestrator stream documented in ORCH-SVC-38-101. When the Scanner tasks unblock, regenerate notifier contract tests against the sample events included here. -- **Docs cadence** — update this file and the matching JSON schemas whenever payload fields change. Use the rehearsal checklist in `docs/modules/devops/runbooks/launch-cutover.md` to confirm downstream validation before the production cutover. Record gaps or newly required fields in `docs/modules/devops/runbooks/launch-readiness.md` so they land in the launch checklist. - ---- - -**Imposed rule reminder:** work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. +- `verdict`, `summary`, `delta`, `policy` — same semantics as above. +- `findings` — array of surfaced findings with `id`, `severity`, optional `cve`, `purl`, and `reachability`. +- `links`, `dsse`, `report` — same structure as §2.1 (allows Notifier to reuse signatures). 
+ +Schema: `docs/events/scanner.event.scan.completed@1.json` +Sample: `docs/events/samples/scanner.event.scan.completed@1.sample.json` + +### 2.3 Relationship to legacy events + +| Legacy Redis event | Replacement orchestrator event | Notes | +|--------------------|-------------------------------|-------| +| `scanner.report.ready` | `scanner.event.report.ready` | Adds versioning, idempotency, trace context. Payload is a superset of the legacy fields. | +| `scanner.scan.completed` | `scanner.event.scan.completed` | Same data plus explicit scan identifiers and orchestrator metadata. | + +Legacy schemas remain for backwards-compatibility during migration, but new integrations **must** target the orchestrator variants. + +## 3. Deterministic serialization + +- Producers must serialise events using `NotifyCanonicalJsonSerializer` to guarantee consistent key ordering and whitespace. +- Timestamps (`occurredAt`, `recordedAt`, `payload.generatedAt`) use `DateTimeOffset.UtcDateTime.ToString("O")`. +- Payload arrays (`delta.kev`, `findings`) should be pre-sorted (e.g., alphabetical CVE order) so hash-based consumers remain stable. +- Optional fields are omitted rather than emitted as `null`. + +## 4. Idempotency and correlation + +Idempotency keys dedupe repeated publishes and align with the orchestrator’s outbox pattern: + +| Event kind | Idempotency key template | +|------------|-------------------------| +| `scanner.event.report.ready` | `scanner.event.report.ready::` | +| `scanner.event.scan.completed` | `scanner.event.scan.completed::` | + +Keys are ASCII lowercase; components should be trimmed and validated before concatenation. Retries must reuse the same key. + +`correlationId` should match the scan identifier that appears in REST responses (`scanId`). Re-using the same value across the pair of events allows Notifier and orchestrator analytics to stitch lifecycle data together. + +## 5. 
Versioning and evolution + +- Increment the `version` field and the `@` suffix for **breaking** changes (field removals, type changes, semantic shifts). +- Additive optional fields may remain within version 1; update the JSON schema and samples accordingly. +- When introducing `@2`, keep the `@1` schema/docs in place until orchestrator subscribers confirm migration. + +## 6. Consumer checklist + +1. Validate incoming payloads against the schema for the targeted version. +2. Use `idempotencyKey` for dedupe, not `eventId`. +3. Map `traceId`/`spanId` into telemetry spans to preserve causality. +4. Prefer `payload.report` → `policy.revisionId` when populating templates; the top-level `attributes` are convenience duplicates for quick routing. +5. Reserve the legacy Redis events for transitional compatibility only; downstream systems should subscribe to the orchestrator bus exposed by ORCH-SVC-38-101. + +## 7. Implementation status and next actions + +- **Scanner WebService** — `SCANNER-EVENTS-16-301` (blocked) and `SCANNER-EVENTS-16-302` (doing) track the production of these envelopes. The remaining blocker is the .NET 10 preview OpenAPI/Auth dependency drift that currently breaks `dotnet test`. Once Gateway and Notifier owners land the replacement packages, rerun the full test suite and capture fresh fixtures under `docs/events/samples/`. +- **Gateway/Notifier consumers** — subscribe to the orchestrator stream documented in ORCH-SVC-38-101. When the Scanner tasks unblock, regenerate notifier contract tests against the sample events included here. +- **Docs cadence** — update this file and the matching JSON schemas whenever payload fields change. Use the rehearsal checklist in `docs/modules/devops/runbooks/launch-cutover.md` to confirm downstream validation before the production cutover. Record gaps or newly required fields in `docs/modules/devops/runbooks/launch-readiness.md` so they land in the launch checklist. 
+ +--- + +**Imposed rule reminder:** work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. diff --git a/docs/implplan/EXECPLAN.md b/docs/implplan/EXECPLAN.md index 83644641..c50a6ba5 100644 --- a/docs/implplan/EXECPLAN.md +++ b/docs/implplan/EXECPLAN.md 
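Review bot: the idempotency key templates in §4 of this hunk end at `::` with no component placeholders (`scanner.event.report.ready::` and `scanner.event.scan.completed::`), so the table does not tell producers what is concatenated, yet the next sentence says "components should be trimmed and validated before concatenation" and the consumer checklist relies on this key for dedupe instead of `eventId`. Restore the placeholder list after `::` (it looks like bracketed tokens were lost), because two producers deriving the key differently defeats the duplicate suppression the section promises. A second point in the same hunk, in the §6 consumer checklist: §2.1 documents `dsse` as an embedded envelope and `report` as "identical to the DSSE payload", but the checklist never tells consumers to verify the DSSE signatures before acting on `payload.report`; add a step that verifies the envelope and treats `report` as a convenience copy that must match the signed payload, otherwise an unsigned `report` field is what drives Notifier templates. Like the previous hunk, this `@@ -41,83 +41,83 @@` region is a full identical rewrite, so the same line-ending remark applies.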
@@ -1,1831 +1,1831 @@ -# Execution Tree for Open Backlog -Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster tasks by dependency depth; Wave 0 has no unresolved blockers and later waves depend on earlier ones. - -## Wave Instructions -### Wave 0 -- Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (DONE 2025-10-20), AUTH-MTLS-11-002 (DONE 2025-10-23). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team DevEx/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-002 (TODO), CLI-RUNTIME-13-005 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001) before starting and report status in module TASKS.md. -- Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (DONE 2025-10-20); Wave 0A prerequisites reconfirmed so remediation work may proceed. Keep module TASKS.md/Sprints in sync as patches land. -- Team Diff Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md`. SCANNER-DIFF-10-501/502/503 all closed on 2025-10-19; keep determinism fixtures green and sync downstream consumers as Emit/Diff integration tickets arise. -- Team Docs Guild, Plugin Team: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOC4.AUTH-PDG (REVIEW). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
-- Team Docs/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001) before starting and report status in module TASKS.md. -- Team Emit Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. Sprint 10 composition milestones (10-601..10-606) wrapped 2025-10-22 and SCANNER-EMIT-10-607 completed alongside; remaining watch item is SCANNER-EMIT-17-701 (Wave 1) with build-id enrichment. -- Team EntryTrace Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md`. SCANNER-ENTRYTRACE-10-401..407 landed 2025-10-19; continue monitoring determinism harness outputs and raise follow-ups if new interpreter cases appear. -- Team Language Analyzer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. Java, shared helpers, determinism harness, and the Sprint 10 analyzers (10-301..10-309) are DONE (latest 2025-10-22); keep fixture refresh notes current and pivot to Wave 1 benchmarking/packaging follow-ups. -- Team Notify Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md`. Focus on NOTIFY-MODELS-15-101 (TODO), NOTIFY-MODELS-15-102 (TODO), NOTIFY-MODELS-15-103 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Notify Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md`. Focus on NOTIFY-STORAGE-15-201 (TODO), NOTIFY-STORAGE-15-202 (TODO), NOTIFY-STORAGE-15-203 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
-- Team Notify WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-101 (TODO), NOTIFY-WEB-15-102 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Platform Events Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on PLATFORM-EVENTS-09-401 (TODO). Confirm prerequisites (external: DOCS-EVENTS-09-003) before starting and report status in module TASKS.md. -- Team Plugin Platform Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-002.COORD (DONE 2025-10-20), PLUGIN-DI-08-002 (DONE 2025-10-20), PLUGIN-DI-08-003 (DONE 2025-10-20), PLUGIN-DI-08-004 (DONE 2025-10-20), and PLUGIN-DI-08-005 (DONE 2025-10-20). Confirm prerequisites (PLUGIN-DI-08-001) before starting and report status in module TASKS.md. -- Team Plugin Platform Guild, Authority Core: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Coordination session for PLUGIN-DI-08-002 implementation completed on 2025-10-20 15:00–16:05 UTC and scoped-service changes have shipped with regression coverage; subsequent tasks (PLUGIN-DI-08-003/004/005) remain green. -- Team Policy Guild: Sprint 9 core tasks (POLICY-CORE-09-004/005/006) closed on 2025-10-19; ensure downstream consumers refresh against the published scoring config + quiet/unknown outputs and raise follow-up tasks if additional polish is required. -- Team Runtime Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on RUNTIME-GUILD-09-402 (TODO). Confirm prerequisites (external: SCANNER-POLICY-09-107) before starting and report status in module TASKS.md. -- Team Scanner WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-15-201 (DONE 2025-10-20). 
Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-300 (DONE 2025-10-20) and ensure the temporary stub removal note stays tracked. Confirm prerequisites (external: SAMPLES-10-001) before starting and report status in module TASKS.md. -- Team Scheduler Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`. SCHED-MODELS-16-103 completed (2025-10-20); ensure downstream teams consume the migration helpers and log upgrade warnings. -- Team Scheduler Queue Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-401 completed (2025-10-20); proceed with Wave 1 queue enhancements. -- Team Scheduler Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-201 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-101 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. -- Team Signer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Signer/StellaOps.Signer/TASKS.md`. Focus on SIGNER-API-11-101 (DONE 2025-10-21), SIGNER-REF-11-102 (DONE 2025-10-21), SIGNER-QUOTA-11-103 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`. 
Focus on SCANNER-ANALYZERS-LANG-10-302C (TODO). Confirm prerequisites (external: SCANNER-ANALYZERS-LANG-10-302B) before starting and report status in module TASKS.md. -- Team Team Connector Resumption – CERT/RedHat: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md`. Focus on FEEDCONN-REDHAT-02-001 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Team Excititor Attestation: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md`. Focus on EXCITITOR-ATTEST-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-ATTEST-01-002) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Cisco: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-CISCO-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-CISCO-01-002, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-MS-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-001 (DOING). Confirm prerequisites (external: EXCITITOR-CONN-ABS-01-001) before starting and report status in module TASKS.md. 
-- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. Focus on EXCITITOR-CONN-SUSE-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-SUSE-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-UBUNTU-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-005 (DONE 2025-10-21). Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-EXPORT-01-004) before starting and report status in module TASKS.md. -- Team Team Excititor Formats: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md`. Focus on EXCITITOR-FMT-CSAF-01-002 (TODO), EXCITITOR-FMT-CSAF-01-003 (TODO), EXCITITOR-FMT-CYCLONE-01-002 (TODO), EXCITITOR-FMT-CYCLONE-01-003 (TODO), EXCITITOR-FMT-OPENVEX-01-002 (TODO), EXCITITOR-FMT-OPENVEX-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-EXPORT-01-001, EXCITITOR-FMT-CSAF-01-001, EXCITITOR-FMT-CYCLONE-01-001, EXCITITOR-FMT-OPENVEX-01-001, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Storage: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. 
Focus on EXCITITOR-STORAGE-MONGO-08-001 (DONE 2025-10-19), EXCITITOR-STORAGE-03-001 (TODO). Confirm prerequisites (external: EXCITITOR-STORAGE-01-003, EXCITITOR-STORAGE-02-001) before starting and report status in module TASKS.md. -- Team Team Excititor WebService: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-01-002 (DONE 2025-10-20), EXCITITOR-WEB-01-003 (TODO), EXCITITOR-WEB-01-004 (DONE 2025-10-20). Confirm prerequisites (external: EXCITITOR-ATTEST-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-WEB-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Worker: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-004 (DONE 2025-10-21); EXCITITOR-WORKER-01-002 (DONE 2025-10-21) and EXCITITOR-WORKER-02-001 (DONE 2025-10-21) recorded. Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. -- Team Team Merge & QA Enforcement: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. Focus on FEEDMERGE-COORD-02-900 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. **2025-10-19:** Coordination refreshed; connector owners notified and TASKS.md entries updated. **2025-10-20:** Coordination matrix + rollout dashboard refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) and escalation plan logged. -- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
-- Team Team WebService & Authority: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on SEC2.PLG (DOING), SEC3.PLG (DOING), SEC5.PLG (DOING), PLG4-6.CAPABILITIES (BLOCKED), PLG6.DIAGRAM (TODO), PLG7.RFC (REVIEW), FEEDWEB-DOCS-01-001 (DOING), FEEDWEB-OPS-01-006 (TODO), FEEDWEB-OPS-01-007 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Tools Guild, BE-Conn-MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md`. Focus on FEEDCONN-SHARED-STATE-003 (**TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team UX Specialist, Angular Eng: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Focus on WEB1.TRIVY-SETTINGS (DONE 2025-10-21), WEB1.TRIVY-SETTINGS-TESTS (DONE 2025-10-21), and WEB1.DEPS-13-001 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. - -### Wave 1 -- Team Concelier WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on CONCELIER-WEB-AOC-19-001/002/003/004 (TODO). Confirm prerequisites (WEB-AOC-19-001, CONCELIER-CORE-AOC-19-001, CONCELIER-STORE-AOC-19-001) before starting and record progress in TASKS.md. -- Team Concelier Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on CONCELIER-CORE-AOC-19-001/002/003/004 (TODO). Coordinate with Policy team on derived-data removal. -- Team Concelier Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. 
Prioritise CONCELIER-STORE-AOC-19-001/002/003/004 (TODO) and align validator rollout with DevOps. -- Team Excititor WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-AOC-19-001/002/003/004 (TODO). Ensure parity with Concelier ingestion guard. -- Team Excititor Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`. Focus on EXCITITOR-CORE-AOC-19-001/002/003/004 (TODO). -- Team Excititor Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Work on EXCITITOR-STORE-AOC-19-001/002/003/004 (TODO) with migration dry-run plans. -- Team Excititor Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-AOC-19-001/002/003 (TODO) coordinating signature enforcement with storage guard. -- Team BE-Base Platform Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Deliver WEB-AOC-19-001/002/003 (TODO) to unblock ingestion services. -- Team Policy Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`. Work on POLICY-AOC-19-001/002/003/004 (TODO) to keep derived data policy-only. -- Team Authority Core & Security Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Prioritise AUTH-AOC-19-001/002/003 (TODO) for new scopes + tenancy. -- Team DevEx/CLI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-AOC-19-001/002/003 (TODO) and sync exit codes with services. -- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Execute UI-AOC-19-001/002/003 (TODO) using new verify endpoints. 
-- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Implement DEVOPS-AOC-19-001/002/003 (TODO) to gate CI with new guards. -- Team Docs Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `docs/TASKS.md`. Cover DOCS-AOC-19-001..008 (TODO) aligning docs with new ingestion contract. -- Team Bench Guild, Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-SCANNER-10-002 (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevEx/CLI, QA Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-RUNTIME-13-009 (TODO). Confirm prerequisites (internal: CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-REL-14-001 (DOING 2025-10-23). Confirm prerequisites (internal: SIGNER-API-11-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevOps Guild, Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-204 (TODO). Confirm prerequisites (internal: SCANNER-EVENTS-15-201 (Wave 0)) before starting and report status in module TASKS.md. -- Team Emit Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. SCANNER-EMIT-10-607 shipped 2025-10-22; remaining focus is SCANNER-EMIT-17-701 (build-id enrichment). Confirm prerequisites (internal: POLICY-CORE-09-005 (Wave 0), SCANNER-EMIT-10-602 (Wave 0), SCANNER-EMIT-10-604 (Wave 0)) before starting and report status in module TASKS.md. -- Team Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. 
Sprint 10 language analyzers (10-303..10-306) wrapped by 2025-10-22; shift to Wave 1 benchmarking/packaging follow-ups (10-308+/309 variants) and ensure shared helpers stay stable. Node stream (tasks 10-302/309) closed on 2025-10-21; verify prereqs SCANNER-ANALYZERS-LANG-10-301/307 remain satisfied before new work. -- Team Licensing Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/licensing/TASKS.md`. Focus on DEVOPS-LIC-14-004 (TODO). Confirm prerequisites (internal: AUTH-MTLS-11-002 (Wave 0)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-301 (TODO). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (DONE). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-301 (TODO). Confirm prerequisites (internal: SCANNER-EMIT-10-605 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-402 completed (2025-10-20); next focus is SCHED-QUEUE-16-403. -- Team Scheduler Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-203 (TODO), SCHED-STORAGE-16-202 (TODO). 
Confirm prerequisites (internal: SCHED-STORAGE-16-201 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-104 (TODO), SCHED-WEB-16-102 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0), SCHED-WEB-16-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-201 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305A/304A/303A/306A all closed by 2025-10-22; use this slot to review cross-language fixture hygiene and prep Wave 1 benchmarking tickets. Node add-ons 10-307N/10-308N/10-309N remain DONE with restart-time packaging verified 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-302C (Wave 0), SCANNER-ANALYZERS-LANG-10-307 (Wave 0)) before starting any new follow-ups and report status in module TASKS.md. -- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-003 (TODO). 
Confirm prerequisites (internal: EXCITITOR-CONN-MS-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-001 (Wave 0); external: EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. Focus on EXCITITOR-CONN-SUSE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-SUSE-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-006 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team Team Excititor Worker: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-ATTEST-01-003 (Wave 0); external: EXCITITOR-EXPORT-01-002, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. 
-- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Focus on UI-SCANS-13-002 (TODO), UI-VEX-13-003 (TODO), UI-ADMIN-13-004 (TODO), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md. - -### Wave 2 -- Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Deployment Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/deployment/TASKS.md`. Focus on DEVOPS-OPS-14-003 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1)) before starting and report status in module TASKS.md. -- Team DevOps Guild, Notify Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-205 (TODO). Confirm prerequisites (internal: DEVOPS-SCANNER-09-204 (Wave 1)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-302 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. 
-- Team Offline Kit Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/offline-kit/TASKS.md`. Focus on DEVOPS-OFFLINE-14-002 (TODO), DEVOPS-OFFLINE-18-003 (TODO), and DEVOPS-OFFLINE-18-005 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1), DEVOPS-REL-14-004 (Wave 2)) before starting and report status in module TASKS.md. -- Team Samples Guild, Policy Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `samples/TASKS.md`. Focus on SAMPLES-13-004 (TODO). Confirm prerequisites (internal: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-303 (TODO), SCHED-IMPACT-16-302 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-103 (TODO). Confirm prerequisites (internal: SCHED-WEB-16-102 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-202 (TODO), SCHED-WORKER-16-205 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1), SCHED-WORKER-16-201 (Wave 1)) before starting and report status in module TASKS.md. 
-- Team TBD: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305B/304B/303B/306B wrapped on 2025-10-22; next focus moves to `10-307*` shared helper integration and Wave 2 benchmark polish. Node packaging milestone 10-308N closed 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303A (Wave 1), SCANNER-ANALYZERS-LANG-10-304A (Wave 1), SCANNER-ANALYZERS-LANG-10-305A (Wave 1), SCANNER-ANALYZERS-LANG-10-306A (Wave 1), SCANNER-ANALYZERS-LANG-10-307N (Wave 1)) before starting new work and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-002 (Wave 1); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-007 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-006 (Wave 1)) before starting and report status in module TASKS.md. - -### Wave 3 -- Team DevEx/CLI: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-OFFLINE-13-006 (DONE 2025-10-21). Confirm prerequisites (internal: DEVOPS-OFFLINE-14-002 (Wave 2)) before starting and report status in module TASKS.md. 
-- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-001 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-007 (Wave 2)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-303 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. -- Team Notify Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-203 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-203 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-202 (Wave 2)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305C/304C/309N/303C/306C are all DONE (latest 2025-10-22); remaining Wave 3 attention shifts to 10-307* helper consolidation and subsequent benchmarking tickets. 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303B (Wave 2), SCANNER-ANALYZERS-LANG-10-304B (Wave 2), SCANNER-ANALYZERS-LANG-10-305B (Wave 2), SCANNER-ANALYZERS-LANG-10-306B (Wave 2), SCANNER-ANALYZERS-LANG-10-308N (Wave 2)) before scheduling new work and report status in module TASKS.md. - -### Wave 4 -- Team DevEx/CLI: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-PLUGIN-13-007 (DONE 2025-10-22). Confirm prerequisites (internal: CLI-OFFLINE-13-006 (Wave 3), CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-001 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Connectors Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-501 (TODO), NOTIFY-CONN-TEAMS-15-601 (TODO), NOTIFY-CONN-EMAIL-15-701 (TODO), NOTIFY-CONN-WEBHOOK-15-801 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-304 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. 
Focus on NOTIFY-WORKER-15-204 (TODO). Confirm prerequisites (internal: NOTIFY-WORKER-15-203 (Wave 3)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-204 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-203 (Wave 3)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-307D/G/P are DONE (latest 2025-10-23); remaining focus is SCANNER-ANALYZERS-LANG-10-307R (DOING). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303C (Wave 3), SCANNER-ANALYZERS-LANG-10-304C (Wave 3), SCANNER-ANALYZERS-LANG-10-305C (Wave 3), SCANNER-ANALYZERS-LANG-10-306C (Wave 3)) before progressing and report status in module TASKS.md. - -### Wave 5 -- **Sprint 23-28** · StellaOps Console, Policy Studio, Graph Explorer - - Team: Policy Registry Guild - - Path: `src/Policy/StellaOps.Policy.Registry/TASKS.md` - 1. [TODO] REGISTRY-API-27-001..010 — Deliver Registry service (OpenAPI, workspace storage, compile/sim integration, review workflow, publish/attest, promotion, telemetry, testing). Coordinate closely with Policy Engine, Scheduler, Authority, Console, CLI, Docs, and DevOps. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-29-001..009 — Stand up immutable ledger, projector, workflow handlers, hashing/Merkle anchoring, and deployment tooling powering Vuln Explorer. - - Team: VEX Lens Guild - - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` - 1. 
[TODO] VEXLENS-30-001..011 — Build VEX normalization, mapping, trust weighting, consensus projection, APIs, simulation, telemetry, and deployment. - - Team: Issuer Directory Guild - - Path: `src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md` - 1. [TODO] ISSUER-30-001..006 — Provide issuer/key management, trust overrides, integration with VEX Lens, telemetry, and deployment guidance. - - Team: Advisory AI Guild - - Path: `src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md` - 1. [TODO] AIAI-31-001..009 — Implement retrievers, deterministics, guardrails, APIs, telemetry, and deployment for Advisory AI summaries/conflict explain/remediation. - - Team: Graph Indexer Guild - - Path: `src/Graph/StellaOps.Graph.Indexer/TASKS.md` - 1. [TODO] GRAPH-INDEX-28-001..010 — Build graph ingestion (SBOM, advisory, VEX, policy overlays), snapshots, clustering, incremental updates, and deployment artifacts. Maintain deterministic identity + tenant isolation. - - Team: Graph API Guild - - Path: `src/Graph/StellaOps.Graph.Api/TASKS.md` - 1. [TODO] GRAPH-API-28-001..011 — Ship streaming query/search/paths/diff/export endpoints with cost enforcement, overlays, RBAC, telemetry, and deployment docs. - - Team: Vuln Explorer API Guild - - Path: `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md` - 1. [TODO] VULN-API-29-001..011 — Provide policy-aware list/detail/workflow/simulation/export APIs atop the ledger with deterministic outputs and auditable telemetry. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-CORE-23-001..CONSOLE-REL-23-303, CONSOLE-DOC-23-501/502, TELEMETRY-CONSOLE-23-001 — Bootstrap the Next.js workspace, build shell/navigation, deliver feature modules (Dashboard, SBOM, Advisories/VEX, Findings, Policies, Runs, Reports, Admin, Downloads), wire telemetry, QA (Playwright, Storybook a11y, Lighthouse), release artifacts, and support docs/parity automation. 
Sequence: finish core scaffolding (23-001..005) before picking up feature modules; hold Reports/Downloads until backend export + manifest tasks signal ready. - 2. [TODO] CONSOLE-STUDIO-27-001..007, CONSOLE-GRAPH-28-001..008, TELEMETRY-CONSOLE-27-001 — Deliver Policy Studio editor experience and Graph Explorer WebGL module (semantic zoom, overlays, diff, exports, saved queries, accessibility, telemetry). - 3. [TODO] CONSOLE-VULN-29-001..007 — Ship Vuln Explorer UI enhancements (list/detail/workflow/simulation/export) with telemetry and accessibility. - 4. [TODO] CONSOLE-VEX-30-001..005 — Provide VEX Lens console experience with quorum/conflict visualization and telemetry. - 5. [TODO] CONSOLE-AIAI-31-001..005 — Build Advisory AI side panel (summary/conflict/remediation) with copy-as-ticket, a11y, and telemetry integration. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-CONSOLE-23-001..005 — Stand up `/console/*` aggregates, SSE proxy, export orchestrator, global search, and downloads manifest endpoints. Coordinate closely with Policy, Scheduler, Concelier, Excititor, SBOM services to validate payloads. - 2. [TODO] WEB-GRAPH-24-001..004 — Route `/graph/*` APIs to Graph service, enforce scopes, provide overlay/export proxies, and aggregate telemetry. - 3. [TODO] WEB-VULN-29-001..004 — Provide Vuln Explorer routing, ledger proxying, simulation/export orchestration, and telemetry. - 4. [TODO] WEB-AIAI-31-001..003 — Route Advisory AI endpoints, batch orchestration, and telemetry/audit pipelines. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-CONSOLE-23-001..003 — Register Console OIDC client, expose tenant/profile endpoints, refresh security docs. PKCE + short-lived tokens must land before Console auth wiring can start. - 2. 
[TODO] AUTH-POLICY-27-001..003, AUTH-GRAPH-21-001..003 — Roll out Policy Studio scopes + signing enforcement and ensure Graph scopes/RBAC stay in sync. - 3. [TODO] AUTH-VULN-29-001..003 — Deliver Vuln Explorer scopes, CSRF enforcement, attachment signing, and documentation. - 4. [TODO] AUTH-AIAI-31-001..002 — Define Advisory AI scopes/consent controls and enforce anonymized logging/audit flows. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-CONSOLE-23-001/002, EXPORT-CONSOLE-23-001 — Optimize findings/explain APIs, expose simulation diff + approvals metadata, and deliver evidence bundle generator feeding Web gateway + Console Reports. - 2. [TODO] POLICY-ENGINE-27-001..004, POLICY-ENGINE-30-001..003 — Provide Studio compile metadata, simulation enhancements, complexity limits, and graph overlay contracts/events. - 3. [TODO] POLICY-ENGINE-29-001..004 — Supply batch evaluation/simulation for Vuln Explorer and consensus overlays with telemetry. - 4. [TODO] POLICY-ENGINE-31-001..002 — Surface Advisory AI parameters and policy context endpoints consumed by the assistant. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-CONSOLE-23-001/002 — Provide Console catalog + component lookup endpoints (filters, overlays, raw projections). Coordinate caching hints with Web + Console teams. - 2. [TODO] SBOM-GRAPH-24-001..004 — Maintain graph node/edge collections, builders, diff events, and caches feeding Graph Explorer. - 3. [TODO] SBOM-VULN-29-001/002 — Emit enriched inventory evidence (scope/runtime/path/safe versions) and resolver feeds for Vuln Explorer. - 4. [TODO] SBOM-AIAI-31-001/002 — Deliver path/timeline APIs and telemetry for Advisory AI remediation hints. - - Team: Concelier WebService Guild - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. 
[TODO] CONCELIER-CONSOLE-23-001..003 — Deliver advisory aggregation views, delta metrics feed, and search helpers backing Dashboard/Search modules. - 2. [TODO] CONCELIER-VULN-29-001..004 — Normalize advisory keys, expose raw evidence, publish safe fix hints, and instrument metrics for Vuln Explorer. - 3. [TODO] CONCELIER-AIAI-31-001..003 — Provide paragraph anchors, structured fields, and telemetry required by Advisory AI. - - Team: Excititor WebService Guild - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 1. [TODO] EXCITITOR-CONSOLE-23-001..003 — Provide VEX aggregation, override deltas, and search helpers for Console UX. - 2. [TODO] EXCITITOR-GRAPH-24-101/102 — Supply VEX summaries for Graph Explorer overlays and inspectors. - 3. [TODO] EXCITITOR-VULN-29-001..004 — Canonicalize VEX keys, surface evidence APIs, suppression metadata, and telemetry for Vuln Explorer. - 4. [TODO] EXCITITOR-AIAI-31-001..003 — Serve VEX chunks/justifications/signature metadata and telemetry for Advisory AI. - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-CONSOLE-23-001 — Extend runs API with SSE progress stream, queue lag summaries, RBAC-gated actions. - 2. [TODO] SCHED-CONSOLE-27-001/002, SCHED-WEB-21-001/002 — Surface policy batch sim orchestration and graph build/overlay monitoring endpoints. - 3. [TODO] SCHED-VULN-29-001/002 — Provide resolver job APIs and lag metrics for Vulnerability Explorer recomputation. - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-CONSOLE-23-201/202 — Publish run progress events and coordinate evidence bundle jobs consumed by Console + gateway. - 2. [TODO] SCHED-WORKER-27-301..303, SCHED-WORKER-21-201..203 — Execute policy batch simulation sharding/reduction and graph build/overlay workers with telemetry + security controls. - 3. 
[TODO] SCHED-WORKER-29-001..003 — Run vulnerability resolver/evaluation workers and monitoring to keep projections fresh. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CONSOLE-23-001/002 — Add console CI workflow (pnpm lint/test/Playwright/Lighthouse) and produce `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. - 2. [TODO] DEVOPS-POLICY-27-001..004 — Wire policy lint/compile/test jobs, optional batch simulation CI, signing key management, and telemetry dashboards/alerts. - 3. [TODO] DEVOPS-GRAPH-28-001..003 — Stand up graph perf/load tests, rate limiting/backpressure controls, and observability dashboards/alerts. - 4. [TODO] DEVOPS-VULN-29-001..003 — Establish ledger CI/backups/anchoring, Vuln Explorer performance dashboards/alerts, and telemetry privacy safeguards. - 5. [TODO] DEVOPS-VEX-30-001 — Provision CI/perf/dashboards/alerts for VEX Lens & Issuer Directory. - 6. [TODO] DEVOPS-AIAI-31-001 — Provide CI, inference monitoring, privacy review, perf dashboards, and alerts for Advisory AI service. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DOWNLOADS-CONSOLE-23-001 — Maintain signed downloads manifest pipeline used by Console `/downloads` and docs parity checks. - 2. [TODO] DEPLOY-POLICY-27-001/002 — Provide Policy Registry deployment overlays and publish policy rollout/rollback runbook. - 3. [TODO] DEPLOY-GRAPH-28-001 — Create deployment/offline instructions for Graph Indexer/API (including cache seeds). - 4. [TODO] DEPLOY-VULN-29-001/002 — Package Findings Ledger and Vuln Explorer API deployments with migrations/backups/offline guidance. - 5. [TODO] DEPLOY-VEX-30-001/002 — Provide deployments/offline instructions for VEX Lens and Issuer Directory. - 6. [TODO] DEPLOY-AIAI-31-001 — Deliver Advisory AI deployment manifests, GPU toggle guidance, and offline kit instructions. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. 
[TODO] DOCS-CONSOLE-23-001..017 — Publish the Console doc suite (overview, navigation, module guides, deploy/install, security, observability, parity matrix, accessibility, UI tours). Coordinate media capture with Console Guild. - 2. [TODO] DOCS-POLICY-27-001..014 — Deliver Policy Studio documentation set (overview, authoring, versioning, simulation, review, promotion, CLI/API/security/observability/runbooks/templates/AOC guardrails). - 3. [TODO] DOCS-GRAPH-28-001..012 — Produce Graph Explorer documentation (overview, console usage, query language, API, CLI, overlays, advisory/VEX integration, architecture, telemetry, runbooks, security). - 4. [TODO] DOCS-VULN-29-001..013 — Author Vulnerability Explorer documents (overview, console usage, API/CLI, ledger, policy mapping, advisory/VEX integration, SBOM resolution, telemetry, security, runbooks, install updates). - 5. [TODO] DOCS-VEX-30-001..009 — Publish VEX Lens documentation set (overview, algorithm, issuer directory, APIs, console, policy trust model, mapping, signatures, runbooks). - 6. [TODO] DOCS-AIAI-31-001..009 — Publish Advisory AI documentation suite (overview, architecture, APIs, console, CLI, policy parameters, guardrails, remediation heuristics, ops runbook). - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-POLICY-27-001..005 — Implement Policy Studio CLI lifecycle (init→lint→simulate→submit→approve→publish→promote/rollback), enhance simulation reporting, and update documentation with CI-friendly outputs. - 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. - 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. - 4. [TODO] CLI-VEX-30-001..004 — Provide VEX Lens CLI commands (consensus list/show/simulate/export). - 5. 
[TODO] CLI-AIAI-31-001..004 — Implement Advisory AI CLI commands (`stella advise *`) with docs and tests. - 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. - 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. -- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-002 (Wave 4)) before starting and report status in module TASKS.md. -- Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (DONE), NOTIFY-CONN-TEAMS-15-602 (DONE), NOTIFY-CONN-EMAIL-15-702 (BLOCKED 2025-10-20), NOTIFY-CONN-WEBHOOK-15-802 (BLOCKED 2025-10-20). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-308D/G/P completed (2025-10-23/2025-10-22/2025-10-23); pending items are SCANNER-ANALYZERS-LANG-10-308R (TODO). 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-307D (Wave 4), SCANNER-ANALYZERS-LANG-10-307G (Wave 4), SCANNER-ANALYZERS-LANG-10-307P (Wave 4), SCANNER-ANALYZERS-LANG-10-307R (Wave 4)) before starting and report status in module TASKS.md. - -### Wave 6 -- Team Notify Connectors Guild: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-503 (DONE), NOTIFY-CONN-TEAMS-15-603 (DONE), NOTIFY-CONN-EMAIL-15-703 (DONE), NOTIFY-CONN-WEBHOOK-15-803 (DONE). Confirm packaging outputs remain deterministic while upstream implementation tasks (15-702/802) stay blocked. -- Team TBD: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-309D/G/P completed (2025-10-23/2025-10-22/2025-10-23); remaining item is SCANNER-ANALYZERS-LANG-10-309R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-308D (Wave 5), SCANNER-ANALYZERS-LANG-10-308G (Wave 5), SCANNER-ANALYZERS-LANG-10-308P (Wave 5), SCANNER-ANALYZERS-LANG-10-308R (Wave 5)) before starting and report status in module TASKS.md. - -### Wave 7 -- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 7 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDSTORAGE-DATA-07-001 (Wave 10)) before starting and report status in module TASKS.md. 
- -### Wave 8 -- Team Team Core Engine & Data Science: read EXECPLAN.md Wave 8 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-002 (DONE 2025-10-21). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. - -### Wave 9 -- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 9 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. FEEDCORE-ENGINE-07-003 marked DONE (2025-10-21); share ledger heuristics with Policy when integrating confidence decay. - -### Wave 10 -- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 10 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-DATA-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDMERGE-ENGINE-07-001 (Wave 11)) before starting and report status in module TASKS.md. - -### Wave 11 — 48 task(s) ready after Wave 10 -- **Sprint 25** · Exceptions v1 - - Team: Policy Guild - - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-EXC-25-001, POLICY-ENGINE-70-001..005 — SPL updates, evaluation layer, storage, cache, observability, worker hooks. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-EXC-25-001..003 — Exceptions API workflow, policy integration, events/notifications. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-EXC-25-001..005 — Exception Center, creation wizard, inline flows, badges, accessibility. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-EXC-25-001/002 — CLI workflow commands and simulation overrides. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-EXC-25-001/002 — Exception scopes, routing matrix, docs. 
- - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-25-101/102 — Exception lifecycle + expiring notification jobs. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-EXC-25-001..007 — Governance, approvals, API, policy effects, UI, CLI, migration docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] (future) exception monitoring/notifications integration if needed (track under DEVOPS-LNM-22-003 extension). - -- Team BE-Merge: read EXECPLAN.md Wave 11 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. FEEDMERGE-ENGINE-07-001 marked DONE (2025-10-20); share conflict explainer rollout notes with Storage before Wave 10 resumes. - -### Wave 12 — 40 task(s) ready after Wave 11 -- **Sprint 26** · Reachability v1 - - Team: Signals Guild - - Path: `src/Signals/StellaOps.Signals/TASKS.md` - 1. [TODO] SIGNALS-24-001..005 — Signals service API, parsers, runtime ingest, scoring, caching/events. - - Team: Policy Guild - - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-SPL-24-001, POLICY-ENGINE-80-001..004 — SPL updates, evaluation integration, cache optimization, metrics. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-SIG-26-001..003 — Signals endpoints, reachability joins, simulation overrides. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-SIG-26-001..004 — Reachability columns/overlays, explain drawer, center. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-SIG-26-001/002 — CLI commands for reachability upload/list/simulate. - - Team: Authority Core - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-SIG-26-001 — Signals scopes/roles with AOC requirements. 
- - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-26-201/202 — Reachability joiner and staleness monitor jobs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-SIG-26-001/002 — Deployment pipelines and observability for Signals. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-SIG-26-001..008 — Reachability concepts, formats, runtime, policy weighting, UI, CLI, API, migration docs. - - Team: Concelier/Excititor Guilds - - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. [TODO] CONCELIER-SIG-26-001, EXCITITOR-SIG-26-001 — Provide symbol/exploitability metadata to Signals. - - Team: Bench Guild - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-SIG-26-001/002 — Performance benchmarks for Signals and policy evaluation overhead. - -- Team Concelier Export Guild: read EXECPLAN.md Wave 12 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md`. Focus on CONCELIER-EXPORT-08-201 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. - -### Wave 13 -- Team Concelier Export Guild: read EXECPLAN.md Wave 13 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`. Focus on CONCELIER-EXPORT-08-202 (DONE 2025-10-19). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. - -### Wave 14 -- Team Concelier WebService Guild: read EXECPLAN.md Wave 14 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. CONCELIER-WEB-08-201 closed (2025-10-20); coordinate with DevOps for mirror smoke before promoting to stable. 
- -### Wave 15 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 15 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-001 (DONE 2025-10-20). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. - -### Wave 16 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 16 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. FEEDCONN-STELLA-08-002 completed (2025-10-20) with canonical DTO mapper + provenance fixtures. - -### Wave 17 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 17 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-003 (TODO). Confirm prerequisites (internal: FEEDCONN-STELLA-08-002 (Wave 16)) before starting and report status in module TASKS.md. - -## Wave 0 — 98 task(s) ready now -- **Sprint 1** · Backlog - - Team: UX Specialist, Angular Eng - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: WEB1.TRIVY-SETTINGS - • Current: DONE (2025-10-21) – ChromeHeadless launcher + README updates merged; dependency hardening completed via WEB1.DEPS-13-001. - • Prereqs: WEB1.TRIVY-SETTINGS-TESTS - • Current: DONE (2025-10-21) – Lockfile generated via `npm ci`, Chromium auto-detection/verification scripts added, and deterministic install guide published for offline runners. -- **Sprint 1** · Developer Tooling - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] EXCITITOR-CLI-01-002 — EXCITITOR-CLI-01-002 – Export download & attestation UX - • Prereqs: EXCITITOR-CLI-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed) - • Current: TODO – Display export metadata (sha256, size, Rekor link), support optional artifact download path, and handle cache hits gracefully. - - Team: Docs/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. 
[TODO] EXCITITOR-CLI-01-003 — EXCITITOR-CLI-01-003 – CLI docs & examples for Excititor - • Prereqs: EXCITITOR-CLI-01-001 (external/completed) - • Current: TODO – Update docs/09_API_CLI_REFERENCE.md and quickstart snippets to cover Excititor verbs, offline guidance, and attestation verification workflow. -- **Sprint 1** · Stabilize In-Progress Foundations - - Team: Team Connector Resumption – CERT/RedHat - - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md` - 1. [DOING] FEEDCONN-REDHAT-02-001 — Fixture validation sweep — Instructions to work: — Regenerating RHSA fixtures awaits remaining range provenance patches; review snapshot diffs and update docs once upstream helpers land. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. - • Prereqs: — - • Current: DOING (2025-10-10) - - Team: Team WebService & Authority - - Path: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md` - 1. [DOING] SEC2.PLG — Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`; Serilog enrichment complete, storage durability tests in flight. - • Prereqs: — - • Current: DOING (2025-10-14) - 2. [DOING] SEC3.PLG — Ensure lockout responses carry rate-limit metadata through plugin logs/events; retry-after propagation and limiter tests underway. - • Prereqs: — - • Current: DOING (2025-10-14) - 3. [DOING] SEC5.PLG — Address plugin-specific mitigations in threat model backlog; mitigation items tracked, docs updates pending. - • Prereqs: — - • Current: DOING (2025-10-14) - 4. [BLOCKED] PLG4-6.CAPABILITIES — Finalise capability metadata exposure and docs once Authority rate-limiter stream (CORE8/SEC3) is stable; awaiting dependency unblock. - • Prereqs: — - • Current: BLOCKED (2025-10-12) - 5. 
[TODO] PLG6.DIAGRAM — Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. - • Prereqs: — - • Current: TODO - 6. [REVIEW] PLG7.RFC — Socialize LDAP plugin RFC and capture guild feedback; awaiting final review sign-off and follow-up issue tracking. - • Prereqs: — - • Current: REVIEW (2025-10-13) - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. [DOING] FEEDWEB-DOCS-01-001 — Document authority toggle & scope requirements — Quickstart updates are staged; awaiting Docs guild review before publishing operator guide refresh. - • Prereqs: — - • Current: DOING (2025-10-10) - 3. [BLOCKED] FEEDWEB-OPS-01-007 — Authority resilience adoption — Roll out retry/offline knobs to deployment docs and align CLI parity once LIB5 resilience options land; unblock when library release is available and docs review completes. - • Prereqs: — - • Current: BLOCKED (2025-10-10) -- **Sprint 2** · Connector & Data Implementation Wave - - Team: Docs Guild, Plugin Team - - Path: `docs/TASKS.md` - 1. [REVIEW] DOC4.AUTH-PDG — Copy-edit `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, export lifecycle diagram, add LDAP RFC cross-link. - • Prereqs: — - • Current: REVIEW - - Team: Team Merge & QA Enforcement - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md` - 1. [DOING] FEEDMERGE-COORD-02-900 — Range primitives rollout coordination — Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) to emit canonical range primitives with provenance tags; fixtures tracked in `RANGE_PRIMITIVES_COORDINATION.md`. - • Prereqs: — - • Current: DOING (2025-10-20) – Coordination docs refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24); escalation plan defined if deadlines slip. 
-- **Sprint 3** · Backlog - - Team: Tools Guild, BE-Conn-MSRC - - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md` - 1. [**TODO] FEEDCONN-SHARED-STATE-003 — FEEDCONN-SHARED-STATE-003 Source state seeding helper - • Prereqs: — - • Current: **TODO (2025-10-15)** – Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. -- **Sprint 5** · Excititor Core Foundations - - Team: Team Excititor Attestation - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md` - 1. [TODO] EXCITITOR-ATTEST-01-003 — EXCITITOR-ATTEST-01-003 – Verification suite & observability - • Prereqs: EXCITITOR-ATTEST-01-002 (external/completed) - • Current: TODO – Add verification helpers for Worker/WebService, metrics/logging hooks, and negative-path regression tests. - - Team: Team Excititor WebService - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 2. [TODO] EXCITITOR-WEB-01-003 — EXCITITOR-WEB-01-003 – Export & verify endpoints - • Prereqs: EXCITITOR-WEB-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-ATTEST-01-001 (external/completed) - • Current: TODO – Add `/excititor/export`, `/excititor/export/{id}`, `/excititor/export/{id}/download`, `/excititor/verify`, returning artifact + attestation metadata with cache awareness. -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – Cisco - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md` - 1. 
[TODO] EXCITITOR-CONN-CISCO-01-003 — EXCITITOR-CONN-CISCO-01-003 – Provider trust metadata - • Prereqs: EXCITITOR-CONN-CISCO-01-002 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit cosign/PGP trust metadata and advisory provenance hints for policy weighting. - - Team: Team Excititor Connectors – MSRC - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-MS-01-002 — EXCITITOR-CONN-MS-01-002 – CSAF download pipeline - • Prereqs: EXCITITOR-CONN-MS-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF packages with retry/backoff, checksum verification, and raw document persistence plus quarantine for schema failures. - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [DOING] EXCITITOR-CONN-ORACLE-01-001 — EXCITITOR-CONN-ORACLE-01-001 – Oracle CSAF catalogue discovery - • Prereqs: EXCITITOR-CONN-ABS-01-001 (external/completed) - • Current: DOING (2025-10-17) – Implement catalogue discovery, CPU calendar awareness, and offline snapshot import for Oracle CSAF feeds. - - Team: Team Excititor Connectors – SUSE - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` - 1. [TODO] EXCITITOR-CONN-SUSE-01-002 — EXCITITOR-CONN-SUSE-01-002 – Checkpointed event ingestion - • Prereqs: EXCITITOR-CONN-SUSE-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Process hub events with resume checkpoints, deduplication, and quarantine path for malformed payloads. - - Team: Team Excititor Connectors – Ubuntu - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` - 1. 
[TODO] EXCITITOR-CONN-UBUNTU-01-002 — EXCITITOR-CONN-UBUNTU-01-002 – Incremental fetch & deduplication - • Prereqs: EXCITITOR-CONN-UBUNTU-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF bundles with ETag handling, checksum validation, deduplication, and raw persistence. - - Team: Team Excititor Formats - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-002 — EXCITITOR-FMT-CSAF-01-002 – Status/justification mapping - • Prereqs: EXCITITOR-FMT-CSAF-01-001 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) - • Current: DONE – Normalizer now emits policy-safe status/justification mappings and flags unsupported or missing evidence for audit diagnostics. - 2. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-003 — EXCITITOR-FMT-CSAF-01-003 – CSAF export adapter - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CSAF-01-001 (external/completed) - • Current: DONE – CSAF exporter produces deterministic documents with reconciled product tree, vulnerability statuses, and export metadata. - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-002 — EXCITITOR-FMT-CYCLONE-01-002 – Component reference reconciliation - • Prereqs: EXCITITOR-FMT-CYCLONE-01-001 (external/completed) - • Current: DONE – Component reconciler issues stable bom-refs, aggregates identifiers, and records diagnostics for missing SBOM linkage. - 2. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-003 — EXCITITOR-FMT-CYCLONE-01-003 – CycloneDX export serializer - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CYCLONE-01-001 (external/completed) - • Current: DONE – CycloneDX exporter delivers canonical VEX payloads with reconciled components, per-claim analyses, and metadata for caching. 
- - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-002 — EXCITITOR-FMT-OPENVEX-01-002 – Statement merge utilities - • Prereqs: EXCITITOR-FMT-OPENVEX-01-001 (external/completed) - • Current: DONE – Merge utilities combine statements deterministically, highlight conflicts, and preserve source diagnostics for policy checks. - 2. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-003 — EXCITITOR-FMT-OPENVEX-01-003 – OpenVEX export writer - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-OPENVEX-01-001 (external/completed) - • Current: DONE – OpenVEX exporter serializes merged statements with canonical ordering, provenance metadata, and deterministic digests. - -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-004 (external/completed), EXCITITOR-CORE-02-001 (external/completed) - • Current: TODO – Emit consensus+score envelopes in export manifests, include policy/scoring digests, and update offline bundle/ORAS layouts to carry signed VEX responses. - -- **Sprint 9** · Docs & Governance - - - Team: Runtime Guild - - Path: `docs/TASKS.md` - 1. [TODO] RUNTIME-GUILD-09-402 — Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. - • Prereqs: SCANNER-POLICY-09-107 (external/completed) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-302B (external/completed) - • Current: DONE — Telemetry counter wired, lifecycle script evidence emitted; see Node analyzer fixtures. 
-- **Sprint 10** · Scanner Analyzers & SBOM - - Team: Diff Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md` - • Prereqs: — - • Current: DONE — Diff engine produces deterministic add/remove/version deltas; regression suite covers warm/cold path parity. - • Prereqs: — - • Current: DONE — Layer attribution recorded on every change; fixtures assert provenance integrity. - • Prereqs: — - • Current: DONE — JSON serializer emits stable ordering; golden outputs locked in tests. - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - • Prereqs: — - • Current: DONE — Inventory builder validated against CycloneDX schema; deterministic fixtures added. - • Prereqs: — - • Current: DONE — Usage view toggles wired; tests confirm subset alignment with EntryTrace signals. - • Prereqs: — - • Current: DONE — BOM Index format published with roaring bitmap helpers; golden fixtures locked. - • Prereqs: — - • Current: DONE — Export packaging deterministic; integration test with storage succeeds. - • Prereqs: — - • Current: DONE — `bom-index@1` schema + fixtures published; Scheduler notes updated. - • Prereqs: — - • Current: DONE — EntryTrace usage bits round-trip in BOM Index; regression harness verified. - - Team: EntryTrace Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md` - • Prereqs: — - • Current: DONE — Parser emits stable AST; determinism tests captured. - • Prereqs: — - • Current: DONE — Resolver walks layered PATH with provenance evidence; fixtures validate. - • Prereqs: — - • Current: DONE — Interpreter tracer resolves Python/Node/Java hand-offs; golden graphs updated. - • Prereqs: — - • Current: DONE — Python analyzer surfaces venv/module details; usage flag propagated. - • Prereqs: — - • Current: DONE — Node/Java launchers traced end-to-end; evidence attached for each hop. - • Prereqs: — - • Current: DONE — Diagnostics enumerated, metrics emitted via `EntryTraceMetrics`. 
- • Prereqs: — - • Current: DONE — Plug-in manifests under `plugins/scanner/entrytrace`; restart-only guard documented. - - Team: Language Analyzer Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md` - • Prereqs: — - • Current: DONE — Implementation plan captured per language with progress notes through 2025-10-22. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` - • Prereqs: — - • Current: DONE — Java analyzer shipped with deterministic fixtures. - • Prereqs: — - • Current: DONE — Shared helpers live under Lang.Core and are consumed by Java/Node analyzers. - • Prereqs: — - • Current: DONE — Determinism harness + fixtures checked in; CI guard active. -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-RUNTIME-13-005 — Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. - • Prereqs: — - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Models Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md` - 1. [TODO] NOTIFY-MODELS-15-101 — Define core Notify DTOs, validation helpers, canonical serialization. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-MODELS-15-102 — Publish schema docs and sample payloads for Notify. - • Prereqs: — - • Current: TODO - 3. [TODO] NOTIFY-MODELS-15-103 — Versioning/migration helpers for rules/templates/deliveries. - • Prereqs: — - • Current: TODO - - Team: Notify Storage Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md` - 1. [TODO] NOTIFY-STORAGE-15-201 — Mongo schemas/indexes for rules, channels, deliveries, digests, locks, audit. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-STORAGE-15-202 — Repositories with tenant scoping, soft delete, TTL, causal consistency options. - • Prereqs: — - • Current: TODO - 3. 
[TODO] NOTIFY-STORAGE-15-203 — Delivery history retention and query APIs. - • Prereqs: — - • Current: TODO - - Team: Notify WebService Guild - - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` - 1. [TODO] NOTIFY-WEB-15-101 — Minimal API host with Authority enforcement and plug-in loading. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-WEB-15-102 — Rules/channel/template CRUD with audit logging. - • Prereqs: — - • Current: TODO - - Team: Scanner WebService Guild - - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` - 2. [BLOCKED] SCANNER-EVENTS-16-301 — Redis publisher integration tests once Notify queue adapter ships. - • Current: BLOCKED – waiting on Notify queue abstraction and Redis adapter deliverables for end-to-end validation. -- **Sprint 16** · Scheduler Intelligence - - - Team: Scheduler Storage Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` - 1. [TODO] SCHED-STORAGE-16-201 — Create Mongo collections (schedules, runs, impact_cursors, locks, audit) with indexes/migrations per architecture. - • Prereqs: SCHED-MODELS-16-101 (external/completed) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-101 — Bootstrap Minimal API host with Authority OpTok + DPoP, health endpoints, plug-in discovery per architecture §§1–2. - • Prereqs: SCHED-MODELS-16-101 (external/completed) - • Current: TODO -- **Sprint 18** · Launch Readiness - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-LAUNCH-18-100 - Finalise production environment footprint (clusters, secrets, network overlays) for full-platform go-live. - • Prereqs: — - • Current: TODO - 2. [TODO] DEVOPS-LAUNCH-18-900 - Collect "full implementation" sign-off from module owners and consolidate the launch readiness checklist. - • Prereqs: Wave 0 completion - • Current: TODO - 3. 
[TODO] DEVOPS-LAUNCH-18-001 - Production launch cutover rehearsal and runbook publication. - • Prereqs: DEVOPS-LAUNCH-18-100, DEVOPS-LAUNCH-18-900 - • Current: TODO - - Team: Offline Kit Guild, UX Specialist - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-18-003 — Capture Angular workspace npm cache + Chromium bundle for Offline Kit distribution and document refresh cadence. - • Prereqs: DEVOPS-OFFLINE-14-002 (Wave 2) - • Current: TODO - -## Wave 1 — 45 task(s) ready after Wave 0 -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – MSRC - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-MS-01-003 — EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints - • Prereqs: EXCITITOR-CONN-MS-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-ORACLE-01-002 — EXCITITOR-CONN-ORACLE-01-002 – CSAF download & dedupe pipeline - • Prereqs: EXCITITOR-CONN-ORACLE-01-001 (Wave 0), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF documents with retry/backoff, checksum validation, revision deduplication, and raw persistence. - - Team: Team Excititor Connectors – SUSE - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` - 1. [TODO] EXCITITOR-CONN-SUSE-01-003 — EXCITITOR-CONN-SUSE-01-003 – Trust metadata & policy hints - • Prereqs: EXCITITOR-CONN-SUSE-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit provider trust configuration (signers, weight overrides) and attach provenance hints for consensus engine. 
- - Team: Team Excititor Connectors – Ubuntu - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-UBUNTU-01-003 — EXCITITOR-CONN-UBUNTU-01-003 – Trust metadata & provenance - • Prereqs: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit Ubuntu signing metadata (GPG fingerprints) plus provenance hints for policy weighting and diagnostics. - - Team: Team Excititor Worker - - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` - 1. [TODO] EXCITITOR-WORKER-01-003 — EXCITITOR-WORKER-01-003 – Verification & cache GC loops - • Prereqs: EXCITITOR-WORKER-01-001 (external/completed), EXCITITOR-ATTEST-01-003 (Wave 0), EXCITITOR-EXPORT-01-002 (external/completed) - • Current: TODO – Add scheduled attestation re-verification and cache pruning routines, surfacing metrics for export reuse ratios. -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0) - • Current: TODO – Attach `quietedBy` statement IDs, signers, and justification codes to exports/offline bundles, mirror metadata into attested manifest, and add regression fixtures. -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — RID-aware deps/runtimeconfig parser emitting deterministic NuGet components with tests landed. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE – Varint build-info decoder implemented with fixtures and determinism harness coverage. 
- - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-302C (Wave 0) - • Current: DONE — Node analyzer now reuses shared metadata/evidence helpers. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Python analyzer ingests METADATA/WHEEL/entry_points with deterministic ordering and UTF-8 normalization. Fixtures updated (`simple-venv`). - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Cargo metadata walker emits `pkg:cargo` components with provenance and deterministic fixtures. -- **Sprint 10** · Scanner Analyzers & SBOM - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - • Prereqs: SCANNER-EMIT-10-604 (Wave 0), POLICY-CORE-09-005 (Wave 0) - • Current: DONE — SBOM/attestation fixtures include scoring metadata and serialize deterministically. - - Team: Language Analyzer Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-301 (Wave 0) - • Current: DONE — Manifest published under `plugins/scanner/analyzers/lang/`, Worker loader wired, integration tests updated. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Rust analyzer emits cargo components with provenance and deterministic fallbacks. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Workspace/symlink coverage validated via determinism fixtures; metrics + lifecycle script evidence landed. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Buildinfo decoder + DWARF fallbacks captured; fixtures and benchmarks green. 
- • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — RID-aware deps/runtimeconfig parser emits deterministic NuGet components; tests landed. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Dist-info parser, RECORD verifier, editable install metadata, and entrypoint usage hints shipped with deterministic fixture/tests. -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI, QA Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-RUNTIME-13-009 — CLI-RUNTIME-13-009 – Runtime policy smoke fixture - • Prereqs: CLI-RUNTIME-13-005 (Wave 0) - • Current: TODO – Build Spectre test harness exercising `runtime policy test` against a stubbed backend to lock output shape (table + `--json`) and guard regressions. Integrate into `dotnet test` suite. - - Team: UX Specialist, Angular Eng, DevEx - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: WEB1.TRIVY-SETTINGS-TESTS (Wave 0) - • Current: TODO – Capture deterministic lockfile flow, cache Puppeteer downloads, validate `npm test` from clean checkout offline, and update README. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-VEX-13-003 — Implement VEX explorer + policy editor with preview integration. - • Prereqs: EXCITITOR-CORE-02-001 (external/completed), EXCITITOR-EXPORT-01-005 (Wave 0) - • Current: TODO - 2. [TODO] UI-POLICY-13-007 — Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. - • Prereqs: POLICY-CORE-09-006 (Wave 0), SCANNER-WEB-09-103 (external/completed) - • Current: TODO - 3. [TODO] UI-ADMIN-13-004 — Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. - • Prereqs: AUTH-MTLS-11-002 (Wave 0) - • Current: TODO - • Prereqs: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0) - • Current: TODO - 5. [TODO] UI-SCANS-13-002 — Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets. 
- • Prereqs: SCANNER-WEB-09-102 (external/completed), SIGNER-API-11-101 (Wave 0) - • Current: TODO - • Prereqs: NOTIFY-WEB-15-101 (Wave 0) - • Current: TODO - 7. [TODO] UI-SCHED-13-005 — Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks. - • Prereqs: SCHED-WEB-16-101 (Wave 0) - • Current: TODO -- **Sprint 13** · Platform Reliability - - Team: DevOps Guild, Platform Leads - - Path: `ops/devops/TASKS.md` - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: DOING – Mirror preview packages into Offline Kit/allowlisted feeds, update NuGet.config mapping, and refresh restore documentation. - 2. [TODO] DEVOPS-UI-13-006 — Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting. - • Current: TODO – Extend release/offline pipelines to run `npm run test:e2e`, publish traces on failure, and ensure stub config assets ship alongside the UI bundle. -- **Sprint 14** · Release & Offline Ops - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [DOING 2025-10-23] DEVOPS-REL-14-001 — Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation. - • Current: TODO - - Team: Licensing Guild - - Path: `ops/licensing/TASKS.md` - 1. [TODO] DEVOPS-LIC-14-004 — Implement registry token service tied to Authority (DPoP/mTLS), plan gating, revocation handling, and monitoring per architecture. - • Prereqs: AUTH-MTLS-11-002 (Wave 0) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [DOING (2025-10-24)] NOTIFY-ENGINE-15-301 — Rules evaluation core: tenant/kind filters, severity/delta gates, VEX gating, throttling, idempotency key generation. 
- • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) - • Current: DOING (2025-10-24) - - Team: Notify Queue Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` - • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) - • Current: DONE — Redis transport, queue contracts, and integration tests delivered (2025-10-23). - -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler ImpactIndex Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` - 1. [TODO] SCHED-IMPACT-16-301 — Implement ingestion of per-image BOM-Index sidecars into roaring bitmap store (contains/usedBy). - • Prereqs: SCANNER-EMIT-10-605 (Wave 0) - • Current: TODO - - - Team: Scheduler Storage Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` - 1. [TODO] SCHED-STORAGE-16-203 — Audit/logging pipeline + run stats materialized views for UI. - • Prereqs: SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - 2. [TODO] SCHED-STORAGE-16-202 — Implement repositories/services with tenant scoping, soft delete, TTL for completed runs, and causal consistency options. - • Prereqs: SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-104 — Webhook endpoints for Feedser/Vexer exports with mTLS/HMAC validation and rate limiting. - • Prereqs: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - 2. [TODO] SCHED-WEB-16-102 — Implement schedules CRUD (tenant-scoped) with cron validation, pause/resume, audit logging. - • Prereqs: SCHED-WEB-16-101 (Wave 0) - • Current: TODO - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-201 — Planner loop (cron + event triggers) with lease management, fairness, and rate limiting (§6). 
- • Prereqs: SCHED-QUEUE-16-401 (Wave 0) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - 1. [TODO] SCANNER-EMIT-17-701 — Record GNU build-id for ELF components and surface it in inventory/usage SBOM plus diff payloads with deterministic ordering. - • Prereqs: SCANNER-EMIT-10-602 (Wave 0) - • Current: TODO - -## Wave 2 — 29 task(s) ready after Wave 1 -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-ORACLE-01-003 — EXCITITOR-CONN-ORACLE-01-003 – Trust metadata + provenance - • Prereqs: EXCITITOR-CONN-ORACLE-01-002 (Wave 1), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit Oracle signing metadata (PGP/cosign) and provenance hints for consensus weighting. -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-006 (Wave 1) - • Current: TODO – Create per-domain mirror bundles with consensus/score artifacts, publish signed index for downstream Excititor sync, and ensure deterministic digests + fixtures. -- **Sprint 9** · DevOps Foundations - - Team: DevOps Guild, Notify Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-SCANNER-09-205 — Add Notify smoke stage that tails the Redis stream and asserts `scanner.report.ready`/`scanner.scan.completed` reach Notify WebService in staging. 
- • Prereqs: DEVOPS-SCANNER-09-204 (Wave 1) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) - • Current: DONE — Assembly metadata now emits strong-name, file/product info, and optional Authenticode signals with deterministic fixtures/tests. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304A (Wave 1) - • Current: DONE — DWARF fallback parses vcs.* markers, cache reuses metadata keyed by file identity. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307N (Wave 1) - • Current: DONE — Harness + fixtures merged; benchmark CSV recorded under `src/Bench/StellaOps.Bench/Scanner.Analyzers`. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-303A (Wave 1) - • Current: DONE — Streaming SHA-256 verification with deterministic mismatch evidence; unsupported algorithms tracked; fixtures validated. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-306A (Wave 1) - • Current: DONE — Heuristic classifier flags stripped binaries, regression tests guard false positives. -- **Sprint 10** · DevOps Perf - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - • Prereqs: BENCH-SCANNER-10-002 (Wave 1) - • Current: DONE (2025-10-23) -- **Sprint 10** · Samples - - Team: Samples Guild, Policy Guild - - Path: `samples/TASKS.md` - • Prereqs: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1) - • Current: DONE (2025-10-23) - - Team: UI Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: SAMPLES-13-004 (Wave 0) - • Current: DONE (2025-10-23) -- **Sprint 14** · Release & Offline Ops - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. 
[TODO] DEVOPS-OPS-14-003 — Document and script upgrade/rollback flows, channel management, and compatibility matrices per architecture. - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: TODO - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-14-002 — Build offline kit packaging workflow (artifact bundling, manifest generation, signature verification). - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: TODO -- **Sprint 15** · Benchmarks - - Team: Bench Guild, Notify Team - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-NOTIFY-15-001 — Notify dispatch throughput bench (vary rule density) with results CSV. - • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-302 — Action planner + digest coalescer with window management and dedupe per architecture §4. - • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO - - Team: Notify Queue Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` - • Current: DONE — delivery queue + retry/dead-letter pipeline shipped with integration tests and metrics (2025-10-23). - • Current: DONE — JetStream transport, DI binding, health check, and integration tests delivered (2025-10-23). - - Team: Notify WebService Guild - - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` - 1. [TODO] NOTIFY-WEB-15-104 — Configuration binding for Mongo/queue/secrets; startup diagnostics. - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - • Current: DONE — worker leasing loop wired to queue adapters with retry/backoff telemetry (2025-10-23). - 2. [TODO] NOTIFY-WORKER-15-202 — Wire rules evaluation pipeline (tenant scoping, filters, throttles, digests, idempotency) with deterministic decisions. 
- • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO -- **Sprint 16** · Benchmarks - - Team: Bench Guild, Scheduler Team - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-IMPACT-16-001 — ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler ImpactIndex Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` - 1. [TODO] SCHED-IMPACT-16-303 — Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - 2. [TODO] SCHED-IMPACT-16-302 — Provide query APIs (ResolveByPurls, ResolveByVulns, ResolveAll, selectors) with tenant/namespace filters. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-103 — Runs API (list/detail/cancel), ad-hoc run POST, and impact preview endpoints. - • Prereqs: SCHED-WEB-16-102 (Wave 1) - • Current: TODO - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-202 — Wire ImpactIndex targeting (ResolveByPurls/vulns), dedupe, shard planning. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - 2. [TODO] SCHED-WORKER-16-205 — Metrics/telemetry: run stats, queue depth, planner latency, delta counts. - • Prereqs: SCHED-WORKER-16-201 (Wave 1) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-REL-17-002 — Persist stripped-debug artifacts organised by GNU build-id and bundle them into release/offline kits with checksum manifests. 
- • Prereqs: DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1) - • Current: TODO - -## Wave 3 — 14 task(s) ready after Wave 2 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-007 (Wave 2) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) - • Current: DONE — Self-contained fixtures emit components with RID flags; EntryTrace usage hints preserved. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304B (Wave 2) - • Current: DONE — `bin:{sha256}` fallback + quiet provenance docs shipped with determinism fixtures. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-308N (Wave 2) - • Current: DONE — Manifest shipped, Worker catalog integration complete, Offline Kit docs updated. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-303B (Wave 2) - • Current: DONE — `direct_url.json` editable insights surfaced; EntryTrace usage hints mark console scripts; deterministic fixture covers editable vs wheel installs. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-306B (Wave 2) - • Current: DONE — Hash fallback wired through shared helpers; fixtures ensure deterministic output. -- **Sprint 13** · UX & CLI Experience - - - Team: DevEx/CLI, Scanner WebService Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. 
[TODO] CLI-RUNTIME-13-008 — CLI-RUNTIME-13-008 – Runtime policy contract sync - • Current: TODO – Once `/api/v1/scanner/policy/runtime` exits TODO, verify CLI output against final schema (field names, metadata) and update formatter/tests if the contract moves. Capture joint review notes in docs/09 and link Scanner task sign-off. -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-303 — Template rendering engine (Slack, Teams, Email, Webhook) with helpers and i18n support. - • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - 1. [TODO] NOTIFY-WORKER-15-203 — Channel dispatch orchestration: invoke connectors, manage retries/jitter, record delivery outcomes. - • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-203 — Runner execution: call Scanner `/reports` (analysis-only) or `/scans` when configured; collect deltas; handle retries. - • Prereqs: SCHED-WORKER-16-202 (Wave 2) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Zastava Observer Guild - - Path: `src/Zastava/StellaOps.Zastava.Observer/TASKS.md` - • Current: DONE — Build-id capture wired through RuntimeProcessCollector + RuntimeEventFactory; docs/runbook updated with debug-store workflow. - -## Wave 4 — 15 task(s) ready after Wave 3 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - 1. [TODO] EXCITITOR-CONN-STELLA-07-002 — Normalize mirror bundles into VexClaim sets referencing original provider metadata and mirror provenance. 
- • Prereqs: EXCITITOR-CONN-STELLA-07-001 (Wave 3) - • Current: TODO -- **Sprint 9** · Policy Foundations - - Team: Policy Guild, Scanner WebService Guild - - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md` - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305C (Wave 3) - • Current: DONE 2025-10-22 - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304C (Wave 3) - • Current: DONE — Shared helpers integrated; concurrency tests verify buffer reuse. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - 1. [TODO] SCANNER-ANALYZERS-LANG-10-307P — Shared helper integration (license metadata, quiet provenance, component merging). - • Prereqs: SCANNER-ANALYZERS-LANG-10-303C (Wave 3) - • Current: TODO - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - 1. [DOING] SCANNER-ANALYZERS-LANG-10-307R — Finalize shared helper usage (license, usage flags) and concurrency-safe caches. - • Prereqs: SCANNER-ANALYZERS-LANG-10-306C (Wave 3) - • Current: TODO -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - • Prereqs: CLI-RUNTIME-13-005 (Wave 0), CLI-OFFLINE-13-006 (Wave 3) - • Current: TODO – Package non-core verbs as restart-time plug-ins (manifest + loader updates, tests ensuring no hot reload). -- **Sprint 15** · Notify Foundations - - Team: Notify Connectors Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` - 1. [TODO] NOTIFY-CONN-EMAIL-15-701 — Implement SMTP connector with STARTTLS/implicit TLS support, HTML+text rendering, attachment policy enforcement. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md` - 1. 
[TODO] NOTIFY-CONN-SLACK-15-501 — Implement Slack connector with bot token auth, message rendering (blocks), rate limit handling, retries/backoff. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md` - 1. [TODO] NOTIFY-CONN-TEAMS-15-601 — Implement Teams connector using Adaptive Cards 1.5, handle webhook auth, size limits, retries. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md` - 1. [TODO] NOTIFY-CONN-WEBHOOK-15-801 — Implement webhook connector: JSON payload, signature (HMAC/Ed25519), retries/backoff, status code handling. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-304 — Test-send sandbox + preview utilities for WebService. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - 1. [TODO] NOTIFY-WORKER-15-204 — Metrics/telemetry: `notify.sent_total`, `notify.dropped_total`, latency histograms, tracing integration. - • Prereqs: NOTIFY-WORKER-15-203 (Wave 3) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-204 — Emit events (`scheduler.rescan.delta`, `scanner.report.ready`) for Notify/UI with summaries. - • Prereqs: SCHED-WORKER-16-203 (Wave 3) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-RUNTIME-17-004 — Document build-id workflows: SBOM exposure, runtime event payloads, debug-store layout, and operator guidance for symbol retrieval. 
- • Current: TODO - -## Wave 5 — 10 task(s) ready after Wave 4 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - 1. [TODO] EXCITITOR-CONN-STELLA-07-003 — Implement incremental cursor handling per-export digest, support resume, and document configuration for downstream Excititor mirrors. - • Prereqs: EXCITITOR-CONN-STELLA-07-002 (Wave 4) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307D (Wave 4) - • Current: DONE — fixtures + benchmarks merged 2025-10-23 - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307G (Wave 4) - • Current: DONE — Fixtures and benchmark harness merged; perf delta captured vs competitor. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307P (Wave 4) - • Current: DONE — Fixtures `simple-venv`, `pip-cache`, `layered-editable` + hash throughput benchmarks merged 2025-10-23. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - 1. [TODO] SCANNER-ANALYZERS-LANG-10-308R — Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307R (Wave 4) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Connectors Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` - 1. [BLOCKED] NOTIFY-CONN-EMAIL-15-702 — Add DKIM signing optional support and health/test-send flows. - • Prereqs: NOTIFY-CONN-EMAIL-15-701 (Wave 4) - • Current: BLOCKED – waiting on base SMTP connector implementation (NOTIFY-CONN-EMAIL-15-701). 
  - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`
  - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`
  - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`
    1. [DOING] NOTIFY-CONN-WEBHOOK-15-802 — Health/test-send support with signature validation hints and secret management.
       • Prereqs: NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)
       • Current: TODO
- **Sprint 17** · Symbol Intelligence & Forensics
  - Team: Scanner WebService Guild
  - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md`
    • Current: DONE — runtime events normalize digests/build IDs, policy responses/CLI emit `buildIds`, docs/tests updated for debug-store workflows.

## Wave 6 — 8 task(s) ready after Wave 5
- **Sprint 10** · Backlog
  - Team: TBD
  - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
    • Prereqs: SCANNER-ANALYZERS-LANG-10-308D (Wave 5)
    • Current: DONE — manifest + Offline Kit docs updated 2025-10-23
  - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
    • Prereqs: SCANNER-ANALYZERS-LANG-10-308G (Wave 5)
    • Current: DONE — Manifest copied, Worker DI registration verified, Offline Kit docs updated.
  - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
    • Prereqs: SCANNER-ANALYZERS-LANG-10-308P (Wave 5)
    • Current: DONE — Manifest copied, Worker integration verified, Offline Kit docs updated with Python plug-in guidance.
  - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
    1. [TODO] SCANNER-ANALYZERS-LANG-10-309R — Package plug-in manifest + Offline Kit documentation; ensure Worker integration.
       • Prereqs: SCANNER-ANALYZERS-LANG-10-308R (Wave 5)
       • Current: TODO
- **Sprint 7** · Contextual Truth Foundations
  - Team: Team Normalization & Storage Backbone
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`
    • Prereqs: FEEDMERGE-ENGINE-07-001 (Wave 11)
    • Current: TODO – Create `advisory_statements` (immutable) and `advisory_conflicts` collections, define `asOf`/`vulnerabilityKey` indexes, and document migration/rollback steps for event-sourced merge.

## Wave 7 — 52 task(s) ready after Wave 6
- **Sprint 20** · Policy Engine v2
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-20-000 — New Policy Engine service host, DI bootstrap, Authority scaffolding.
       • Prereqs: POLICY-AOC-19-001 (Wave 1)
       • Current: TODO
    2. [TODO] POLICY-ENGINE-20-001 — `stella-dsl@1` parser + IR compiler with diagnostics/checksums.
       • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
       • Current: TODO
    3. [TODO] POLICY-ENGINE-20-002 — Deterministic evaluator (priority/first-match, safe intrinsics).
       • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
       • Current: TODO
    4. [TODO] POLICY-ENGINE-20-005 — Determinism guard preventing wall-clock/network/RNG usage.
       • Prereqs: POLICY-ENGINE-20-002 (Wave 7)
       • Current: TODO
    5. [TODO] POLICY-ENGINE-20-008 — Unit/property/golden/perf suites proving determinism + SLA.
       • Prereqs: POLICY-ENGINE-20-002/003/004/005/006/007 (Wave 7)
       • Current: TODO
    6. [TODO] POLICY-ENGINE-20-007 — Metrics/traces/log sampling for policy runs/rule hits.
       • Prereqs: POLICY-ENGINE-20-002 (Wave 7)
       • Current: TODO
    7. [TODO] POLICY-ENGINE-20-009 — Mongo schemas/indexes + migrations for policies/runs/findings.
       • Prereqs: POLICY-ENGINE-20-000 & POLICY-ENGINE-20-004 (Wave 7)
       • Current: TODO
  - Team: Policy Guild · Data Joiners
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-20-003 — SBOM↔advisory↔VEX joiners using linksets.
       • Prereqs: POLICY-ENGINE-20-001 (Wave 7), CONCELIER-POLICY-20-002 (Wave 7), EXCITITOR-POLICY-20-002 (Wave 7)
       • Current: TODO
    2. [TODO] POLICY-ENGINE-20-004 — Materialization writer to `effective_finding_*` with append-only history.
       • Prereqs: POLICY-ENGINE-20-003 (Wave 7), CONCELIER-POLICY-20-003 (Wave 7), EXCITITOR-POLICY-20-003 (Wave 7)
       • Current: TODO
    3. [TODO] POLICY-ENGINE-20-006 — Incremental orchestrator reacting to change streams.
       • Prereqs: POLICY-ENGINE-20-003/004 (Wave 7), SCHED-WORKER-20-301 (Wave 7)
       • Current: TODO
- **Sprint 20** · Policy API Surface
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-POLICY-20-001 — Policy CRUD/compile/run/simulate/findings/explain endpoints.
       • Prereqs: POLICY-ENGINE-20-001/004 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
       • Current: TODO
    2. [TODO] WEB-POLICY-20-002 — Pagination, filters, deterministic ordering.
       • Prereqs: WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
    3. [TODO] WEB-POLICY-20-003 — Error mapping to `ERR_POL_*` with contract tests.
       • Prereqs: WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
    4. [TODO] WEB-POLICY-20-004 — Simulation rate limits + metrics/headers.
       • Prereqs: WEB-POLICY-20-001/002 (Wave 7)
       • Current: TODO
- **Sprint 20** · Policy Console
  - Team: UI Guild
  - Path: `src/UI/StellaOps.UI/TASKS.md`
    1. [TODO] UI-POLICY-20-001 — Monaco editor with inline diagnostics/compliance checklist.
       • Prereqs: WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
    2. [TODO] UI-POLICY-20-002 — Simulation diff panel with virtualization + deltas.
       • Prereqs: UI-POLICY-20-001 (Wave 7), WEB-POLICY-20-001/002 (Wave 7)
       • Current: TODO
    3. [TODO] UI-POLICY-20-003 — Submit/review/approve workflow with RBAC + audit log.
       • Prereqs: UI-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
       • Current: TODO
    4. [TODO] UI-POLICY-20-004 — Run viewer dashboards (rule heatmap, VEX wins, suppressions).
       • Prereqs: POLICY-ENGINE-20-006/007 (Wave 7), WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
- **Sprint 20** · Policy CLI
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-POLICY-20-001 — `policy new|edit|submit|approve` commands.
       • Prereqs: WEB-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
       • Current: TODO
    2. [TODO] CLI-POLICY-20-002 — `policy simulate` with diff rendering + exit codes.
       • Prereqs: CLI-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
       • Current: TODO
    3. [TODO] CLI-POLICY-20-003 — `findings ls|get` policy-aware filters + explain output.
       • Prereqs: WEB-POLICY-20-001/002 (Wave 7)
       • Current: TODO
- **Sprint 20** · Policy Selection Services
  - Team: Concelier WebService Guild
  - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`
    1. [TODO] CONCELIER-POLICY-20-001 — Advisory selection endpoints for policy engine.
       • Prereqs: CONCELIER-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
  - Team: Concelier Core Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`
    1. [TODO] CONCELIER-POLICY-20-002 — Linkset enrichment with equivalence tables/ranges.
       • Prereqs: CONCELIER-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7)
       • Current: TODO
  - Team: Concelier Storage Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`
    1. [TODO] CONCELIER-POLICY-20-003 — Selection cursors + change-stream checkpoints.
       • Prereqs: CONCELIER-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7)
       • Current: TODO
  - Team: Excititor WebService Guild
  - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`
    1. [TODO] EXCITITOR-POLICY-20-001 — VEX selection APIs (batch PURL/ID, tenant filters).
       • Prereqs: EXCITITOR-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
  - Team: Excititor Core Guild
  - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`
    1. [TODO] EXCITITOR-POLICY-20-002 — Scope-aware linksets + version range handling.
       • Prereqs: EXCITITOR-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7)
       • Current: TODO
  - Team: Excititor Storage Guild
  - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`
    1. [TODO] EXCITITOR-POLICY-20-003 — Selection cursors + checkpoints for VEX change streams.
       • Prereqs: EXCITITOR-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7)
       • Current: TODO
- **Sprint 20** · Scheduler Integration
  - Team: Scheduler Models Guild
  - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`
    1. [TODO] SCHED-MODELS-20-001 — Policy run/diff DTOs + validation helpers.
       • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
       • Current: TODO
    2. [TODO] SCHED-MODELS-20-002 — Schema docs/sample payloads for policy runs.
       • Prereqs: SCHED-MODELS-20-001 (Wave 7)
       • Current: TODO
  - Team: Scheduler WebService Guild
  - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`
    1. [TODO] SCHED-WEB-20-001 — Policy run scheduling APIs with `policy:run` enforcement.
       • Prereqs: SCHED-WEB-16-101 (Wave 1), AUTH-POLICY-20-001 (Wave 7)
       • Current: TODO
    2. [TODO] SCHED-WEB-20-002 — Simulation trigger endpoint returning diff metadata.
       • Prereqs: SCHED-WEB-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
       • Current: TODO
  - Team: Scheduler Worker Guild
  - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`
    1. [TODO] SCHED-WORKER-20-301 — Trigger policy runs (full/incremental/simulate) via API.
       • Prereqs: SCHED-WORKER-16-201 (Wave 1), POLICY-ENGINE-20-000 (Wave 7)
       • Current: TODO
    2. [TODO] SCHED-WORKER-20-302 — Delta targeting for policy reruns using change streams.
       • Prereqs: SCHED-WORKER-20-301 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
       • Current: TODO
    3. [TODO] SCHED-WORKER-20-303 — Metrics/logs for scheduled policy runs.
       • Prereqs: SCHED-WORKER-20-301 (Wave 7)
       • Current: TODO
- **Sprint 20** · Authority & Security
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-POLICY-20-001 — Introduce policy scopes (`policy:*`, `findings:read`, `effective:write`).
       • Prereqs: AUTH-AOC-19-001 (Wave 1)
       • Current: TODO
    2. [TODO] AUTH-POLICY-20-002 — Enforce Policy Engine identity + gateway scope checks.
       • Prereqs: AUTH-POLICY-20-001 (Wave 7), AUTH-AOC-19-002 (Wave 1)
       • Current: TODO
    3. [TODO] AUTH-POLICY-20-003 — Update Authority docs/config samples for new scopes.
       • Prereqs: AUTH-POLICY-20-001 (Wave 7)
       • Current: TODO
- **Sprint 20** · CI/CD & Observability
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-POLICY-20-001 — Integrate DSL lint/compile checks in CI.
       • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
       • Current: TODO
    2. [TODO] DEVOPS-POLICY-20-002 — Run `stella policy simulate` stage on golden SBOMs.
       • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
       • Current: TODO
    3. [TODO] DEVOPS-POLICY-20-003 — Determinism CI diffing repeated policy runs.
       • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-005 (Wave 7)
       • Current: TODO
- **Sprint 20** · Documentation
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-POLICY-20-001 — `/docs/policy/overview.md`.
       • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
       • Current: TODO
    2. [TODO] DOCS-POLICY-20-002 — `/docs/policy/dsl.md` grammar + examples.
       • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
       • Current: TODO
    3. [TODO] DOCS-POLICY-20-003 — `/docs/policy/lifecycle.md` workflow/roles.
       • Prereqs: AUTH-POLICY-20-001 (Wave 7), WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
    4. [TODO] DOCS-POLICY-20-004 — `/docs/policy/runs.md` run modes + cursors.
       • Prereqs: POLICY-ENGINE-20-006 (Wave 7), SCHED-WEB-20-001 (Wave 7)
       • Current: TODO
    5. [TODO] DOCS-POLICY-20-005 — `/docs/api/policy.md` endpoints + schemas.
       • Prereqs: WEB-POLICY-20-001 (Wave 7)
       • Current: TODO
    6. [TODO] DOCS-POLICY-20-006 — `/docs/modules/cli/guides/policy.md` with command usage.
       • Prereqs: CLI-POLICY-20-002 (Wave 7)
       • Current: TODO
    7. [TODO] DOCS-POLICY-20-007 — `/docs/ui/policy-editor.md` flows + screenshots.
       • Prereqs: UI-POLICY-20-001/002/003 (Wave 7)
       • Current: TODO
    8. [TODO] DOCS-POLICY-20-008 — `/docs/architecture/policy-engine.md` with diagrams.
       • Prereqs: POLICY-ENGINE-20-003/006 (Wave 7)
       • Current: TODO
    9. [TODO] DOCS-POLICY-20-009 — `/docs/observability/policy.md` metrics/traces/logs.
       • Prereqs: POLICY-ENGINE-20-007 (Wave 7), DEVOPS-POLICY-20-002 (Wave 7)
       • Current: TODO
    10. [TODO] DOCS-POLICY-20-010 — `/docs/security/policy-governance.md` scopes/approvals.
        • Prereqs: AUTH-POLICY-20-002 (Wave 7)
        • Current: TODO
    11. [TODO] DOCS-POLICY-20-011 — `/docs/examples/policies/` sample policies + commentary.
        • Prereqs: POLICY-ENGINE-20-001/002 (Wave 7)
        • Current: TODO
    12. [TODO] DOCS-POLICY-20-012 — `/docs/faq/policy-faq.md` common pitfalls.
        • Prereqs: WEB-POLICY-20-003 (Wave 7), POLICY-ENGINE-20-005 (Wave 7)
        • Current: TODO
- **Sprint 20** · Samples & Benchmarks
  - Team: Samples Guild
  - Path: `samples/TASKS.md`
    1. [TODO] SAMPLES-POLICY-20-001 — Baseline/serverless/internal-only policy samples + fixtures.
       • Prereqs: POLICY-ENGINE-20-002 (Wave 7), DOCS-POLICY-20-011 (Wave 7)
       • Current: TODO
    2. [TODO] SAMPLES-POLICY-20-002 — Simulation diff fixtures for UI/CLI tests.
       • Prereqs: UI-POLICY-20-002 (Wave 7)
       • Current: TODO
  - Team: Bench Guild
  - Path: `src/Bench/StellaOps.Bench/TASKS.md`
    1. [TODO] BENCH-POLICY-20-001 — Policy evaluation performance benchmark suite.
       • Prereqs: POLICY-ENGINE-20-002/006 (Wave 7)
       • Current: TODO
    2. [TODO] BENCH-POLICY-20-002 — Incremental run benchmark tracking delta SLA.
       • Prereqs: BENCH-POLICY-20-001 (Wave 7), SCHED-WORKER-20-302 (Wave 7)
       • Current: TODO

## Wave 8 — 60 task(s) ready after Wave 7
- **Sprint 21** · Graph Explorer v1
  - Team: Cartographer Guild
  - Path: `src/Cartographer/StellaOps.Cartographer/TASKS.md`
    1. [TODO] CARTO-GRAPH-21-001/002/003/004 — Schema, projection reader, graph constructor, and layout tiling are ready once SBOM projections ship (Wave 7 prereqs).
    2. [TODO] CARTO-GRAPH-21-005/006/007/008/009 — Overlay worker, API surface, backfill/overlay jobs, testing, and deployment artefacts depend on Cartographer infrastructure plus Policy Engine 30-series work.
  - Team: SBOM Service Guild
  - Path: `src/SbomService/StellaOps.SbomService/TASKS.md`
    1. [TODO] SBOM-SERVICE-21-001/002/003/004 — Normalized projection API, change events, entrypoint management, and observability unblock Cartographer’s ingestion.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-30-001/002/003 — Graph overlay contract, simulation bridge, and change events rely on Policy Engine v2 core (Wave 7) and feed Cartographer overlays.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-GRAPH-21-001..004 — Graph gateway routes, validation, exports, and simulation bridging activate once Cartographer endpoints exist.
  - Team: UI Guild
  - Path: `src/UI/StellaOps.UI/TASKS.md`
    1. [TODO] UI-GRAPH-21-001..006 — Canvas, inspector, filters, paths, diff, and accessibility depend on Cartographer/Web graph APIs and Samples fixtures.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-GRAPH-21-001..003 — CLI commands, path/simulation options, and docs require Cartographer/Web readiness.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-GRAPH-21-001..003 — Graph scope issuance, enforcement, and documentation unblock service deployments.
  - Team: Scheduler Guilds
  - Paths: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`, `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`, `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`
    1. [TODO] SCHED-MODELS-21-001/002, SCHED-WEB-21-001/002, SCHED-WORKER-21-201..203 — Graph job DTOs, APIs, workers, and metrics coordinate Cartographer runs after SBOM change events.
  - Team: Concelier Guild
  - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`
    1. [TODO] CONCELIER-GRAPH-21-001..004 — SBOM projection enrichment and entrypoint APIs feed SBOM Service/Cartographer.
  - Team: Excititor Guild
  - Paths: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`
    1. [TODO] EXCITITOR-GRAPH-21-001..005 — Provide VEX inspector data, overlay enrichment, events, and indexes for Graph Explorer.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-GRAPH-21-001..003 — Perf tests, visual regression captures, and offline kit bundling align with Cartographer/SBOM readiness.
  - Team: Docs/Samples/Bench Guilds
  - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md`
    1. [TODO] DOCS-GRAPH-21-001..009, SAMPLES-GRAPH-21-001..002, BENCH-GRAPH-21-001..002 — Publish documentation set, sample assets, and benchmarks once API/UI stabilize.

## Wave 9 — 58 task(s) ready after Wave 8
- **Sprint 22** · Link-Not-Merge v1
  - Team: Concelier Core Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`
    1. [TODO] CONCELIER-LNM-21-001/002/003/004/005 — Observation schema, linkset builder, conflict annotator, merge removal, and event emission follow Graph wave completion and AOC guard readiness.
  - Team: Concelier Storage Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`
    1. [TODO] CONCELIER-LNM-21-101/102/103 — Collections, backfill tooling, and blob storage wiring depend on core schema finalization.
  - Team: Concelier WebService Guild
  - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`
    1. [TODO] CONCELIER-LNM-21-201/202/203 — Advisory observation/linkset APIs and event publishing follow storage readiness.
  - Team: BE-Merge
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`
    1. [TODO] MERGE-LNM-21-001/002/003 — Decommission merge pipeline once observation/linkset flow validated.
  - Team: Excititor Core Guild
  - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`
    1. [TODO] EXCITITOR-LNM-21-001..005 — VEX observations/linksets, conflicts, merge removal, and events mirror advisory work.
  - Team: Excititor Storage Guild
  - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`
    1. [TODO] EXCITITOR-LNM-21-101/102 — Collections and backfill for VEX data prepared after schema finalization.
  - Team: Excititor WebService Guild
  - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`
    1. [TODO] EXCITITOR-LNM-21-201..203 — VEX observation/linkset APIs and event publishing.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-40-001..003 — Effective severity adjustments, VEX conflict handling, and consumer utilities once observation/linkset data shape is fixed.
  - Team: Scanner WebService Guild
  - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md`
    1. [TODO] SCANNER-LNM-21-001/002 — Report/runtime updates and evidence endpoint leveraging new linksets.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-LNM-21-001..003 — Gateway exposure for advisory/vex APIs and policy evidence combos.
  - Team: UI Guild
  - Path: `src/UI/StellaOps.UI/TASKS.md`
    1. [TODO] UI-LNM-22-001..004 — Evidence panel, filters, VEX tab, permalinks after API readiness.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-LNM-22-001/002 — CLI support for observations/linksets and exports.
  - Team: Authority Core Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-AOC-19-001 — Scope rollout (`advisory/vex ingest/read`) enabling new APIs.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-LNM-22-001..003 — Migration automation, monitoring, and SLA alerts for observation pipelines.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-LNM-22-001..008 — Publish aggregation philosophy, API docs, UI guides, migration playbook.
  - Team: Samples Guild
  - Path: `samples/TASKS.md`
    1. [TODO] SAMPLES-LNM-22-001/002 — Observation/linkset fixtures for advisories and VEX.
  - Team: Bench Guild
  - Path: `src/Bench/StellaOps.Bench/TASKS.md`
    1. [TODO] BENCH-LNM-22-001/002 — Ingest/correlation performance benchmarks to enforce SLA.

## Wave 10 — 54 task(s) ready after Wave 9
- **Sprint 23** · Policy Engine + Editor v1
  - Team: Policy Guild (Library)
  - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`
    1. [TODO] POLICY-SPL-23-001..005 — SPL schema/canonicalizer/layering/explain model/migration tooling once Link-Not-Merge data model is stable.
  - Team: Policy Engine Service
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-50-001..007 — Compiler, evaluator, observability, event pipeline, storage schemas, explainer persistence, worker orchestration.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-POLICY-23-001..004 — Policy pack CRUD, activation, simulation/evaluation, explain history APIs.
  - Team: UI Guild
  - Path: `src/UI/StellaOps.UI/TASKS.md`
    1. [TODO] UI-POLICY-23-001..006 — Policy editor workspace, YAML builder, guided builder, approvals, simulator, explain view.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-POLICY-23-004..006 — CLI lint/activate/history + explain commands aligned with new APIs.
  - Team: Authority Core Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-POLICY-23-001..003 — Policy scopes, two-person activation, documentation.
  - Team: SBOM Service Guild
  - Path: `src/SbomService/StellaOps.SbomService/TASKS.md`
    1. [TODO] SBOM-SERVICE-23-001/002 — Asset metadata projection + `sbom.asset.updated` events feeding evaluator.
  - Team: Concelier & Excititor Guilds
  - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`
    1. [TODO] CONCELIER-POLICY-23-001/002 and EXCITITOR-POLICY-23-001/002 plus CONCELIER/EXCITITOR-LNM-21-201..203 — Evidence indexes, enriched events, observation/linkset APIs supporting policy runtime.
  - Team: Scheduler Worker Guild
  - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`
    1. [TODO] SCHED-WORKER-23-101/102 — Policy re-evaluation worker + reconciliation job post activation.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-LNM-22-001..003 (migration/monitoring) and future policy deployment automation for SPL bundles.
  - Team: Docs Guild, Samples, Bench
  - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md`
    1. [TODO] DOCS-POLICY-23-001..010, SAMPLES-LNM-22-001/002, BENCH-LNM-22-001/002 — Documentation set, policy fixtures, performance benchmarks.

## Wave 11 — 1 task(s) ready after Wave 10
- **Sprint 32** · Orchestrator Dashboard Phase 1 (Foundations)
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-32-001..005 — Stand up the orchestrator service (schema, scheduler, read-only APIs, SSE, worker endpoints). Coordinate with DevOps (DEVOPS-ORCH-32-001) for Postgres + message bus availability before enabling progression.
  - Team: Worker SDK Guild
  - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
    1. [TODO] WORKER-GO-32-001/002, WORKER-PY-32-001/002 — Deliver baseline job claim/heartbeat libraries. These unblock Concelier/Excititor/SBOM adoption tasks and should validate against ORCH-SVC-32-005 contract.
  - Team: Concelier Core Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`
    1. [TODO] CONCELIER-ORCH-32-001/002 — Register sources and embed SDK hooks in ingestion loops. Depends on Worker SDK handshake and orchestrator read APIs.
  - Team: Excititor Worker Guild
  - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`
    1. [TODO] EXCITITOR-ORCH-32-001 — Adopt worker SDK for VEX ingestion. Requires ORCH-SVC-32-005 and Worker SDK readiness.
  - Team: SBOM Service Guild
  - Path: `src/SbomService/StellaOps.SbomService/TASKS.md`
    1. [TODO] SBOM-ORCH-32-001 — Emit orchestrator job metadata and artifact hashes for SBOM ingest/index jobs; depends on orchestrator schema finalization.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-32-101 — Define `policy_eval` job contract and enqueue hooks so orchestrator DAGs can plan downstream work.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-ORCH-32-001 — Surface read-only orchestrator APIs through the gateway with tenant scoping once service endpoints exist.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-ORCH-32-001 — Introduce `orch:read` scope and `Orch.Viewer` role so CLI/Console work can proceed safely.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-ORCH-32-001 — Provide read-only `stella orch` listings after gateway routes/scopes are available; validate against imposed rule requirement.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-ORCH-32-001/002 — Overview + Sources pages (read-only) rely on SSE stream, viewer scope, and CLI/gateway parity.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-ORCH-32-001/002 — Publish overview/architecture docs (each closing with imposed rule statement) to align cross-team implementation.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-ORCH-32-001 — Stand up Postgres/message bus environments and seed Grafana dashboards; prerequisite for orchestrator integration workstreams.
- **Sprint 33** · Orchestrator Dashboard Phase 2 (Controls & Recovery)
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-33-001..004 — Add control actions, adaptive rate limiter, watermark/backfill manager, and dead-letter replay. Requires Phase 1 completion and Worker SDK control hooks.
  - Team: Worker SDK Guild
  - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
    1. [TODO] WORKER-GO-33-001/002, WORKER-PY-33-001/002 — Provide artifact upload, idempotency guards, and error classification so orchestrator controls function safely.
  - Team: Concelier Core Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`
    1. [TODO] CONCELIER-ORCH-33-001 — Honor orchestrator throttles and retry semantics; unblocker for circuit breaker work in Sprint 34.
  - Team: Excititor Worker Guild
  - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`
    1. [TODO] EXCITITOR-ORCH-33-001 — Surface error classes and throttling compliance; depends on Worker SDK error helpers.
  - Team: SBOM Service Guild
  - Path: `src/SbomService/StellaOps.SbomService/TASKS.md`
    1. [TODO] SBOM-ORCH-33-001 — Report backpressure metrics and respect orchestrator pause/backfill signals.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-33-101 — Implement orchestrator-driven evaluation workers with SLO metrics; prerequisites: ORCH-SVC-32-003/005 and Worker SDK upgrades.
  - Team: VEX Lens Guild
  - Path: `src/VexLens/StellaOps.VexLens/TASKS.md`
    1. [TODO] VEXLENS-ORCH-33-001 — Register `consensus_compute` job type and worker integration so orchestrator can schedule consensus batches.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-ORCH-33-001 — Wire control/backfill endpoints through gateway with proper error mapping and SSE bridging; relies on AUTH-ORCH-33-001.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-ORCH-33-001 — Add `Orch.Operator` role/scopes and enforce reason strings; prerequisite for CLI/Console control surfaces.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-ORCH-33-001 — Implement action verbs (`pause|resume|test`, `retry|cancel`, `jobs tail`) with streaming output and scope enforcement.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-ORCH-33-001/002 — Runs timeline/DAG and Jobs tail views with action buttons. Requires SSE, operator scopes, and orchestrator control endpoints.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-ORCH-33-001..003 — Publish API, Console, and CLI guides (each reiterating imposed rule) once control endpoints stabilize.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-ORCH-33-001 — Deliver Grafana dashboards/alerts (rate limiter, queue depth, error clustering) gated by orchestrator metrics.
- **Sprint 34** · Orchestrator Dashboard Phase 3 (Backfills, Quotas, GA)
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-34-001..004 — Quotas/SLOs, audit ledger export, scale tests, and packaging. Requires Phase 2 controls plus DevOps support for perf/load validation.
  - Team: Worker SDK Guild
  - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
    1. [TODO] WORKER-GO-34-001, WORKER-PY-34-001 — Backfill range execution and dedupe verification; prerequisites: ORCH-SVC-33-003 and service artifact schemas.
  - Team: Concelier Core Guild
  - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`
    1. [TODO] CONCELIER-ORCH-34-001 — Execute orchestrator-driven backfills with ledger linkage; ensure idempotency before GA sign-off.
  - Team: Excititor Worker Guild
  - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`
    1. [TODO] EXCITITOR-ORCH-34-001 — Backfill + circuit breaker reset logic; depends on Worker SDK backfill support.
  - Team: SBOM Service Guild
  - Path: `src/SbomService/StellaOps.SbomService/TASKS.md`
    1. [TODO] SBOM-ORCH-34-001 — Watermark reconciliation and coverage metrics for sbom backfills.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-34-101 — Surface run ledger exports and SLO burn metrics to orchestrator; coordinates with Findings Ledger.
  - Team: VEX Lens Guild
  - Path: `src/VexLens/StellaOps.VexLens/TASKS.md`
    1. [TODO] VEXLENS-ORCH-34-001 — Emit consensus completion events into orchestrator ledger + provenance chain.
  - Team: Findings Ledger Guild
  - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md`
    1. [TODO] LEDGER-34-101 — Consume orchestrator ledger entries for provenance exports; must align with ORCH-SVC-34-002 hashing.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-ORCH-34-001 — Route quotas/backfill/error clustering APIs; prerequisite for CLI/Console GA features.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-ORCH-34-001 — Add `Orch.Admin` role, quota scopes, and audit reason enforcement; required before exposing admin controls.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-ORCH-34-001 — Implement backfill/quota commands with dry-run preview; depends on ORCH-SVC-34-001/003 and AUTH-ORCH-34-001.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-ORCH-34-001..003 — Queues/backpressure dashboard, backfill wizard, and error clustering view; align with API + metrics outputs.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-ORCH-34-001..005 — Final documentation set (run ledger, secrets handling, runbook, schema, SLO) — each must restate imposed rule and cross-link to services adopting orchestrator.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-ORCH-34-001 — Harden production dashboards/alerts and synthetic probes prior to GA.
  - Team: Deployment Guild
  - Path: `ops/deployment/TASKS.md`
    1. [TODO] DEPLOY-ORCH-34-001 — Package orchestrator Helm/Compose, scaling defaults, offline guidance; depends on ORCH-SVC-34-004.
  - Team: Offline Kit Guild
  - Path: `ops/offline-kit/TASKS.md`
    1. [TODO] DEVOPS-OFFLINE-34-006 — Bundle orchestrator service artifacts, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks.
- **Sprint 35** · Export Center Phase 1 (Foundations)
  - Team: Exporter Service Guild
  - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`
    1. [TODO] EXPORT-SVC-35-001..006 — Bootstrap exporter service, planner, JSON/mirror adapters, manifests/signing, and download APIs. Blocks downstream integrations (Findings Ledger, Policy, VEX Lens, Web, CLI, Console).
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-35-101 — Register export job type, quotas, and telemetry to support exporter workers.
  - Team: Findings Ledger Guild
  - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md`
    1. [TODO] LEDGER-EXPORT-35-001 — Provide streaming endpoints for advisories/VEX/SBOM/findings filtered per export scopes. Required before planner work can complete.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-35-201 — Supply deterministic policy snapshot + evaluated findings endpoint for policy-aware exports.
  - Team: VEX Lens Guild
  - Path: `src/VexLens/StellaOps.VexLens/TASKS.md`
    1. [TODO] VEXLENS-EXPORT-35-001 — Produce consensus snapshot API consumed by mirror bundles.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-EXPORT-35-001 — Route export APIs and downloads through gateway once exporter endpoints are live.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-EXPORT-35-001 — Publish Export Viewer/Operator/Admin scopes and issuer templates before Console/CLI ship.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-EXPORT-35-001 — Read-only CLI commands for profiles/runs/downloads; depends on WEB-EXPORT-35-001 and AUTH-EXPORT-35-001.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-EXPORT-35-001 — Profiles + overview UI; requires gateway routes and scopes.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-EXPORT-35-001..003 — Publish overview, architecture, and profiles docs with imposed rule reminders to align teams.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-EXPORT-35-001 — Establish exporter CI/perf smoke and dashboards; prerequisite for later alerting.
  - Team: Deployment Guild
  - Path: `ops/deployment/TASKS.md`
    1. [TODO] DEPLOY-EXPORT-35-001 — Package exporter service/worker Helm overlays for download-only phase.
- **Sprint 36** · Export Center Phase 2 (Trivy + Distribution)
  - Team: Exporter Service Guild
  - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`
    1. [TODO] EXPORT-SVC-36-001..004 — Trivy adapters, OCI/object storage distribution, planner updates. Trivy bundles require DEVOPS-EXPORT-36-001 validation.
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-36-101 — Extend orchestrator telemetry/retention fields for export runs.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-EXPORT-36-001 — Distribution endpoints must land before CLI/Console actions move forward.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-EXPORT-36-001 — Distribute/download resume features depend on WEB-EXPORT-36-001 and AUTH scopes.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-EXPORT-36-001 — Runs detail + distribution UI after API support exists.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-EXPORT-36-004..006 — API/CLI/Trivy docs to support rollout; each must restate imposed rule.
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-EXPORT-36-001 — CI validation for Trivy compatibility and OCI pushes.
  - Team: Deployment Guild
  - Path: `ops/deployment/TASKS.md`
    1. [TODO] DEPLOY-EXPORT-36-001 — Document registry credentials and automation for distributions.
- **Sprint 37** · Export Center Phase 3 (Delta, Encryption, Scheduling, GA)
  - Team: Exporter Service Guild
  - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`
    1. [TODO] EXPORT-SVC-37-001..004 — Mirror delta/encryption, scheduling+retention, verification API. Depends on DEVOPS-EXPORT-37-001 for chaos/alert readiness.
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-37-101 — Scheduling + retention hooks required for exporter automation.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-EXPORT-37-001 — Surface scheduling, retention, verification, encryption parameters once exporter endpoints exist.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-EXPORT-37-001 — Admin scope enforcement for scheduling, retention, encryption.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-EXPORT-37-001 — Scheduling and verification commands with signature/hash checks; relies on WEB-EXPORT-37-001.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-EXPORT-37-001 — Verification panel, scheduling UI, retention controls, encryption workflows.
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-EXPORT-37-001..004 — Mirror bundles, provenance & signing, operations runbook, security hardening docs (all reiterate imposed rule).
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-EXPORT-37-001 — Finalize dashboards/alerts, chaos testing, retention monitoring.
  - Team: Offline Kit Guild
  - Path: `ops/offline-kit/TASKS.md`
    1. [TODO] DEVOPS-OFFLINE-37-001 — Bundle export tooling and sample mirror bundles into Offline Kit.
- **Sprint 38** · Notifications Studio Phase 1 (Foundations)
  - Team: Notifications Service Guild
  - Path: `src/Notifier/StellaOps.Notifier/TASKS.md`
    1. [TODO] NOTIFY-SVC-38-001..004 — Bootstrap notifier service, migrations, ingestion, templates, channel adapters, initial APIs. Requires orchestrator event envelope updates and policy violation enrichment.
  - Team: Orchestrator Service Guild
  - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`
    1. [TODO] ORCH-SVC-38-101 — Standardize event publication (policy/export/job lifecycle) with idempotency keys for notifier.
  - Team: Policy Guild
  - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md`
    1. [TODO] POLICY-ENGINE-38-201 — Emit enriched policy violation events (decision rationale IDs) for notifier ingestion.
  - Team: BE-Base Platform Guild
  - Path: `src/Web/StellaOps.Web/TASKS.md`
    1. [TODO] WEB-NOTIFY-38-001 — Gateway routing for notifier APIs with tenant RBAC.
  - Team: Authority Core & Security Guild
  - Path: `src/Authority/StellaOps.Authority/TASKS.md`
    1. [TODO] AUTH-NOTIFY-38-001 — Publish Notify Viewer/Operator/Admin scopes and issuer templates.
  - Team: DevEx/CLI Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CLI-NOTIFY-38-001 — CLI commands for rules/templates/incidents.
  - Team: Console Guild
  - Path: `src/Cli/StellaOps.Cli/TASKS.md`
    1. [TODO] CONSOLE-NOTIFY-38-001 — Studio home, rule editor, incidents UI (phase 1).
  - Team: Docs Guild
  - Path: `docs/TASKS.md`
    1. [TODO] DOCS-NOTIFY-38-001 — Overview + architecture docs (imposed rule).
  - Team: DevOps Guild
  - Path: `ops/devops/TASKS.md`
    1. [TODO] DEVOPS-NOTIFY-38-001 — Notifier CI pipeline, base dashboards.
  - Team: Deployment Guild
  - Path: `ops/deployment/TASKS.md`
    1. [TODO] DEPLOY-NOTIFY-38-001 — Helm overlays and rollout guide for notifier foundations.
-- **Sprint 39** · Notifications Studio Phase 2 (Correlation, Digests, Simulation) - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-39-001..004 — Correlation, throttling, quiet hours, digest generator, simulation engine. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-NOTIFY-39-001 — Digest query optimization endpoints. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-NOTIFY-39-001 — Gateway updates for digests, simulation, throttles. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-NOTIFY-39-001 — CLI simulation/digest commands. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-NOTIFY-39-001 — Template editor, digest profiles, quiet calendar, storm banner. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-NOTIFY-39-002 — Rules/templates/digests docs (imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-NOTIFY-39-002 — Throttle/quiet/digest dashboards. -- **Sprint 40** · Notifications Studio Phase 3 (Escalations, Localization, Hardening) - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-40-001..004 — Escalations, ack bridge, PagerDuty/OpsGenie adapters, localization, security hardening, chaos tests. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-NOTIFY-40-001 — Ack token signing/rotation, webhook allowlists, admin enforcement. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-NOTIFY-40-001 — Expose escalation/localization/channel health endpoints. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-NOTIFY-40-001 — Ack redemption, escalation management, localization previews. 
- - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-NOTIFY-40-001 — Escalation settings, on-call schedules, localization UI, incident Kanban enhancements. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-NOTIFY-40-001 — Channels, escalations, API, runbook, security docs (imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-NOTIFY-40-001 — Escalation/ack latency dashboards, chaos tooling. -- **Sprint 41** · CLI Parity & Task Packs Phase 1 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-CORE-41-001, CLI-PARITY-41-001/002 — Implement CLI core config/auth/output foundations and initial parity command groups. - - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-41-001 — Bootstrap Task Runner service, run API, local executor, approvals pause, artifact capture. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-41-001 — Registry API, signature verification, provenance storage, RBAC. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-41-101 — Register `pack-run` job type, integrate logs/artifacts, expose metadata. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-PACKS-41-001 — Define CLI/pack scopes, discovery metadata, offline defaults. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-CLI-41-001 — Publish CLI overview/config/output docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-41-001 — Multi-platform build pipeline, SBOM/checksums, parity CI gate. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-CLI-41-001 — Package CLI release artifacts and distribution docs. 
-- **Sprint 42** · CLI Parity & Task Packs Phase 2 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-PARITY-41-001/002, CLI-PACKS-42-001 — Close remaining parity gaps and ship Task Pack CLI commands. - - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-42-001 — Loops, conditionals, simulation mode, policy gates. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-42-001 — Version lifecycle, allowlists, provenance export, signature rotation. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-42-101 — Stream pack run logs, expose manifolds, enforce quotas. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-42-201 — Stable rationale IDs/APIs for CLI `--explain` and packs. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-PACKS-42-001 — Snapshot/time-travel APIs for pack simulation. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-CLI-42-001 — Copy CLI buttons, parity hints, pack browser. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-CLI-42-001 — Parity matrix & command guides; DOCS-PACKS-43-001 groundwork. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-42-001 — CLI golden outputs, parity diff automation, pack run CI harness. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-PACKS-42-001 — Deploy packs registry/task runner with secrets templates. -- **Sprint 43** · CLI Parity & Task Packs Phase 3 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-PACKS-43-001 — Advanced pack features (approvals pause/resume, secrets, localization, man pages). 
- - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-43-001 — Approvals workflow, notifications integration, chaos resilience. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-43-001 — Mirroring, signing policies, attestation integration. - - Team: Exporter Service Guild - - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` - 1. [TODO] EXPORT-SVC-35-005, EXPORT-SVC-37-001 — Include pack run manifests in exports. - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-40-001 — Emit pack run notifications. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-PACKS-43-001 — Enforce pack signing/approval policies, CLI CI scopes. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-PACKS-43-001 — Task Pack spec/authoring/registry/runbook/security/release docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-43-001 — Final release automation, SBOM signing, parity gating, chaos tests. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-PACKS-43-001 — Remote execution rollout guidance, Offline kit instructions. - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] CLI-PACKS-43-002 — Bundle CLI, pack samples, registry mirror into Offline Kit with manifests. -- **Sprint 47-49** · Authority-Backed Scopes & Tenancy - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-TEN-47-001 — JWT/OIDC alignment, scope grammar, tenant/project claims. - 2. [TODO] AUTH-TEN-49-001 — Service accounts, delegation, quotas, audit streaming. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. 
[TODO] WEB-TEN-47-001/48-001/49-001 — Middleware enforcement, tenant context propagation, ABAC overlay, audit API. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-TEN-47-001/49-001 — Auth CLI flows, tenant switching, service tokens, delegation. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-TEN-48-001/49-001 — Tenant switcher, admin screens, audit viewer. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-TEN-48-001 — Tenant-aware policy storage, RLS, rationale IDs. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-TEN-48-001 — Tenant partitioning and RLS. - - Team: Exporter/Notifications/Orchestrator/Task Runner/Concelier/Excititor Guilds - - Paths: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`, `src/Notifier/StellaOps.Notifier/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`, `src/TaskRunner/StellaOps.TaskRunner/TASKS.md`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. [TODO] Export/Notify tasks (EXPORT-TEN-48-001, NOTIFY-TEN-48-001) — Tenant stamping. - 2. [TODO] ORCH-TEN-48-001, TASKRUN-TEN-48-001 — Job context enforcement. - 3. [TODO] CONCELIER/EXCITITOR-TEN-48-001 — Tenant-aware linking with aggregation-only guarantee. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-TEN-47-001/48-001/49-001 — Tenancy docs suite (overview, operations, authentication, ABAC). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-TEN-47-001/48-001/49-001 — JWKS caching, RLS tests, audit pipeline, chaos tests. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY updates (if needed) for tenant configuration. +# Execution Tree for Open Backlog +Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. 
Waves cluster tasks by dependency depth; Wave 0 has no unresolved blockers and later waves depend on earlier ones. + +## Wave Instructions +### Wave 0 +- Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (DONE 2025-10-20), AUTH-MTLS-11-002 (DONE 2025-10-23). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team DevEx/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-002 (TODO), CLI-RUNTIME-13-005 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001) before starting and report status in module TASKS.md. +- Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (DONE 2025-10-20); Wave 0A prerequisites reconfirmed so remediation work may proceed. Keep module TASKS.md/Sprints in sync as patches land. +- Team Diff Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md`. SCANNER-DIFF-10-501/502/503 all closed on 2025-10-19; keep determinism fixtures green and sync downstream consumers as Emit/Diff integration tickets arise. +- Team Docs Guild, Plugin Team: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOC4.AUTH-PDG (REVIEW). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Docs/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-003 (TODO). 
Confirm prerequisites (external: EXCITITOR-CLI-01-001) before starting and report status in module TASKS.md. +- Team Emit Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. Sprint 10 composition milestones (10-601..10-606) wrapped 2025-10-22 and SCANNER-EMIT-10-607 completed alongside; remaining watch item is SCANNER-EMIT-17-701 (Wave 1) with build-id enrichment. +- Team EntryTrace Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md`. SCANNER-ENTRYTRACE-10-401..407 landed 2025-10-19; continue monitoring determinism harness outputs and raise follow-ups if new interpreter cases appear. +- Team Language Analyzer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. Java, shared helpers, determinism harness, and the Sprint 10 analyzers (10-301..10-309) are DONE (latest 2025-10-22); keep fixture refresh notes current and pivot to Wave 1 benchmarking/packaging follow-ups. +- Team Notify Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md`. Focus on NOTIFY-MODELS-15-101 (TODO), NOTIFY-MODELS-15-102 (TODO), NOTIFY-MODELS-15-103 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Notify Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md`. Focus on NOTIFY-STORAGE-15-201 (TODO), NOTIFY-STORAGE-15-202 (TODO), NOTIFY-STORAGE-15-203 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Notify WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. 
Focus on NOTIFY-WEB-15-101 (TODO), NOTIFY-WEB-15-102 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Platform Events Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on PLATFORM-EVENTS-09-401 (TODO). Confirm prerequisites (external: DOCS-EVENTS-09-003) before starting and report status in module TASKS.md. +- Team Plugin Platform Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-002.COORD (DONE 2025-10-20), PLUGIN-DI-08-002 (DONE 2025-10-20), PLUGIN-DI-08-003 (DONE 2025-10-20), PLUGIN-DI-08-004 (DONE 2025-10-20), and PLUGIN-DI-08-005 (DONE 2025-10-20). Confirm prerequisites (PLUGIN-DI-08-001) before starting and report status in module TASKS.md. +- Team Plugin Platform Guild, Authority Core: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Coordination session for PLUGIN-DI-08-002 implementation completed on 2025-10-20 15:00–16:05 UTC and scoped-service changes have shipped with regression coverage; subsequent tasks (PLUGIN-DI-08-003/004/005) remain green. +- Team Policy Guild: Sprint 9 core tasks (POLICY-CORE-09-004/005/006) closed on 2025-10-19; ensure downstream consumers refresh against the published scoring config + quiet/unknown outputs and raise follow-up tasks if additional polish is required. +- Team Runtime Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on RUNTIME-GUILD-09-402 (TODO). Confirm prerequisites (external: SCANNER-POLICY-09-107) before starting and report status in module TASKS.md. +- Team Scanner WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-15-201 (DONE 2025-10-20). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
+- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-300 (DONE 2025-10-20) and ensure the temporary stub removal note stays tracked. Confirm prerequisites (external: SAMPLES-10-001) before starting and report status in module TASKS.md. +- Team Scheduler Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`. SCHED-MODELS-16-103 completed (2025-10-20); ensure downstream teams consume the migration helpers and log upgrade warnings. +- Team Scheduler Queue Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-401 completed (2025-10-20); proceed with Wave 1 queue enhancements. +- Team Scheduler Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-201 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. +- Team Scheduler WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-101 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. +- Team Signer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Signer/StellaOps.Signer/TASKS.md`. Focus on SIGNER-API-11-101 (DONE 2025-10-21), SIGNER-REF-11-102 (DONE 2025-10-21), SIGNER-QUOTA-11-103 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team TBD: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`. Focus on SCANNER-ANALYZERS-LANG-10-302C (TODO). 
Confirm prerequisites (external: SCANNER-ANALYZERS-LANG-10-302B) before starting and report status in module TASKS.md. +- Team Team Connector Resumption – CERT/RedHat: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md`. Focus on FEEDCONN-REDHAT-02-001 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Team Excititor Attestation: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md`. Focus on EXCITITOR-ATTEST-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-ATTEST-01-002) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – Cisco: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-CISCO-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-CISCO-01-002, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-MS-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-001 (DOING). Confirm prerequisites (external: EXCITITOR-CONN-ABS-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. 
Focus on EXCITITOR-CONN-SUSE-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-SUSE-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-UBUNTU-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. +- Team Team Excititor Export: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-005 (DONE 2025-10-21). Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-EXPORT-01-004) before starting and report status in module TASKS.md. +- Team Team Excititor Formats: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md`. Focus on EXCITITOR-FMT-CSAF-01-002 (TODO), EXCITITOR-FMT-CSAF-01-003 (TODO), EXCITITOR-FMT-CYCLONE-01-002 (TODO), EXCITITOR-FMT-CYCLONE-01-003 (TODO), EXCITITOR-FMT-OPENVEX-01-002 (TODO), EXCITITOR-FMT-OPENVEX-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-EXPORT-01-001, EXCITITOR-FMT-CSAF-01-001, EXCITITOR-FMT-CYCLONE-01-001, EXCITITOR-FMT-OPENVEX-01-001, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Storage: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Focus on EXCITITOR-STORAGE-MONGO-08-001 (DONE 2025-10-19), EXCITITOR-STORAGE-03-001 (TODO). 
Confirm prerequisites (external: EXCITITOR-STORAGE-01-003, EXCITITOR-STORAGE-02-001) before starting and report status in module TASKS.md. +- Team Team Excititor WebService: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-01-002 (DONE 2025-10-20), EXCITITOR-WEB-01-003 (TODO), EXCITITOR-WEB-01-004 (DONE 2025-10-20). Confirm prerequisites (external: EXCITITOR-ATTEST-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-WEB-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Worker: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-004 (DONE 2025-10-21); EXCITITOR-WORKER-01-002 (DONE 2025-10-21) and EXCITITOR-WORKER-02-001 (DONE 2025-10-21) recorded. Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. +- Team Team Merge & QA Enforcement: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. Focus on FEEDMERGE-COORD-02-900 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. **2025-10-19:** Coordination refreshed; connector owners notified and TASKS.md entries updated. **2025-10-20:** Coordination matrix + rollout dashboard refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) and escalation plan logged. +- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
+- Team Team WebService & Authority: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on SEC2.PLG (DOING), SEC3.PLG (DOING), SEC5.PLG (DOING), PLG4-6.CAPABILITIES (BLOCKED), PLG6.DIAGRAM (TODO), PLG7.RFC (REVIEW), FEEDWEB-DOCS-01-001 (DOING), FEEDWEB-OPS-01-006 (TODO), FEEDWEB-OPS-01-007 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team Tools Guild, BE-Conn-MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md`. Focus on FEEDCONN-SHARED-STATE-003 (**TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. +- Team UX Specialist, Angular Eng: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Focus on WEB1.TRIVY-SETTINGS (DONE 2025-10-21), WEB1.TRIVY-SETTINGS-TESTS (DONE 2025-10-21), and WEB1.DEPS-13-001 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. + +### Wave 1 +- Team Concelier WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on CONCELIER-WEB-AOC-19-001/002/003/004 (TODO). Confirm prerequisites (WEB-AOC-19-001, CONCELIER-CORE-AOC-19-001, CONCELIER-STORE-AOC-19-001) before starting and record progress in TASKS.md. +- Team Concelier Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on CONCELIER-CORE-AOC-19-001/002/003/004 (TODO). Coordinate with Policy team on derived-data removal. +- Team Concelier Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. 
Prioritise CONCELIER-STORE-AOC-19-001/002/003/004 (TODO) and align validator rollout with DevOps. +- Team Excititor WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-AOC-19-001/002/003/004 (TODO). Ensure parity with Concelier ingestion guard. +- Team Excititor Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`. Focus on EXCITITOR-CORE-AOC-19-001/002/003/004 (TODO). +- Team Excititor Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Work on EXCITITOR-STORE-AOC-19-001/002/003/004 (TODO) with migration dry-run plans. +- Team Excititor Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-AOC-19-001/002/003 (TODO) coordinating signature enforcement with storage guard. +- Team BE-Base Platform Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Deliver WEB-AOC-19-001/002/003 (TODO) to unblock ingestion services. +- Team Policy Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`. Work on POLICY-AOC-19-001/002/003/004 (TODO) to keep derived data policy-only. +- Team Authority Core & Security Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Prioritise AUTH-AOC-19-001/002/003 (TODO) for new scopes + tenancy. +- Team DevEx/CLI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-AOC-19-001/002/003 (TODO) and sync exit codes with services. +- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Execute UI-AOC-19-001/002/003 (TODO) using new verify endpoints. 
+- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Implement DEVOPS-AOC-19-001/002/003 (TODO) to gate CI with new guards. +- Team Docs Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `docs/TASKS.md`. Cover DOCS-AOC-19-001..008 (TODO) aligning docs with new ingestion contract. +- Team Bench Guild, Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-SCANNER-10-002 (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)) before starting and report status in module TASKS.md. +- Team DevEx/CLI, QA Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-RUNTIME-13-009 (TODO). Confirm prerequisites (internal: CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. +- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-REL-14-001 (DOING 2025-10-23). Confirm prerequisites (internal: SIGNER-API-11-101 (Wave 0)) before starting and report status in module TASKS.md. +- Team DevOps Guild, Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-204 (TODO). Confirm prerequisites (internal: SCANNER-EVENTS-15-201 (Wave 0)) before starting and report status in module TASKS.md. +- Team Emit Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. SCANNER-EMIT-10-607 shipped 2025-10-22; remaining focus is SCANNER-EMIT-17-701 (build-id enrichment). Confirm prerequisites (internal: POLICY-CORE-09-005 (Wave 0), SCANNER-EMIT-10-602 (Wave 0), SCANNER-EMIT-10-604 (Wave 0)) before starting and report status in module TASKS.md. +- Team Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. 
Sprint 10 language analyzers (10-303..10-306) wrapped by 2025-10-22; shift to Wave 1 benchmarking/packaging follow-ups (10-308+/309 variants) and ensure shared helpers stay stable. Node stream (tasks 10-302/309) closed on 2025-10-21; verify prereqs SCANNER-ANALYZERS-LANG-10-301/307 remain satisfied before new work. +- Team Licensing Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/licensing/TASKS.md`. Focus on DEVOPS-LIC-14-004 (TODO). Confirm prerequisites (internal: AUTH-MTLS-11-002 (Wave 0)) before starting and report status in module TASKS.md. +- Team Notify Engine Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-301 (TODO). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md. +- Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (DONE). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md. +- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-301 (TODO). Confirm prerequisites (internal: SCANNER-EMIT-10-605 (Wave 0)) before starting and report status in module TASKS.md. +- Team Scheduler Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-402 completed (2025-10-20); next focus is SCHED-QUEUE-16-403. +- Team Scheduler Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-203 (TODO), SCHED-STORAGE-16-202 (TODO). 
Confirm prerequisites (internal: SCHED-STORAGE-16-201 (Wave 0)) before starting and report status in module TASKS.md. +- Team Scheduler WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-104 (TODO), SCHED-WEB-16-102 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0), SCHED-WEB-16-101 (Wave 0)) before starting and report status in module TASKS.md. +- Team Scheduler Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-201 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0)) before starting and report status in module TASKS.md. +- Team TBD: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305A/304A/303A/306A all closed by 2025-10-22; use this slot to review cross-language fixture hygiene and prep Wave 1 benchmarking tickets. Node add-ons 10-307N/10-308N/10-309N remain DONE with restart-time packaging verified 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-302C (Wave 0), SCANNER-ANALYZERS-LANG-10-307 (Wave 0)) before starting any new follow-ups and report status in module TASKS.md. +- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-003 (TODO). 
Confirm prerequisites (internal: EXCITITOR-CONN-MS-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-001 (Wave 0); external: EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. Focus on EXCITITOR-CONN-SUSE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-SUSE-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Export: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-006 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)) before starting and report status in module TASKS.md. +- Team Team Excititor Worker: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-ATTEST-01-003 (Wave 0); external: EXCITITOR-EXPORT-01-002, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. 
+- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Focus on UI-SCANS-13-002 (TODO), UI-VEX-13-003 (TODO), UI-ADMIN-13-004 (TODO), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md. + +### Wave 2 +- Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. +- Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. +- Team Deployment Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/deployment/TASKS.md`. Focus on DEVOPS-OPS-14-003 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1)) before starting and report status in module TASKS.md. +- Team DevOps Guild, Notify Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-205 (TODO). Confirm prerequisites (internal: DEVOPS-SCANNER-09-204 (Wave 1)) before starting and report status in module TASKS.md. +- Team Notify Engine Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-302 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. 
+- Team Offline Kit Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/offline-kit/TASKS.md`. Focus on DEVOPS-OFFLINE-14-002 (TODO), DEVOPS-OFFLINE-18-003 (TODO), and DEVOPS-OFFLINE-18-005 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1), DEVOPS-REL-14-004 (Wave 2)) before starting and report status in module TASKS.md. +- Team Samples Guild, Policy Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `samples/TASKS.md`. Focus on SAMPLES-13-004 (TODO). Confirm prerequisites (internal: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1)) before starting and report status in module TASKS.md. +- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-303 (TODO), SCHED-IMPACT-16-302 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. +- Team Scheduler WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-103 (TODO). Confirm prerequisites (internal: SCHED-WEB-16-102 (Wave 1)) before starting and report status in module TASKS.md. +- Team Scheduler Worker Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-202 (TODO), SCHED-WORKER-16-205 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1), SCHED-WORKER-16-201 (Wave 1)) before starting and report status in module TASKS.md. 
+- Team TBD: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305B/304B/303B/306B wrapped on 2025-10-22; next focus moves to `10-307*` shared helper integration and Wave 2 benchmark polish. Node packaging milestone 10-308N closed 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303A (Wave 1), SCANNER-ANALYZERS-LANG-10-304A (Wave 1), SCANNER-ANALYZERS-LANG-10-305A (Wave 1), SCANNER-ANALYZERS-LANG-10-306A (Wave 1), SCANNER-ANALYZERS-LANG-10-307N (Wave 1)) before starting new work and report status in module TASKS.md. +- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-002 (Wave 1); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. +- Team Team Excititor Export: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-007 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-006 (Wave 1)) before starting and report status in module TASKS.md. + +### Wave 3 +- Team DevEx/CLI: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-OFFLINE-13-006 (DONE 2025-10-21). Confirm prerequisites (internal: DEVOPS-OFFLINE-14-002 (Wave 2)) before starting and report status in module TASKS.md. 
+- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-001 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-007 (Wave 2)) before starting and report status in module TASKS.md. +- Team Notify Engine Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-303 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. +- Team Notify Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-203 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. +- Team Scheduler Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-203 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-202 (Wave 2)) before starting and report status in module TASKS.md. +- Team TBD: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305C/304C/309N/303C/306C are all DONE (latest 2025-10-22); remaining Wave 3 attention shifts to 10-307* helper consolidation and subsequent benchmarking tickets. 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303B (Wave 2), SCANNER-ANALYZERS-LANG-10-304B (Wave 2), SCANNER-ANALYZERS-LANG-10-305B (Wave 2), SCANNER-ANALYZERS-LANG-10-306B (Wave 2), SCANNER-ANALYZERS-LANG-10-308N (Wave 2)) before scheduling new work and report status in module TASKS.md. + +### Wave 4 +- Team DevEx/CLI: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-PLUGIN-13-007 (DONE 2025-10-22). Confirm prerequisites (internal: CLI-OFFLINE-13-006 (Wave 3), CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. +- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-001 (Wave 3)) before starting and report status in module TASKS.md. +- Team Notify Connectors Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-501 (TODO), NOTIFY-CONN-TEAMS-15-601 (TODO), NOTIFY-CONN-EMAIL-15-701 (TODO), NOTIFY-CONN-WEBHOOK-15-801 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. +- Team Notify Engine Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-304 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. +- Team Notify Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. 
Focus on NOTIFY-WORKER-15-204 (TODO). Confirm prerequisites (internal: NOTIFY-WORKER-15-203 (Wave 3)) before starting and report status in module TASKS.md. +- Team Scheduler Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-204 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-203 (Wave 3)) before starting and report status in module TASKS.md. +- Team TBD: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-307D/G/P are DONE (latest 2025-10-23); remaining focus is SCANNER-ANALYZERS-LANG-10-307R (DOING). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303C (Wave 3), SCANNER-ANALYZERS-LANG-10-304C (Wave 3), SCANNER-ANALYZERS-LANG-10-305C (Wave 3), SCANNER-ANALYZERS-LANG-10-306C (Wave 3)) before progressing and report status in module TASKS.md. + +### Wave 5 +- **Sprint 23-28** · StellaOps Console, Policy Studio, Graph Explorer + - Team: Policy Registry Guild + - Path: `src/Policy/StellaOps.Policy.Registry/TASKS.md` + 1. [TODO] REGISTRY-API-27-001..010 — Deliver Registry service (OpenAPI, workspace storage, compile/sim integration, review workflow, publish/attest, promotion, telemetry, testing). Coordinate closely with Policy Engine, Scheduler, Authority, Console, CLI, Docs, and DevOps. + - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-29-001..009 — Stand up immutable ledger, projector, workflow handlers, hashing/Merkle anchoring, and deployment tooling powering Vuln Explorer. + - Team: VEX Lens Guild + - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` + 1. 
[TODO] VEXLENS-30-001..011 — Build VEX normalization, mapping, trust weighting, consensus projection, APIs, simulation, telemetry, and deployment. + - Team: Issuer Directory Guild + - Path: `src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md` + 1. [TODO] ISSUER-30-001..006 — Provide issuer/key management, trust overrides, integration with VEX Lens, telemetry, and deployment guidance. + - Team: Advisory AI Guild + - Path: `src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md` + 1. [TODO] AIAI-31-001..009 — Implement retrievers, deterministics, guardrails, APIs, telemetry, and deployment for Advisory AI summaries/conflict explain/remediation. + - Team: Graph Indexer Guild + - Path: `src/Graph/StellaOps.Graph.Indexer/TASKS.md` + 1. [TODO] GRAPH-INDEX-28-001..010 — Build graph ingestion (SBOM, advisory, VEX, policy overlays), snapshots, clustering, incremental updates, and deployment artifacts. Maintain deterministic identity + tenant isolation. + - Team: Graph API Guild + - Path: `src/Graph/StellaOps.Graph.Api/TASKS.md` + 1. [TODO] GRAPH-API-28-001..011 — Ship streaming query/search/paths/diff/export endpoints with cost enforcement, overlays, RBAC, telemetry, and deployment docs. + - Team: Vuln Explorer API Guild + - Path: `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md` + 1. [TODO] VULN-API-29-001..011 — Provide policy-aware list/detail/workflow/simulation/export APIs atop the ledger with deterministic outputs and auditable telemetry. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-CORE-23-001..CONSOLE-REL-23-303, CONSOLE-DOC-23-501/502, TELEMETRY-CONSOLE-23-001 — Bootstrap the Next.js workspace, build shell/navigation, deliver feature modules (Dashboard, SBOM, Advisories/VEX, Findings, Policies, Runs, Reports, Admin, Downloads), wire telemetry, QA (Playwright, Storybook a11y, Lighthouse), release artifacts, and support docs/parity automation. 
Sequence: finish core scaffolding (23-001..005) before picking up feature modules; hold Reports/Downloads until backend export + manifest tasks signal ready. + 2. [TODO] CONSOLE-STUDIO-27-001..007, CONSOLE-GRAPH-28-001..008, TELEMETRY-CONSOLE-27-001 — Deliver Policy Studio editor experience and Graph Explorer WebGL module (semantic zoom, overlays, diff, exports, saved queries, accessibility, telemetry). + 3. [TODO] CONSOLE-VULN-29-001..007 — Ship Vuln Explorer UI enhancements (list/detail/workflow/simulation/export) with telemetry and accessibility. + 4. [TODO] CONSOLE-VEX-30-001..005 — Provide VEX Lens console experience with quorum/conflict visualization and telemetry. + 5. [TODO] CONSOLE-AIAI-31-001..005 — Build Advisory AI side panel (summary/conflict/remediation) with copy-as-ticket, a11y, and telemetry integration. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-CONSOLE-23-001..005 — Stand up `/console/*` aggregates, SSE proxy, export orchestrator, global search, and downloads manifest endpoints. Coordinate closely with Policy, Scheduler, Concelier, Excititor, SBOM services to validate payloads. + 2. [TODO] WEB-GRAPH-24-001..004 — Route `/graph/*` APIs to Graph service, enforce scopes, provide overlay/export proxies, and aggregate telemetry. + 3. [TODO] WEB-VULN-29-001..004 — Provide Vuln Explorer routing, ledger proxying, simulation/export orchestration, and telemetry. + 4. [TODO] WEB-AIAI-31-001..003 — Route Advisory AI endpoints, batch orchestration, and telemetry/audit pipelines. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-CONSOLE-23-001..003 — Register Console OIDC client, expose tenant/profile endpoints, refresh security docs. PKCE + short-lived tokens must land before Console auth wiring can start. + 2. 
[TODO] AUTH-POLICY-27-001..003, AUTH-GRAPH-21-001..003 — Roll out Policy Studio scopes + signing enforcement and ensure Graph scopes/RBAC stay in sync. + 3. [TODO] AUTH-VULN-29-001..003 — Deliver Vuln Explorer scopes, CSRF enforcement, attachment signing, and documentation. + 4. [TODO] AUTH-AIAI-31-001..002 — Define Advisory AI scopes/consent controls and enforce anonymized logging/audit flows. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-CONSOLE-23-001/002, EXPORT-CONSOLE-23-001 — Optimize findings/explain APIs, expose simulation diff + approvals metadata, and deliver evidence bundle generator feeding Web gateway + Console Reports. + 2. [TODO] POLICY-ENGINE-27-001..004, POLICY-ENGINE-30-001..003 — Provide Studio compile metadata, simulation enhancements, complexity limits, and graph overlay contracts/events. + 3. [TODO] POLICY-ENGINE-29-001..004 — Supply batch evaluation/simulation for Vuln Explorer and consensus overlays with telemetry. + 4. [TODO] POLICY-ENGINE-31-001..002 — Surface Advisory AI parameters and policy context endpoints consumed by the assistant. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-CONSOLE-23-001/002 — Provide Console catalog + component lookup endpoints (filters, overlays, raw projections). Coordinate caching hints with Web + Console teams. + 2. [TODO] SBOM-GRAPH-24-001..004 — Maintain graph node/edge collections, builders, diff events, and caches feeding Graph Explorer. + 3. [TODO] SBOM-VULN-29-001/002 — Emit enriched inventory evidence (scope/runtime/path/safe versions) and resolver feeds for Vuln Explorer. + 4. [TODO] SBOM-AIAI-31-001/002 — Deliver path/timeline APIs and telemetry for Advisory AI remediation hints. + - Team: Concelier WebService Guild + - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` + 1. 
[TODO] CONCELIER-CONSOLE-23-001..003 — Deliver advisory aggregation views, delta metrics feed, and search helpers backing Dashboard/Search modules. + 2. [TODO] CONCELIER-VULN-29-001..004 — Normalize advisory keys, expose raw evidence, publish safe fix hints, and instrument metrics for Vuln Explorer. + 3. [TODO] CONCELIER-AIAI-31-001..003 — Provide paragraph anchors, structured fields, and telemetry required by Advisory AI. + - Team: Excititor WebService Guild + - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` + 1. [TODO] EXCITITOR-CONSOLE-23-001..003 — Provide VEX aggregation, override deltas, and search helpers for Console UX. + 2. [TODO] EXCITITOR-GRAPH-24-101/102 — Supply VEX summaries for Graph Explorer overlays and inspectors. + 3. [TODO] EXCITITOR-VULN-29-001..004 — Canonicalize VEX keys, surface evidence APIs, suppression metadata, and telemetry for Vuln Explorer. + 4. [TODO] EXCITITOR-AIAI-31-001..003 — Serve VEX chunks/justifications/signature metadata and telemetry for Advisory AI. + - Team: Scheduler WebService Guild + - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` + 1. [TODO] SCHED-CONSOLE-23-001 — Extend runs API with SSE progress stream, queue lag summaries, RBAC-gated actions. + 2. [TODO] SCHED-CONSOLE-27-001/002, SCHED-WEB-21-001/002 — Surface policy batch sim orchestration and graph build/overlay monitoring endpoints. + 3. [TODO] SCHED-VULN-29-001/002 — Provide resolver job APIs and lag metrics for Vulnerability Explorer recomputation. + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-CONSOLE-23-201/202 — Publish run progress events and coordinate evidence bundle jobs consumed by Console + gateway. + 2. [TODO] SCHED-WORKER-27-301..303, SCHED-WORKER-21-201..203 — Execute policy batch simulation sharding/reduction and graph build/overlay workers with telemetry + security controls. + 3. 
[TODO] SCHED-WORKER-29-001..003 — Run vulnerability resolver/evaluation workers and monitoring to keep projections fresh. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-CONSOLE-23-001/002 — Add console CI workflow (pnpm lint/test/Playwright/Lighthouse) and produce `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. + 2. [TODO] DEVOPS-POLICY-27-001..004 — Wire policy lint/compile/test jobs, optional batch simulation CI, signing key management, and telemetry dashboards/alerts. + 3. [TODO] DEVOPS-GRAPH-28-001..003 — Stand up graph perf/load tests, rate limiting/backpressure controls, and observability dashboards/alerts. + 4. [TODO] DEVOPS-VULN-29-001..003 — Establish ledger CI/backups/anchoring, Vuln Explorer performance dashboards/alerts, and telemetry privacy safeguards. + 5. [TODO] DEVOPS-VEX-30-001 — Provision CI/perf/dashboards/alerts for VEX Lens & Issuer Directory. + 6. [TODO] DEVOPS-AIAI-31-001 — Provide CI, inference monitoring, privacy review, perf dashboards, and alerts for Advisory AI service. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DOWNLOADS-CONSOLE-23-001 — Maintain signed downloads manifest pipeline used by Console `/downloads` and docs parity checks. + 2. [TODO] DEPLOY-POLICY-27-001/002 — Provide Policy Registry deployment overlays and publish policy rollout/rollback runbook. + 3. [TODO] DEPLOY-GRAPH-28-001 — Create deployment/offline instructions for Graph Indexer/API (including cache seeds). + 4. [TODO] DEPLOY-VULN-29-001/002 — Package Findings Ledger and Vuln Explorer API deployments with migrations/backups/offline guidance. + 5. [TODO] DEPLOY-VEX-30-001/002 — Provide deployments/offline instructions for VEX Lens and Issuer Directory. + 6. [TODO] DEPLOY-AIAI-31-001 — Deliver Advisory AI deployment manifests, GPU toggle guidance, and offline kit instructions. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. 
[TODO] DOCS-CONSOLE-23-001..017 — Publish the Console doc suite (overview, navigation, module guides, deploy/install, security, observability, parity matrix, accessibility, UI tours). Coordinate media capture with Console Guild. + 2. [TODO] DOCS-POLICY-27-001..014 — Deliver Policy Studio documentation set (overview, authoring, versioning, simulation, review, promotion, CLI/API/security/observability/runbooks/templates/AOC guardrails). + 3. [TODO] DOCS-GRAPH-28-001..012 — Produce Graph Explorer documentation (overview, console usage, query language, API, CLI, overlays, advisory/VEX integration, architecture, telemetry, runbooks, security). + 4. [TODO] DOCS-VULN-29-001..013 — Author Vulnerability Explorer documents (overview, console usage, API/CLI, ledger, policy mapping, advisory/VEX integration, SBOM resolution, telemetry, security, runbooks, install updates). + 5. [TODO] DOCS-VEX-30-001..009 — Publish VEX Lens documentation set (overview, algorithm, issuer directory, APIs, console, policy trust model, mapping, signatures, runbooks). + 6. [TODO] DOCS-AIAI-31-001..009 — Publish Advisory AI documentation suite (overview, architecture, APIs, console, CLI, policy parameters, guardrails, remediation heuristics, ops runbook). + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-POLICY-27-001..005 — Implement Policy Studio CLI lifecycle (init→lint→simulate→submit→approve→publish→promote/rollback), enhance simulation reporting, and update documentation with CI-friendly outputs. + 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. + 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. + 4. [TODO] CLI-VEX-30-001..004 — Provide VEX Lens CLI commands (consensus list/show/simulate/export). + 5. 
[TODO] CLI-AIAI-31-001..004 — Implement Advisory AI CLI commands (`stella advise *`) with docs and tests. + 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. + 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. +- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-002 (Wave 4)) before starting and report status in module TASKS.md. +- Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (DONE), NOTIFY-CONN-TEAMS-15-602 (DONE), NOTIFY-CONN-EMAIL-15-702 (BLOCKED 2025-10-20), NOTIFY-CONN-WEBHOOK-15-802 (BLOCKED 2025-10-20). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md. +- Team TBD: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-308D/G/P completed (2025-10-23/2025-10-22/2025-10-23); pending items are SCANNER-ANALYZERS-LANG-10-308R (TODO). 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-307D (Wave 4), SCANNER-ANALYZERS-LANG-10-307G (Wave 4), SCANNER-ANALYZERS-LANG-10-307P (Wave 4), SCANNER-ANALYZERS-LANG-10-307R (Wave 4)) before starting and report status in module TASKS.md. + +### Wave 6 +- Team Notify Connectors Guild: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-503 (DONE), NOTIFY-CONN-TEAMS-15-603 (DONE), NOTIFY-CONN-EMAIL-15-703 (DONE), NOTIFY-CONN-WEBHOOK-15-803 (DONE). Confirm packaging outputs remain deterministic while upstream implementation tasks (15-702/802) stay blocked. +- Team TBD: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-309D/G/P completed (2025-10-23/2025-10-22/2025-10-23); remaining item is SCANNER-ANALYZERS-LANG-10-309R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-308D (Wave 5), SCANNER-ANALYZERS-LANG-10-308G (Wave 5), SCANNER-ANALYZERS-LANG-10-308P (Wave 5), SCANNER-ANALYZERS-LANG-10-308R (Wave 5)) before starting and report status in module TASKS.md. + +### Wave 7 +- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 7 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDSTORAGE-DATA-07-001 (Wave 10)) before starting and report status in module TASKS.md. 
+ +### Wave 8 +- Team Team Core Engine & Data Science: read EXECPLAN.md Wave 8 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-002 (DONE 2025-10-21). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. + +### Wave 9 +- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 9 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. FEEDCORE-ENGINE-07-003 marked DONE (2025-10-21); share ledger heuristics with Policy when integrating confidence decay. + +### Wave 10 +- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 10 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-DATA-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDMERGE-ENGINE-07-001 (Wave 11)) before starting and report status in module TASKS.md. + +### Wave 11 — 48 task(s) ready after Wave 10 +- **Sprint 25** · Exceptions v1 + - Team: Policy Guild + - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-EXC-25-001, POLICY-ENGINE-70-001..005 — SPL updates, evaluation layer, storage, cache, observability, worker hooks. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-EXC-25-001..003 — Exceptions API workflow, policy integration, events/notifications. + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-EXC-25-001..005 — Exception Center, creation wizard, inline flows, badges, accessibility. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-EXC-25-001/002 — CLI workflow commands and simulation overrides. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-EXC-25-001/002 — Exception scopes, routing matrix, docs. 
+ - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-25-101/102 — Exception lifecycle + expiring notification jobs. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-EXC-25-001..007 — Governance, approvals, API, policy effects, UI, CLI, migration docs. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] (future) exception monitoring/notifications integration if needed (track under DEVOPS-LNM-22-003 extension). + +- Team BE-Merge: read EXECPLAN.md Wave 11 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. FEEDMERGE-ENGINE-07-001 marked DONE (2025-10-20); share conflict explainer rollout notes with Storage before Wave 10 resumes. + +### Wave 12 — 40 task(s) ready after Wave 11 +- **Sprint 26** · Reachability v1 + - Team: Signals Guild + - Path: `src/Signals/StellaOps.Signals/TASKS.md` + 1. [TODO] SIGNALS-24-001..005 — Signals service API, parsers, runtime ingest, scoring, caching/events. + - Team: Policy Guild + - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-SPL-24-001, POLICY-ENGINE-80-001..004 — SPL updates, evaluation integration, cache optimization, metrics. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-SIG-26-001..003 — Signals endpoints, reachability joins, simulation overrides. + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-SIG-26-001..004 — Reachability columns/overlays, explain drawer, center. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-SIG-26-001/002 — CLI commands for reachability upload/list/simulate. + - Team: Authority Core + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-SIG-26-001 — Signals scopes/roles with AOC requirements. 
+ - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-26-201/202 — Reachability joiner and staleness monitor jobs. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-SIG-26-001/002 — Deployment pipelines and observability for Signals. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-SIG-26-001..008 — Reachability concepts, formats, runtime, policy weighting, UI, CLI, API, migration docs. + - Team: Concelier/Excititor Guilds + - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` + 1. [TODO] CONCELIER-SIG-26-001, EXCITITOR-SIG-26-001 — Provide symbol/exploitability metadata to Signals. + - Team: Bench Guild + - Path: `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] BENCH-SIG-26-001/002 — Performance benchmarks for Signals and policy evaluation overhead. + +- Team Concelier Export Guild: read EXECPLAN.md Wave 12 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md`. Focus on CONCELIER-EXPORT-08-201 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. + +### Wave 13 +- Team Concelier Export Guild: read EXECPLAN.md Wave 13 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`. Focus on CONCELIER-EXPORT-08-202 (DONE 2025-10-19). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. + +### Wave 14 +- Team Concelier WebService Guild: read EXECPLAN.md Wave 14 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. CONCELIER-WEB-08-201 closed (2025-10-20); coordinate with DevOps for mirror smoke before promoting to stable. 
+ +### Wave 15 +- Team BE-Conn-Stella: read EXECPLAN.md Wave 15 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-001 (DONE 2025-10-20). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. + +### Wave 16 +- Team BE-Conn-Stella: read EXECPLAN.md Wave 16 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. FEEDCONN-STELLA-08-002 completed (2025-10-20) with canonical DTO mapper + provenance fixtures. + +### Wave 17 +- Team BE-Conn-Stella: read EXECPLAN.md Wave 17 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-003 (TODO). Confirm prerequisites (internal: FEEDCONN-STELLA-08-002 (Wave 16)) before starting and report status in module TASKS.md. + +## Wave 0 — 98 task(s) ready now +- **Sprint 1** · Backlog + - Team: UX Specialist, Angular Eng + - Path: `src/Web/StellaOps.Web/TASKS.md` + • Prereqs: WEB1.TRIVY-SETTINGS + • Current: DONE (2025-10-21) – ChromeHeadless launcher + README updates merged; dependency hardening completed via WEB1.DEPS-13-001. + • Prereqs: WEB1.TRIVY-SETTINGS-TESTS + • Current: DONE (2025-10-21) – Lockfile generated via `npm ci`, Chromium auto-detection/verification scripts added, and deterministic install guide published for offline runners. +- **Sprint 1** · Developer Tooling + - Team: DevEx/CLI + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] EXCITITOR-CLI-01-002 — EXCITITOR-CLI-01-002 – Export download & attestation UX + • Prereqs: EXCITITOR-CLI-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed) + • Current: TODO – Display export metadata (sha256, size, Rekor link), support optional artifact download path, and handle cache hits gracefully. + - Team: Docs/CLI + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. 
[TODO] EXCITITOR-CLI-01-003 — EXCITITOR-CLI-01-003 – CLI docs & examples for Excititor + • Prereqs: EXCITITOR-CLI-01-001 (external/completed) + • Current: TODO – Update docs/09_API_CLI_REFERENCE.md and quickstart snippets to cover Excititor verbs, offline guidance, and attestation verification workflow. +- **Sprint 1** · Stabilize In-Progress Foundations + - Team: Team Connector Resumption – CERT/RedHat + - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md` + 1. [DOING] FEEDCONN-REDHAT-02-001 — Fixture validation sweep — Instructions to work: — Regenerating RHSA fixtures awaits remaining range provenance patches; review snapshot diffs and update docs once upstream helpers land. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. + • Prereqs: — + • Current: DOING (2025-10-10) + - Team: Team WebService & Authority + - Path: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md` + 1. [DOING] SEC2.PLG — Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`; Serilog enrichment complete, storage durability tests in flight. + • Prereqs: — + • Current: DOING (2025-10-14) + 2. [DOING] SEC3.PLG — Ensure lockout responses carry rate-limit metadata through plugin logs/events; retry-after propagation and limiter tests underway. + • Prereqs: — + • Current: DOING (2025-10-14) + 3. [DOING] SEC5.PLG — Address plugin-specific mitigations in threat model backlog; mitigation items tracked, docs updates pending. + • Prereqs: — + • Current: DOING (2025-10-14) + 4. [BLOCKED] PLG4-6.CAPABILITIES — Finalise capability metadata exposure and docs once Authority rate-limiter stream (CORE8/SEC3) is stable; awaiting dependency unblock. + • Prereqs: — + • Current: BLOCKED (2025-10-12) + 5. 
[TODO] PLG6.DIAGRAM — Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. + • Prereqs: — + • Current: TODO + 6. [REVIEW] PLG7.RFC — Socialize LDAP plugin RFC and capture guild feedback; awaiting final review sign-off and follow-up issue tracking. + • Prereqs: — + • Current: REVIEW (2025-10-13) + - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` + 1. [DOING] FEEDWEB-DOCS-01-001 — Document authority toggle & scope requirements — Quickstart updates are staged; awaiting Docs guild review before publishing operator guide refresh. + • Prereqs: — + • Current: DOING (2025-10-10) + 3. [BLOCKED] FEEDWEB-OPS-01-007 — Authority resilience adoption — Roll out retry/offline knobs to deployment docs and align CLI parity once LIB5 resilience options land; unblock when library release is available and docs review completes. + • Prereqs: — + • Current: BLOCKED (2025-10-10) +- **Sprint 2** · Connector & Data Implementation Wave + - Team: Docs Guild, Plugin Team + - Path: `docs/TASKS.md` + 1. [REVIEW] DOC4.AUTH-PDG — Copy-edit `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, export lifecycle diagram, add LDAP RFC cross-link. + • Prereqs: — + • Current: REVIEW + - Team: Team Merge & QA Enforcement + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md` + 1. [DOING] FEEDMERGE-COORD-02-900 — Range primitives rollout coordination — Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) to emit canonical range primitives with provenance tags; fixtures tracked in `RANGE_PRIMITIVES_COORDINATION.md`. + • Prereqs: — + • Current: DOING (2025-10-20) – Coordination docs refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24); escalation plan defined if deadlines slip. 
+- **Sprint 3** · Backlog + - Team: Tools Guild, BE-Conn-MSRC + - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md` + 1. [**TODO] FEEDCONN-SHARED-STATE-003 — FEEDCONN-SHARED-STATE-003 Source state seeding helper + • Prereqs: — + • Current: **TODO (2025-10-15)** – Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. +- **Sprint 5** · Excititor Core Foundations + - Team: Team Excititor Attestation + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md` + 1. [TODO] EXCITITOR-ATTEST-01-003 — EXCITITOR-ATTEST-01-003 – Verification suite & observability + • Prereqs: EXCITITOR-ATTEST-01-002 (external/completed) + • Current: TODO – Add verification helpers for Worker/WebService, metrics/logging hooks, and negative-path regression tests. + - Team: Team Excititor WebService + - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` + 2. [TODO] EXCITITOR-WEB-01-003 — EXCITITOR-WEB-01-003 – Export & verify endpoints + • Prereqs: EXCITITOR-WEB-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-ATTEST-01-001 (external/completed) + • Current: TODO – Add `/excititor/export`, `/excititor/export/{id}`, `/excititor/export/{id}/download`, `/excititor/verify`, returning artifact + attestation metadata with cache awareness. +- **Sprint 6** · Excititor Ingest & Formats + - Team: Team Excititor Connectors – Cisco + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md` + 1. 
[TODO] EXCITITOR-CONN-CISCO-01-003 — EXCITITOR-CONN-CISCO-01-003 – Provider trust metadata + • Prereqs: EXCITITOR-CONN-CISCO-01-002 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) + • Current: TODO – Emit cosign/PGP trust metadata and advisory provenance hints for policy weighting. + - Team: Team Excititor Connectors – MSRC + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` + 1. [TODO] EXCITITOR-CONN-MS-01-002 — EXCITITOR-CONN-MS-01-002 – CSAF download pipeline + • Prereqs: EXCITITOR-CONN-MS-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) + • Current: TODO – Fetch CSAF packages with retry/backoff, checksum verification, and raw document persistence plus quarantine for schema failures. + - Team: Team Excititor Connectors – Oracle + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` + 1. [DOING] EXCITITOR-CONN-ORACLE-01-001 — EXCITITOR-CONN-ORACLE-01-001 – Oracle CSAF catalogue discovery + • Prereqs: EXCITITOR-CONN-ABS-01-001 (external/completed) + • Current: DOING (2025-10-17) – Implement catalogue discovery, CPU calendar awareness, and offline snapshot import for Oracle CSAF feeds. + - Team: Team Excititor Connectors – SUSE + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` + 1. [TODO] EXCITITOR-CONN-SUSE-01-002 — EXCITITOR-CONN-SUSE-01-002 – Checkpointed event ingestion + • Prereqs: EXCITITOR-CONN-SUSE-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) + • Current: TODO – Process hub events with resume checkpoints, deduplication, and quarantine path for malformed payloads. + - Team: Team Excititor Connectors – Ubuntu + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` + 1. 
[TODO] EXCITITOR-CONN-UBUNTU-01-002 — EXCITITOR-CONN-UBUNTU-01-002 – Incremental fetch & deduplication + • Prereqs: EXCITITOR-CONN-UBUNTU-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) + • Current: TODO – Fetch CSAF bundles with ETag handling, checksum validation, deduplication, and raw persistence. + - Team: Team Excititor Formats + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md` + 1. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-002 — EXCITITOR-FMT-CSAF-01-002 – Status/justification mapping + • Prereqs: EXCITITOR-FMT-CSAF-01-001 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) + • Current: DONE – Normalizer now emits policy-safe status/justification mappings and flags unsupported or missing evidence for audit diagnostics. + 2. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-003 — EXCITITOR-FMT-CSAF-01-003 – CSAF export adapter + • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CSAF-01-001 (external/completed) + • Current: DONE – CSAF exporter produces deterministic documents with reconciled product tree, vulnerability statuses, and export metadata. + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md` + 1. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-002 — EXCITITOR-FMT-CYCLONE-01-002 – Component reference reconciliation + • Prereqs: EXCITITOR-FMT-CYCLONE-01-001 (external/completed) + • Current: DONE – Component reconciler issues stable bom-refs, aggregates identifiers, and records diagnostics for missing SBOM linkage. + 2. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-003 — EXCITITOR-FMT-CYCLONE-01-003 – CycloneDX export serializer + • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CYCLONE-01-001 (external/completed) + • Current: DONE – CycloneDX exporter delivers canonical VEX payloads with reconciled components, per-claim analyses, and metadata for caching. 
+ - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md` + 1. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-002 — EXCITITOR-FMT-OPENVEX-01-002 – Statement merge utilities + • Prereqs: EXCITITOR-FMT-OPENVEX-01-001 (external/completed) + • Current: DONE – Merge utilities combine statements deterministically, highlight conflicts, and preserve source diagnostics for policy checks. + 2. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-003 — EXCITITOR-FMT-OPENVEX-01-003 – OpenVEX export writer + • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-OPENVEX-01-001 (external/completed) + • Current: DONE – OpenVEX exporter serializes merged statements with canonical ordering, provenance metadata, and deterministic digests. + +- **Sprint 7** · Contextual Truth Foundations + - Team: Team Excititor Export + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` + • Prereqs: EXCITITOR-EXPORT-01-004 (external/completed), EXCITITOR-CORE-02-001 (external/completed) + • Current: TODO – Emit consensus+score envelopes in export manifests, include policy/scoring digests, and update offline bundle/ORAS layouts to carry signed VEX responses. + +- **Sprint 9** · Docs & Governance + + - Team: Runtime Guild + - Path: `docs/TASKS.md` + 1. [TODO] RUNTIME-GUILD-09-402 — Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. + • Prereqs: SCANNER-POLICY-09-107 (external/completed) + • Current: TODO +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-302B (external/completed) + • Current: DONE — Telemetry counter wired, lifecycle script evidence emitted; see Node analyzer fixtures. 
+- **Sprint 10** · Scanner Analyzers & SBOM + - Team: Diff Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md` + • Prereqs: — + • Current: DONE — Diff engine produces deterministic add/remove/version deltas; regression suite covers warm/cold path parity. + • Prereqs: — + • Current: DONE — Layer attribution recorded on every change; fixtures assert provenance integrity. + • Prereqs: — + • Current: DONE — JSON serializer emits stable ordering; golden outputs locked in tests. + - Team: Emit Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` + • Prereqs: — + • Current: DONE — Inventory builder validated against CycloneDX schema; deterministic fixtures added. + • Prereqs: — + • Current: DONE — Usage view toggles wired; tests confirm subset alignment with EntryTrace signals. + • Prereqs: — + • Current: DONE — BOM Index format published with roaring bitmap helpers; golden fixtures locked. + • Prereqs: — + • Current: DONE — Export packaging deterministic; integration test with storage succeeds. + • Prereqs: — + • Current: DONE — `bom-index@1` schema + fixtures published; Scheduler notes updated. + • Prereqs: — + • Current: DONE — EntryTrace usage bits round-trip in BOM Index; regression harness verified. + - Team: EntryTrace Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md` + • Prereqs: — + • Current: DONE — Parser emits stable AST; determinism tests captured. + • Prereqs: — + • Current: DONE — Resolver walks layered PATH with provenance evidence; fixtures validate. + • Prereqs: — + • Current: DONE — Interpreter tracer resolves Python/Node/Java hand-offs; golden graphs updated. + • Prereqs: — + • Current: DONE — Python analyzer surfaces venv/module details; usage flag propagated. + • Prereqs: — + • Current: DONE — Node/Java launchers traced end-to-end; evidence attached for each hop. + • Prereqs: — + • Current: DONE — Diagnostics enumerated, metrics emitted via `EntryTraceMetrics`. 
+ • Prereqs: — + • Current: DONE — Plug-in manifests under `plugins/scanner/entrytrace`; restart-only guard documented. + - Team: Language Analyzer Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md` + • Prereqs: — + • Current: DONE — Implementation plan captured per language with progress notes through 2025-10-22. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` + • Prereqs: — + • Current: DONE — Java analyzer shipped with deterministic fixtures. + • Prereqs: — + • Current: DONE — Shared helpers live under Lang.Core and are consumed by Java/Node analyzers. + • Prereqs: — + • Current: DONE — Determinism harness + fixtures checked in; CI guard active. +- **Sprint 13** · UX & CLI Experience + - Team: DevEx/CLI + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-RUNTIME-13-005 — Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. + • Prereqs: — + • Current: TODO +- **Sprint 15** · Notify Foundations + - Team: Notify Models Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md` + 1. [TODO] NOTIFY-MODELS-15-101 — Define core Notify DTOs, validation helpers, canonical serialization. + • Prereqs: — + • Current: TODO + 2. [TODO] NOTIFY-MODELS-15-102 — Publish schema docs and sample payloads for Notify. + • Prereqs: — + • Current: TODO + 3. [TODO] NOTIFY-MODELS-15-103 — Versioning/migration helpers for rules/templates/deliveries. + • Prereqs: — + • Current: TODO + - Team: Notify Storage Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md` + 1. [TODO] NOTIFY-STORAGE-15-201 — Mongo schemas/indexes for rules, channels, deliveries, digests, locks, audit. + • Prereqs: — + • Current: TODO + 2. [TODO] NOTIFY-STORAGE-15-202 — Repositories with tenant scoping, soft delete, TTL, causal consistency options. + • Prereqs: — + • Current: TODO + 3. 
[TODO] NOTIFY-STORAGE-15-203 — Delivery history retention and query APIs. + • Prereqs: — + • Current: TODO + - Team: Notify WebService Guild + - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` + 1. [TODO] NOTIFY-WEB-15-101 — Minimal API host with Authority enforcement and plug-in loading. + • Prereqs: — + • Current: TODO + 2. [TODO] NOTIFY-WEB-15-102 — Rules/channel/template CRUD with audit logging. + • Prereqs: — + • Current: TODO + - Team: Scanner WebService Guild + - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` + 2. [BLOCKED] SCANNER-EVENTS-16-301 — Redis publisher integration tests once Notify queue adapter ships. + • Current: BLOCKED – waiting on Notify queue abstraction and Redis adapter deliverables for end-to-end validation. +- **Sprint 16** · Scheduler Intelligence + + - Team: Scheduler Storage Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` + 1. [TODO] SCHED-STORAGE-16-201 — Create Mongo collections (schedules, runs, impact_cursors, locks, audit) with indexes/migrations per architecture. + • Prereqs: SCHED-MODELS-16-101 (external/completed) + • Current: TODO + - Team: Scheduler WebService Guild + - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` + 1. [TODO] SCHED-WEB-16-101 — Bootstrap Minimal API host with Authority OpTok + DPoP, health endpoints, plug-in discovery per architecture §§1–2. + • Prereqs: SCHED-MODELS-16-101 (external/completed) + • Current: TODO +- **Sprint 18** · Launch Readiness + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-LAUNCH-18-100 - Finalise production environment footprint (clusters, secrets, network overlays) for full-platform go-live. + • Prereqs: — + • Current: TODO + 2. [TODO] DEVOPS-LAUNCH-18-900 - Collect "full implementation" sign-off from module owners and consolidate the launch readiness checklist. + • Prereqs: Wave 0 completion + • Current: TODO + 3. 
[TODO] DEVOPS-LAUNCH-18-001 - Production launch cutover rehearsal and runbook publication. + • Prereqs: DEVOPS-LAUNCH-18-100, DEVOPS-LAUNCH-18-900 + • Current: TODO + - Team: Offline Kit Guild, UX Specialist + - Path: `ops/offline-kit/TASKS.md` + 1. [TODO] DEVOPS-OFFLINE-18-003 — Capture Angular workspace npm cache + Chromium bundle for Offline Kit distribution and document refresh cadence. + • Prereqs: DEVOPS-OFFLINE-14-002 (Wave 2) + • Current: TODO + +## Wave 1 — 45 task(s) ready after Wave 0 +- **Sprint 6** · Excititor Ingest & Formats + - Team: Team Excititor Connectors – MSRC + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` + 1. [TODO] EXCITITOR-CONN-MS-01-003 — EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints + • Prereqs: EXCITITOR-CONN-MS-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) + • Current: TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. + - Team: Team Excititor Connectors – Oracle + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` + 1. [TODO] EXCITITOR-CONN-ORACLE-01-002 — EXCITITOR-CONN-ORACLE-01-002 – CSAF download & dedupe pipeline + • Prereqs: EXCITITOR-CONN-ORACLE-01-001 (Wave 0), EXCITITOR-STORAGE-01-003 (external/completed) + • Current: TODO – Fetch CSAF documents with retry/backoff, checksum validation, revision deduplication, and raw persistence. + - Team: Team Excititor Connectors – SUSE + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` + 1. [TODO] EXCITITOR-CONN-SUSE-01-003 — EXCITITOR-CONN-SUSE-01-003 – Trust metadata & policy hints + • Prereqs: EXCITITOR-CONN-SUSE-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) + • Current: TODO – Emit provider trust configuration (signers, weight overrides) and attach provenance hints for consensus engine. 
+ - Team: Team Excititor Connectors – Ubuntu + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` + 1. [TODO] EXCITITOR-CONN-UBUNTU-01-003 — EXCITITOR-CONN-UBUNTU-01-003 – Trust metadata & provenance + • Prereqs: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) + • Current: TODO – Emit Ubuntu signing metadata (GPG fingerprints) plus provenance hints for policy weighting and diagnostics. + - Team: Team Excititor Worker + - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` + 1. [TODO] EXCITITOR-WORKER-01-003 — EXCITITOR-WORKER-01-003 – Verification & cache GC loops + • Prereqs: EXCITITOR-WORKER-01-001 (external/completed), EXCITITOR-ATTEST-01-003 (Wave 0), EXCITITOR-EXPORT-01-002 (external/completed) + • Current: TODO – Add scheduled attestation re-verification and cache pruning routines, surfacing metrics for export reuse ratios. +- **Sprint 7** · Contextual Truth Foundations + - Team: Team Excititor Export + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` + • Prereqs: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0) + • Current: TODO – Attach `quietedBy` statement IDs, signers, and justification codes to exports/offline bundles, mirror metadata into attested manifest, and add regression fixtures. +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — RID-aware deps/runtimeconfig parser emitting deterministic NuGet components with tests landed. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE – Varint build-info decoder implemented with fixtures and determinism harness coverage. 
+ - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-302C (Wave 0) + • Current: DONE — Node analyzer now reuses shared metadata/evidence helpers. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Python analyzer ingests METADATA/WHEEL/entry_points with deterministic ordering and UTF-8 normalization. Fixtures updated (`simple-venv`). + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Cargo metadata walker emits `pkg:cargo` components with provenance and deterministic fixtures. +- **Sprint 10** · Scanner Analyzers & SBOM + - Team: Emit Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` + • Prereqs: SCANNER-EMIT-10-604 (Wave 0), POLICY-CORE-09-005 (Wave 0) + • Current: DONE — SBOM/attestation fixtures include scoring metadata and serialize deterministically. + - Team: Language Analyzer Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-301 (Wave 0) + • Current: DONE — Manifest published under `plugins/scanner/analyzers/lang/`, Worker loader wired, integration tests updated. + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Rust analyzer emits cargo components with provenance and deterministic fallbacks. + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Workspace/symlink coverage validated via determinism fixtures; metrics + lifecycle script evidence landed. + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Buildinfo decoder + DWARF fallbacks captured; fixtures and benchmarks green. 
+ • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — RID-aware deps/runtimeconfig parser emits deterministic NuGet components; tests landed. + • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) + • Current: DONE — Dist-info parser, RECORD verifier, editable install metadata, and entrypoint usage hints shipped with deterministic fixture/tests. +- **Sprint 13** · UX & CLI Experience + - Team: DevEx/CLI, QA Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-RUNTIME-13-009 — CLI-RUNTIME-13-009 – Runtime policy smoke fixture + • Prereqs: CLI-RUNTIME-13-005 (Wave 0) + • Current: TODO – Build Spectre test harness exercising `runtime policy test` against a stubbed backend to lock output shape (table + `--json`) and guard regressions. Integrate into `dotnet test` suite. + - Team: UX Specialist, Angular Eng, DevEx + - Path: `src/Web/StellaOps.Web/TASKS.md` + • Prereqs: WEB1.TRIVY-SETTINGS-TESTS (Wave 0) + • Current: TODO – Capture deterministic lockfile flow, cache Puppeteer downloads, validate `npm test` from clean checkout offline, and update README. + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-VEX-13-003 — Implement VEX explorer + policy editor with preview integration. + • Prereqs: EXCITITOR-CORE-02-001 (external/completed), EXCITITOR-EXPORT-01-005 (Wave 0) + • Current: TODO + 2. [TODO] UI-POLICY-13-007 — Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. + • Prereqs: POLICY-CORE-09-006 (Wave 0), SCANNER-WEB-09-103 (external/completed) + • Current: TODO + 3. [TODO] UI-ADMIN-13-004 — Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. + • Prereqs: AUTH-MTLS-11-002 (Wave 0) + • Current: TODO + • Prereqs: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0) + • Current: TODO + 5. [TODO] UI-SCANS-13-002 — Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets. 
+ • Prereqs: SCANNER-WEB-09-102 (external/completed), SIGNER-API-11-101 (Wave 0) + • Current: TODO + • Prereqs: NOTIFY-WEB-15-101 (Wave 0) + • Current: TODO + 7. [TODO] UI-SCHED-13-005 — Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks. + • Prereqs: SCHED-WEB-16-101 (Wave 0) + • Current: TODO +- **Sprint 13** · Platform Reliability + - Team: DevOps Guild, Platform Leads + - Path: `ops/devops/TASKS.md` + • Prereqs: DEVOPS-REL-14-001 (Wave 1) + • Current: DOING – Mirror preview packages into Offline Kit/allowlisted feeds, update NuGet.config mapping, and refresh restore documentation. + 2. [TODO] DEVOPS-UI-13-006 — Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting. + • Current: TODO – Extend release/offline pipelines to run `npm run test:e2e`, publish traces on failure, and ensure stub config assets ship alongside the UI bundle. +- **Sprint 14** · Release & Offline Ops + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [DOING 2025-10-23] DEVOPS-REL-14-001 — Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation. + • Current: TODO + - Team: Licensing Guild + - Path: `ops/licensing/TASKS.md` + 1. [TODO] DEVOPS-LIC-14-004 — Implement registry token service tied to Authority (DPoP/mTLS), plan gating, revocation handling, and monitoring per architecture. + • Prereqs: AUTH-MTLS-11-002 (Wave 0) + • Current: TODO +- **Sprint 15** · Notify Foundations + - Team: Notify Engine Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` + 1. [DOING (2025-10-24)] NOTIFY-ENGINE-15-301 — Rules evaluation core: tenant/kind filters, severity/delta gates, VEX gating, throttling, idempotency key generation. 
+ • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) + • Current: DOING (2025-10-24) + - Team: Notify Queue Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` + • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) + • Current: DONE — Redis transport, queue contracts, and integration tests delivered (2025-10-23). + +- **Sprint 16** · Scheduler Intelligence + - Team: Scheduler ImpactIndex Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` + 1. [TODO] SCHED-IMPACT-16-301 — Implement ingestion of per-image BOM-Index sidecars into roaring bitmap store (contains/usedBy). + • Prereqs: SCANNER-EMIT-10-605 (Wave 0) + • Current: TODO + + - Team: Scheduler Storage Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` + 1. [TODO] SCHED-STORAGE-16-203 — Audit/logging pipeline + run stats materialized views for UI. + • Prereqs: SCHED-STORAGE-16-201 (Wave 0) + • Current: TODO + 2. [TODO] SCHED-STORAGE-16-202 — Implement repositories/services with tenant scoping, soft delete, TTL for completed runs, and causal consistency options. + • Prereqs: SCHED-STORAGE-16-201 (Wave 0) + • Current: TODO + - Team: Scheduler WebService Guild + - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` + 1. [TODO] SCHED-WEB-16-104 — Webhook endpoints for Feedser/Vexer exports with mTLS/HMAC validation and rate limiting. + • Prereqs: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0) + • Current: TODO + 2. [TODO] SCHED-WEB-16-102 — Implement schedules CRUD (tenant-scoped) with cron validation, pause/resume, audit logging. + • Prereqs: SCHED-WEB-16-101 (Wave 0) + • Current: TODO + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-16-201 — Planner loop (cron + event triggers) with lease management, fairness, and rate limiting (§6). 
+ • Prereqs: SCHED-QUEUE-16-401 (Wave 0) + • Current: TODO +- **Sprint 17** · Symbol Intelligence & Forensics + - Team: Emit Guild + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` + 1. [TODO] SCANNER-EMIT-17-701 — Record GNU build-id for ELF components and surface it in inventory/usage SBOM plus diff payloads with deterministic ordering. + • Prereqs: SCANNER-EMIT-10-602 (Wave 0) + • Current: TODO + +## Wave 2 — 29 task(s) ready after Wave 1 +- **Sprint 6** · Excititor Ingest & Formats + - Team: Team Excititor Connectors – Oracle + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` + 1. [TODO] EXCITITOR-CONN-ORACLE-01-003 — EXCITITOR-CONN-ORACLE-01-003 – Trust metadata + provenance + • Prereqs: EXCITITOR-CONN-ORACLE-01-002 (Wave 1), EXCITITOR-POLICY-01-001 (external/completed) + • Current: TODO – Emit Oracle signing metadata (PGP/cosign) and provenance hints for consensus weighting. +- **Sprint 7** · Contextual Truth Foundations + - Team: Team Excititor Export + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` + • Prereqs: EXCITITOR-EXPORT-01-006 (Wave 1) + • Current: TODO – Create per-domain mirror bundles with consensus/score artifacts, publish signed index for downstream Excititor sync, and ensure deterministic digests + fixtures. +- **Sprint 9** · DevOps Foundations + - Team: DevOps Guild, Notify Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-SCANNER-09-205 — Add Notify smoke stage that tails the Redis stream and asserts `scanner.report.ready`/`scanner.scan.completed` reach Notify WebService in staging. 
+ • Prereqs: DEVOPS-SCANNER-09-204 (Wave 1) + • Current: TODO +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) + • Current: DONE — Assembly metadata now emits strong-name, file/product info, and optional Authenticode signals with deterministic fixtures/tests. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-304A (Wave 1) + • Current: DONE — DWARF fallback parses vcs.* markers, cache reuses metadata keyed by file identity. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307N (Wave 1) + • Current: DONE — Harness + fixtures merged; benchmark CSV recorded under `src/Bench/StellaOps.Bench/Scanner.Analyzers`. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-303A (Wave 1) + • Current: DONE — Streaming SHA-256 verification with deterministic mismatch evidence; unsupported algorithms tracked; fixtures validated. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-306A (Wave 1) + • Current: DONE — Heuristic classifier flags stripped binaries, regression tests guard false positives. +- **Sprint 10** · DevOps Perf + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + • Prereqs: BENCH-SCANNER-10-002 (Wave 1) + • Current: DONE (2025-10-23) +- **Sprint 10** · Samples + - Team: Samples Guild, Policy Guild + - Path: `samples/TASKS.md` + • Prereqs: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1) + • Current: DONE (2025-10-23) + - Team: UI Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + • Prereqs: SAMPLES-13-004 (Wave 0) + • Current: DONE (2025-10-23) +- **Sprint 14** · Release & Offline Ops + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. 
[TODO] DEVOPS-OPS-14-003 — Document and script upgrade/rollback flows, channel management, and compatibility matrices per architecture. + • Prereqs: DEVOPS-REL-14-001 (Wave 1) + • Current: TODO + - Team: Offline Kit Guild + - Path: `ops/offline-kit/TASKS.md` + 1. [TODO] DEVOPS-OFFLINE-14-002 — Build offline kit packaging workflow (artifact bundling, manifest generation, signature verification). + • Prereqs: DEVOPS-REL-14-001 (Wave 1) + • Current: TODO +- **Sprint 15** · Benchmarks + - Team: Bench Guild, Notify Team + - Path: `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] BENCH-NOTIFY-15-001 — Notify dispatch throughput bench (vary rule density) with results CSV. + • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) + • Current: TODO +- **Sprint 15** · Notify Foundations + - Team: Notify Engine Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` + 1. [TODO] NOTIFY-ENGINE-15-302 — Action planner + digest coalescer with window management and dedupe per architecture §4. + • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) + • Current: TODO + - Team: Notify Queue Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` + • Current: DONE — delivery queue + retry/dead-letter pipeline shipped with integration tests and metrics (2025-10-23). + • Current: DONE — JetStream transport, DI binding, health check, and integration tests delivered (2025-10-23). + - Team: Notify WebService Guild + - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` + 1. [TODO] NOTIFY-WEB-15-104 — Configuration binding for Mongo/queue/secrets; startup diagnostics. + • Current: TODO + - Team: Notify Worker Guild + - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` + • Current: DONE — worker leasing loop wired to queue adapters with retry/backoff telemetry (2025-10-23). + 2. [TODO] NOTIFY-WORKER-15-202 — Wire rules evaluation pipeline (tenant scoping, filters, throttles, digests, idempotency) with deterministic decisions. 
+ • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) + • Current: TODO +- **Sprint 16** · Benchmarks + - Team: Bench Guild, Scheduler Team + - Path: `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] BENCH-IMPACT-16-001 — ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. + • Prereqs: SCHED-IMPACT-16-301 (Wave 1) + • Current: TODO +- **Sprint 16** · Scheduler Intelligence + - Team: Scheduler ImpactIndex Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` + 1. [TODO] SCHED-IMPACT-16-303 — Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. + • Prereqs: SCHED-IMPACT-16-301 (Wave 1) + • Current: TODO + 2. [TODO] SCHED-IMPACT-16-302 — Provide query APIs (ResolveByPurls, ResolveByVulns, ResolveAll, selectors) with tenant/namespace filters. + • Prereqs: SCHED-IMPACT-16-301 (Wave 1) + • Current: TODO + - Team: Scheduler WebService Guild + - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` + 1. [TODO] SCHED-WEB-16-103 — Runs API (list/detail/cancel), ad-hoc run POST, and impact preview endpoints. + • Prereqs: SCHED-WEB-16-102 (Wave 1) + • Current: TODO + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-16-202 — Wire ImpactIndex targeting (ResolveByPurls/vulns), dedupe, shard planning. + • Prereqs: SCHED-IMPACT-16-301 (Wave 1) + • Current: TODO + 2. [TODO] SCHED-WORKER-16-205 — Metrics/telemetry: run stats, queue depth, planner latency, delta counts. + • Prereqs: SCHED-WORKER-16-201 (Wave 1) + • Current: TODO +- **Sprint 17** · Symbol Intelligence & Forensics + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-REL-17-002 — Persist stripped-debug artifacts organised by GNU build-id and bundle them into release/offline kits with checksum manifests. 
+ • Prereqs: DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1) + • Current: TODO + +## Wave 3 — 14 task(s) ready after Wave 2 +- **Sprint 7** · Contextual Truth Foundations + - Team: Excititor Connectors – Stella + - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` + • Prereqs: EXCITITOR-EXPORT-01-007 (Wave 2) + • Current: TODO +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) + • Current: DONE — Self-contained fixtures emit components with RID flags; EntryTrace usage hints preserved. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-304B (Wave 2) + • Current: DONE — `bin:{sha256}` fallback + quiet provenance docs shipped with determinism fixtures. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-308N (Wave 2) + • Current: DONE — Manifest shipped, Worker catalog integration complete, Offline Kit docs updated. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-303B (Wave 2) + • Current: DONE — `direct_url.json` editable insights surfaced; EntryTrace usage hints mark console scripts; deterministic fixture covers editable vs wheel installs. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-306B (Wave 2) + • Current: DONE — Hash fallback wired through shared helpers; fixtures ensure deterministic output. +- **Sprint 13** · UX & CLI Experience + + - Team: DevEx/CLI, Scanner WebService Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. 
[TODO] CLI-RUNTIME-13-008 — CLI-RUNTIME-13-008 – Runtime policy contract sync + • Current: TODO – Once `/api/v1/scanner/policy/runtime` exits TODO, verify CLI output against final schema (field names, metadata) and update formatter/tests if the contract moves. Capture joint review notes in docs/09 and link Scanner task sign-off. +- **Sprint 15** · Notify Foundations + - Team: Notify Engine Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` + 1. [TODO] NOTIFY-ENGINE-15-303 — Template rendering engine (Slack, Teams, Email, Webhook) with helpers and i18n support. + • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) + • Current: TODO + - Team: Notify Worker Guild + - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` + 1. [TODO] NOTIFY-WORKER-15-203 — Channel dispatch orchestration: invoke connectors, manage retries/jitter, record delivery outcomes. + • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) + • Current: TODO +- **Sprint 16** · Scheduler Intelligence + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-16-203 — Runner execution: call Scanner `/reports` (analysis-only) or `/scans` when configured; collect deltas; handle retries. + • Prereqs: SCHED-WORKER-16-202 (Wave 2) + • Current: TODO +- **Sprint 17** · Symbol Intelligence & Forensics + - Team: Zastava Observer Guild + - Path: `src/Zastava/StellaOps.Zastava.Observer/TASKS.md` + • Current: DONE — Build-id capture wired through RuntimeProcessCollector + RuntimeEventFactory; docs/runbook updated with debug-store workflow. + +## Wave 4 — 15 task(s) ready after Wave 3 +- **Sprint 7** · Contextual Truth Foundations + - Team: Excititor Connectors – Stella + - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` + 1. [TODO] EXCITITOR-CONN-STELLA-07-002 — Normalize mirror bundles into VexClaim sets referencing original provider metadata and mirror provenance. 
+ • Prereqs: EXCITITOR-CONN-STELLA-07-001 (Wave 3) + • Current: TODO +- **Sprint 9** · Policy Foundations + - Team: Policy Guild, Scanner WebService Guild + - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md` + • Current: TODO +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-305C (Wave 3) + • Current: DONE 2025-10-22 + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-304C (Wave 3) + • Current: DONE — Shared helpers integrated; concurrency tests verify buffer reuse. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + 1. [TODO] SCANNER-ANALYZERS-LANG-10-307P — Shared helper integration (license metadata, quiet provenance, component merging). + • Prereqs: SCANNER-ANALYZERS-LANG-10-303C (Wave 3) + • Current: TODO + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + 1. [DOING] SCANNER-ANALYZERS-LANG-10-307R — Finalize shared helper usage (license, usage flags) and concurrency-safe caches. + • Prereqs: SCANNER-ANALYZERS-LANG-10-306C (Wave 3) + • Current: TODO +- **Sprint 13** · UX & CLI Experience + - Team: DevEx/CLI + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + • Prereqs: CLI-RUNTIME-13-005 (Wave 0), CLI-OFFLINE-13-006 (Wave 3) + • Current: TODO – Package non-core verbs as restart-time plug-ins (manifest + loader updates, tests ensuring no hot reload). +- **Sprint 15** · Notify Foundations + - Team: Notify Connectors Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` + 1. [TODO] NOTIFY-CONN-EMAIL-15-701 — Implement SMTP connector with STARTTLS/implicit TLS support, HTML+text rendering, attachment policy enforcement. + • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) + • Current: TODO + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md` + 1. 
[TODO] NOTIFY-CONN-SLACK-15-501 — Implement Slack connector with bot token auth, message rendering (blocks), rate limit handling, retries/backoff. + • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) + • Current: TODO + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md` + 1. [TODO] NOTIFY-CONN-TEAMS-15-601 — Implement Teams connector using Adaptive Cards 1.5, handle webhook auth, size limits, retries. + • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) + • Current: TODO + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md` + 1. [TODO] NOTIFY-CONN-WEBHOOK-15-801 — Implement webhook connector: JSON payload, signature (HMAC/Ed25519), retries/backoff, status code handling. + • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) + • Current: TODO + - Team: Notify Engine Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` + 1. [TODO] NOTIFY-ENGINE-15-304 — Test-send sandbox + preview utilities for WebService. + • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) + • Current: TODO + - Team: Notify Worker Guild + - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` + 1. [TODO] NOTIFY-WORKER-15-204 — Metrics/telemetry: `notify.sent_total`, `notify.dropped_total`, latency histograms, tracing integration. + • Prereqs: NOTIFY-WORKER-15-203 (Wave 3) + • Current: TODO +- **Sprint 16** · Scheduler Intelligence + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-16-204 — Emit events (`scheduler.rescan.delta`, `scanner.report.ready`) for Notify/UI with summaries. + • Prereqs: SCHED-WORKER-16-203 (Wave 3) + • Current: TODO +- **Sprint 17** · Symbol Intelligence & Forensics + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-RUNTIME-17-004 — Document build-id workflows: SBOM exposure, runtime event payloads, debug-store layout, and operator guidance for symbol retrieval. 
+ • Current: TODO + +## Wave 5 — 10 task(s) ready after Wave 4 +- **Sprint 7** · Contextual Truth Foundations + - Team: Excititor Connectors – Stella + - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` + 1. [TODO] EXCITITOR-CONN-STELLA-07-003 — Implement incremental cursor handling per-export digest, support resume, and document configuration for downstream Excititor mirrors. + • Prereqs: EXCITITOR-CONN-STELLA-07-002 (Wave 4) + • Current: TODO +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307D (Wave 4) + • Current: DONE — fixtures + benchmarks merged 2025-10-23 + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307G (Wave 4) + • Current: DONE — Fixtures and benchmark harness merged; perf delta captured vs competitor. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-307P (Wave 4) + • Current: DONE — Fixtures `simple-venv`, `pip-cache`, `layered-editable` + hash throughput benchmarks merged 2025-10-23. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + 1. [TODO] SCANNER-ANALYZERS-LANG-10-308R — Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. + • Prereqs: SCANNER-ANALYZERS-LANG-10-307R (Wave 4) + • Current: TODO +- **Sprint 15** · Notify Foundations + - Team: Notify Connectors Guild + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` + 1. [BLOCKED] NOTIFY-CONN-EMAIL-15-702 — Add DKIM signing optional support and health/test-send flows. + • Prereqs: NOTIFY-CONN-EMAIL-15-701 (Wave 4) + • Current: BLOCKED – waiting on base SMTP connector implementation (NOTIFY-CONN-EMAIL-15-701). 
+ - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md` + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md` + - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md` + 1. [DOING] NOTIFY-CONN-WEBHOOK-15-802 — Health/test-send support with signature validation hints and secret management. + • Prereqs: NOTIFY-CONN-WEBHOOK-15-801 (Wave 4) + • Current: TODO +- **Sprint 17** · Symbol Intelligence & Forensics + - Team: Scanner WebService Guild + - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` + • Current: DONE — runtime events normalize digests/build IDs, policy responses/CLI emit `buildIds`, docs/tests updated for debug-store workflows. + +## Wave 6 — 8 task(s) ready after Wave 5 +- **Sprint 10** · Backlog + - Team: TBD + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-308D (Wave 5) + • Current: DONE — manifest + Offline Kit docs updated 2025-10-23 + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-308G (Wave 5) + • Current: DONE — Manifest copied, Worker DI registration verified, Offline Kit docs updated. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` + • Prereqs: SCANNER-ANALYZERS-LANG-10-308P (Wave 5) + • Current: DONE — Manifest copied, Worker integration verified, Offline Kit docs updated with Python plug-in guidance. + - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` + 1. [TODO] SCANNER-ANALYZERS-LANG-10-309R — Package plug-in manifest + Offline Kit documentation; ensure Worker integration. 
+ • Prereqs: SCANNER-ANALYZERS-LANG-10-308R (Wave 5) + • Current: TODO +- **Sprint 7** · Contextual Truth Foundations + - Team: Team Normalization & Storage Backbone + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` + • Prereqs: FEEDMERGE-ENGINE-07-001 (Wave 11) + • Current: TODO – Create `advisory_statements` (immutable) and `advisory_conflicts` collections, define `asOf`/`vulnerabilityKey` indexes, and document migration/rollback steps for event-sourced merge. + +## Wave 7 — 52 task(s) ready after Wave 6 +- **Sprint 20** · Policy Engine v2 + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-20-000 — New Policy Engine service host, DI bootstrap, Authority scaffolding. + • Prereqs: POLICY-AOC-19-001 (Wave 1) + • Current: TODO + 2. [TODO] POLICY-ENGINE-20-001 — `stella-dsl@1` parser + IR compiler with diagnostics/checksums. + • Prereqs: POLICY-ENGINE-20-000 (Wave 7) + • Current: TODO + 3. [TODO] POLICY-ENGINE-20-002 — Deterministic evaluator (priority/first-match, safe intrinsics). + • Prereqs: POLICY-ENGINE-20-001 (Wave 7) + • Current: TODO + 4. [TODO] POLICY-ENGINE-20-005 — Determinism guard preventing wall-clock/network/RNG usage. + • Prereqs: POLICY-ENGINE-20-002 (Wave 7) + • Current: TODO + 5. [TODO] POLICY-ENGINE-20-008 — Unit/property/golden/perf suites proving determinism + SLA. + • Prereqs: POLICY-ENGINE-20-002/003/004/005/006/007 (Wave 7) + • Current: TODO + 6. [TODO] POLICY-ENGINE-20-007 — Metrics/traces/log sampling for policy runs/rule hits. + • Prereqs: POLICY-ENGINE-20-002 (Wave 7) + • Current: TODO + 7. [TODO] POLICY-ENGINE-20-009 — Mongo schemas/indexes + migrations for policies/runs/findings. + • Prereqs: POLICY-ENGINE-20-000 & POLICY-ENGINE-20-004 (Wave 7) + • Current: TODO + - Team: Policy Guild · Data Joiners + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-20-003 — SBOM↔advisory↔VEX joiners using linksets. 
+ • Prereqs: POLICY-ENGINE-20-001 (Wave 7), CONCELIER-POLICY-20-002 (Wave 7), EXCITITOR-POLICY-20-002 (Wave 7) + • Current: TODO + 2. [TODO] POLICY-ENGINE-20-004 — Materialization writer to `effective_finding_*` with append-only history. + • Prereqs: POLICY-ENGINE-20-003 (Wave 7), CONCELIER-POLICY-20-003 (Wave 7), EXCITITOR-POLICY-20-003 (Wave 7) + • Current: TODO + 3. [TODO] POLICY-ENGINE-20-006 — Incremental orchestrator reacting to change streams. + • Prereqs: POLICY-ENGINE-20-003/004 (Wave 7), SCHED-WORKER-20-301 (Wave 7) + • Current: TODO +- **Sprint 20** · Policy API Surface + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-POLICY-20-001 — Policy CRUD/compile/run/simulate/findings/explain endpoints. + • Prereqs: POLICY-ENGINE-20-001/004 (Wave 7), AUTH-POLICY-20-001 (Wave 7) + • Current: TODO + 2. [TODO] WEB-POLICY-20-002 — Pagination, filters, deterministic ordering. + • Prereqs: WEB-POLICY-20-001 (Wave 7) + • Current: TODO + 3. [TODO] WEB-POLICY-20-003 — Error mapping to `ERR_POL_*` with contract tests. + • Prereqs: WEB-POLICY-20-001 (Wave 7) + • Current: TODO + 4. [TODO] WEB-POLICY-20-004 — Simulation rate limits + metrics/headers. + • Prereqs: WEB-POLICY-20-001/002 (Wave 7) + • Current: TODO +- **Sprint 20** · Policy Console + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-POLICY-20-001 — Monaco editor with inline diagnostics/compliance checklist. + • Prereqs: WEB-POLICY-20-001 (Wave 7) + • Current: TODO + 2. [TODO] UI-POLICY-20-002 — Simulation diff panel with virtualization + deltas. + • Prereqs: UI-POLICY-20-001 (Wave 7), WEB-POLICY-20-001/002 (Wave 7) + • Current: TODO + 3. [TODO] UI-POLICY-20-003 — Submit/review/approve workflow with RBAC + audit log. + • Prereqs: UI-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7) + • Current: TODO + 4. [TODO] UI-POLICY-20-004 — Run viewer dashboards (rule heatmap, VEX wins, suppressions). 
+ • Prereqs: POLICY-ENGINE-20-006/007 (Wave 7), WEB-POLICY-20-001 (Wave 7) + • Current: TODO +- **Sprint 20** · Policy CLI + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-POLICY-20-001 — `policy new|edit|submit|approve` commands. + • Prereqs: WEB-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7) + • Current: TODO + 2. [TODO] CLI-POLICY-20-002 — `policy simulate` with diff rendering + exit codes. + • Prereqs: CLI-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) + • Current: TODO + 3. [TODO] CLI-POLICY-20-003 — `findings ls|get` policy-aware filters + explain output. + • Prereqs: WEB-POLICY-20-001/002 (Wave 7) + • Current: TODO +- **Sprint 20** · Policy Selection Services + - Team: Concelier WebService Guild + - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` + 1. [TODO] CONCELIER-POLICY-20-001 — Advisory selection endpoints for policy engine. + • Prereqs: CONCELIER-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7) + • Current: TODO + - Team: Concelier Core Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` + 1. [TODO] CONCELIER-POLICY-20-002 — Linkset enrichment with equivalence tables/ranges. + • Prereqs: CONCELIER-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7) + • Current: TODO + - Team: Concelier Storage Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` + 1. [TODO] CONCELIER-POLICY-20-003 — Selection cursors + change-stream checkpoints. + • Prereqs: CONCELIER-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7) + • Current: TODO + - Team: Excititor WebService Guild + - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` + 1. [TODO] EXCITITOR-POLICY-20-001 — VEX selection APIs (batch PURL/ID, tenant filters). + • Prereqs: EXCITITOR-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7) + • Current: TODO + - Team: Excititor Core Guild + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` + 1. 
[TODO] EXCITITOR-POLICY-20-002 — Scope-aware linksets + version range handling. + • Prereqs: EXCITITOR-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7) + • Current: TODO + - Team: Excititor Storage Guild + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` + 1. [TODO] EXCITITOR-POLICY-20-003 — Selection cursors + checkpoints for VEX change streams. + • Prereqs: EXCITITOR-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7) + • Current: TODO +- **Sprint 20** · Scheduler Integration + - Team: Scheduler Models Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md` + 1. [TODO] SCHED-MODELS-20-001 — Policy run/diff DTOs + validation helpers. + • Prereqs: POLICY-ENGINE-20-000 (Wave 7) + • Current: TODO + 2. [TODO] SCHED-MODELS-20-002 — Schema docs/sample payloads for policy runs. + • Prereqs: SCHED-MODELS-20-001 (Wave 7) + • Current: TODO + - Team: Scheduler WebService Guild + - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` + 1. [TODO] SCHED-WEB-20-001 — Policy run scheduling APIs with `policy:run` enforcement. + • Prereqs: SCHED-WEB-16-101 (Wave 1), AUTH-POLICY-20-001 (Wave 7) + • Current: TODO + 2. [TODO] SCHED-WEB-20-002 — Simulation trigger endpoint returning diff metadata. + • Prereqs: SCHED-WEB-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) + • Current: TODO + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-20-301 — Trigger policy runs (full/incremental/simulate) via API. + • Prereqs: SCHED-WORKER-16-201 (Wave 1), POLICY-ENGINE-20-000 (Wave 7) + • Current: TODO + 2. [TODO] SCHED-WORKER-20-302 — Delta targeting for policy reruns using change streams. + • Prereqs: SCHED-WORKER-20-301 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) + • Current: TODO + 3. [TODO] SCHED-WORKER-20-303 — Metrics/logs for scheduled policy runs. 
+ • Prereqs: SCHED-WORKER-20-301 (Wave 7) + • Current: TODO +- **Sprint 20** · Authority & Security + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-POLICY-20-001 — Introduce policy scopes (`policy:*`, `findings:read`, `effective:write`). + • Prereqs: AUTH-AOC-19-001 (Wave 1) + • Current: TODO + 2. [TODO] AUTH-POLICY-20-002 — Enforce Policy Engine identity + gateway scope checks. + • Prereqs: AUTH-POLICY-20-001 (Wave 7), AUTH-AOC-19-002 (Wave 1) + • Current: TODO + 3. [TODO] AUTH-POLICY-20-003 — Update Authority docs/config samples for new scopes. + • Prereqs: AUTH-POLICY-20-001 (Wave 7) + • Current: TODO +- **Sprint 20** · CI/CD & Observability + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-POLICY-20-001 — Integrate DSL lint/compile checks in CI. + • Prereqs: POLICY-ENGINE-20-001 (Wave 7) + • Current: TODO + 2. [TODO] DEVOPS-POLICY-20-002 — Run `stella policy simulate` stage on golden SBOMs. + • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) + • Current: TODO + 3. [TODO] DEVOPS-POLICY-20-003 — Determinism CI diffing repeated policy runs. + • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-005 (Wave 7) + • Current: TODO +- **Sprint 20** · Documentation + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-POLICY-20-001 — `/docs/policy/overview.md`. + • Prereqs: POLICY-ENGINE-20-000 (Wave 7) + • Current: TODO + 2. [TODO] DOCS-POLICY-20-002 — `/docs/policy/dsl.md` grammar + examples. + • Prereqs: POLICY-ENGINE-20-001 (Wave 7) + • Current: TODO + 3. [TODO] DOCS-POLICY-20-003 — `/docs/policy/lifecycle.md` workflow/roles. + • Prereqs: AUTH-POLICY-20-001 (Wave 7), WEB-POLICY-20-001 (Wave 7) + • Current: TODO + 4. [TODO] DOCS-POLICY-20-004 — `/docs/policy/runs.md` run modes + cursors. + • Prereqs: POLICY-ENGINE-20-006 (Wave 7), SCHED-WEB-20-001 (Wave 7) + • Current: TODO + 5. 
[TODO] DOCS-POLICY-20-005 — `/docs/api/policy.md` endpoints + schemas. + • Prereqs: WEB-POLICY-20-001 (Wave 7) + • Current: TODO + 6. [TODO] DOCS-POLICY-20-006 — `/docs/modules/cli/guides/policy.md` with command usage. + • Prereqs: CLI-POLICY-20-002 (Wave 7) + • Current: TODO + 7. [TODO] DOCS-POLICY-20-007 — `/docs/ui/policy-editor.md` flows + screenshots. + • Prereqs: UI-POLICY-20-001/002/003 (Wave 7) + • Current: TODO + 8. [TODO] DOCS-POLICY-20-008 — `/docs/architecture/policy-engine.md` with diagrams. + • Prereqs: POLICY-ENGINE-20-003/006 (Wave 7) + • Current: TODO + 9. [TODO] DOCS-POLICY-20-009 — `/docs/observability/policy.md` metrics/traces/logs. + • Prereqs: POLICY-ENGINE-20-007 (Wave 7), DEVOPS-POLICY-20-002 (Wave 7) + • Current: TODO + 10. [TODO] DOCS-POLICY-20-010 — `/docs/security/policy-governance.md` scopes/approvals. + • Prereqs: AUTH-POLICY-20-002 (Wave 7) + • Current: TODO + 11. [TODO] DOCS-POLICY-20-011 — `/docs/examples/policies/` sample policies + commentary. + • Prereqs: POLICY-ENGINE-20-001/002 (Wave 7) + • Current: TODO + 12. [TODO] DOCS-POLICY-20-012 — `/docs/faq/policy-faq.md` common pitfalls. + • Prereqs: WEB-POLICY-20-003 (Wave 7), POLICY-ENGINE-20-005 (Wave 7) + • Current: TODO +- **Sprint 20** · Samples & Benchmarks + - Team: Samples Guild + - Path: `samples/TASKS.md` + 1. [TODO] SAMPLES-POLICY-20-001 — Baseline/serverless/internal-only policy samples + fixtures. + • Prereqs: POLICY-ENGINE-20-002 (Wave 7), DOCS-POLICY-20-011 (Wave 7) + • Current: TODO + 2. [TODO] SAMPLES-POLICY-20-002 — Simulation diff fixtures for UI/CLI tests. + • Prereqs: UI-POLICY-20-002 (Wave 7) + • Current: TODO + - Team: Bench Guild + - Path: `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] BENCH-POLICY-20-001 — Policy evaluation performance benchmark suite. + • Prereqs: POLICY-ENGINE-20-002/006 (Wave 7) + • Current: TODO + 2. [TODO] BENCH-POLICY-20-002 — Incremental run benchmark tracking delta SLA. 
+ • Prereqs: BENCH-POLICY-20-001 (Wave 7), SCHED-WORKER-20-302 (Wave 7) + • Current: TODO + +## Wave 8 — 60 task(s) ready after Wave 7 +- **Sprint 21** · Graph Explorer v1 + - Team: Cartographer Guild + - Path: `src/Cartographer/StellaOps.Cartographer/TASKS.md` + 1. [TODO] CARTO-GRAPH-21-001/002/003/004 — Schema, projection reader, graph constructor, and layout tiling are ready once SBOM projections ship (Wave 7 prereqs). + 2. [TODO] CARTO-GRAPH-21-005/006/007/008/009 — Overlay worker, API surface, backfill/overlay jobs, testing, and deployment artefacts depend on Cartographer infrastructure plus Policy Engine 30-series work. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-SERVICE-21-001/002/003/004 — Normalized projection API, change events, entrypoint management, and observability unblock Cartographer’s ingestion. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-30-001/002/003 — Graph overlay contract, simulation bridge, and change events rely on Policy Engine v2 core (Wave 7) and feed Cartographer overlays. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-GRAPH-21-001..004 — Graph gateway routes, validation, exports, and simulation bridging activate once Cartographer endpoints exist. + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-GRAPH-21-001..006 — Canvas, inspector, filters, paths, diff, and accessibility depend on Cartographer/Web graph APIs and Samples fixtures. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-GRAPH-21-001..003 — CLI commands, path/simulation options, and docs require Cartographer/Web readiness. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-GRAPH-21-001..003 — Graph scope issuance, enforcement, and documentation unblock service deployments. 
+ - Team: Scheduler Guilds + - Paths: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`, `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`, `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-MODELS-21-001/002, SCHED-WEB-21-001/002, SCHED-WORKER-21-201..203 — Graph job DTOs, APIs, workers, and metrics coordinate Cartographer runs after SBOM change events. + - Team: Concelier Guild + - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` + 1. [TODO] CONCELIER-GRAPH-21-001..004 — SBOM projection enrichment and entrypoint APIs feed SBOM Service/Cartographer. + - Team: Excititor Guild + - Paths: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` + 1. [TODO] EXCITITOR-GRAPH-21-001..005 — Provide VEX inspector data, overlay enrichment, events, and indexes for Graph Explorer. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-GRAPH-21-001..003 — Perf tests, visual regression captures, and offline kit bundling align with Cartographer/SBOM readiness. + - Team: Docs/Samples/Bench Guilds + - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] DOCS-GRAPH-21-001..009, SAMPLES-GRAPH-21-001..002, BENCH-GRAPH-21-001..002 — Publish documentation set, sample assets, and benchmarks once API/UI stabilize. + + +## Wave 9 — 58 task(s) ready after Wave 8 +- **Sprint 22** · Link-Not-Merge v1 + - Team: Concelier Core Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` + 1. [TODO] CONCELIER-LNM-21-001/002/003/004/005 — Observation schema, linkset builder, conflict annotator, merge removal, and event emission follow Graph wave completion and AOC guard readiness. 
+ - Team: Concelier Storage Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` + 1. [TODO] CONCELIER-LNM-21-101/102/103 — Collections, backfill tooling, and blob storage wiring depend on core schema finalization. + - Team: Concelier WebService Guild + - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` + 1. [TODO] CONCELIER-LNM-21-201/202/203 — Advisory observation/linkset APIs and event publishing follow storage readiness. + - Team: BE-Merge + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md` + 1. [TODO] MERGE-LNM-21-001/002/003 — Decommission merge pipeline once observation/linkset flow validated. + - Team: Excititor Core Guild + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` + 1. [TODO] EXCITITOR-LNM-21-001..005 — VEX observations/linksets, conflicts, merge removal, and events mirror advisory work. + - Team: Excititor Storage Guild + - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` + 1. [TODO] EXCITITOR-LNM-21-101/102 — Collections and backfill for VEX data prepared after schema finalization. + - Team: Excititor WebService Guild + - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` + 1. [TODO] EXCITITOR-LNM-21-201..203 — VEX observation/linkset APIs and event publishing. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-40-001..003 — Effective severity adjustments, VEX conflict handling, and consumer utilities once observation/linkset data shape is fixed. + - Team: Scanner WebService Guild + - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` + 1. [TODO] SCANNER-LNM-21-001/002 — Report/runtime updates and evidence endpoint leveraging new linksets. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-LNM-21-001..003 — Gateway exposure for advisory/vex APIs and policy evidence combos. 
+ - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. [TODO] UI-LNM-22-001..004 — Evidence panel, filters, VEX tab, permalinks after API readiness. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-LNM-22-001/002 — CLI support for observations/linksets and exports. + - Team: Authority Core Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-AOC-19-001 — Scope rollout (`advisory/vex ingest/read`) enabling new APIs. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-LNM-22-001..003 — Migration automation, monitoring, and SLA alerts for observation pipelines. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-LNM-22-001..008 — Publish aggregation philosophy, API docs, UI guides, migration playbook. + - Team: Samples Guild + - Path: `samples/TASKS.md` + 1. [TODO] SAMPLES-LNM-22-001/002 — Observation/linkset fixtures for advisories and VEX. + - Team: Bench Guild + - Path: `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] BENCH-LNM-22-001/002 — Ingest/correlation performance benchmarks to enforce SLA. + + +## Wave 10 — 54 task(s) ready after Wave 9 +- **Sprint 23** · Policy Engine + Editor v1 + - Team: Policy Guild (Library) + - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md` + 1. [TODO] POLICY-SPL-23-001..005 — SPL schema/canonicalizer/layering/explain model/migration tooling once Link-Not-Merge data model is stable. + - Team: Policy Engine Service + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-50-001..007 — Compiler, evaluator, observability, event pipeline, storage schemas, explainer persistence, worker orchestration. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-POLICY-23-001..004 — Policy pack CRUD, activation, simulation/evaluation, explain history APIs. + - Team: UI Guild + - Path: `src/UI/StellaOps.UI/TASKS.md` + 1. 
[TODO] UI-POLICY-23-001..006 — Policy editor workspace, YAML builder, guided builder, approvals, simulator, explain view. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-POLICY-23-004..006 — CLI lint/activate/history + explain commands aligned with new APIs. + - Team: Authority Core Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-POLICY-23-001..003 — Policy scopes, two-person activation, documentation. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-SERVICE-23-001/002 — Asset metadata projection + `sbom.asset.updated` events feeding evaluator. + - Team: Concelier & Excititor Guilds + - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` + 1. [TODO] CONCELIER-POLICY-23-001/002 and EXCITITOR-POLICY-23-001/002 plus CONCELIER/EXCITITOR-LNM-21-201..203 — Evidence indexes, enriched events, observation/linkset APIs supporting policy runtime. + - Team: Scheduler Worker Guild + - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` + 1. [TODO] SCHED-WORKER-23-101/102 — Policy re-evaluation worker + reconciliation job post activation. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-LNM-22-001..003 (migration/monitoring) and future policy deployment automation for SPL bundles. + - Team: Docs Guild, Samples, Bench + - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md` + 1. [TODO] DOCS-POLICY-23-001..010, SAMPLES-LNM-22-001/002, BENCH-LNM-22-001/002 — Documentation set, policy fixtures, performance benchmarks. 
+ + +## Wave 11 — 1 task(s) ready after Wave 10 +- **Sprint 32** · Orchestrator Dashboard Phase 1 (Foundations) + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-32-001..005 — Stand up the orchestrator service (schema, scheduler, read-only APIs, SSE, worker endpoints). Coordinate with DevOps (DEVOPS-ORCH-32-001) for Postgres + message bus availability before enabling progression. + - Team: Worker SDK Guild + - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` + 1. [TODO] WORKER-GO-32-001/002, WORKER-PY-32-001/002 — Deliver baseline job claim/heartbeat libraries. These unblock Concelier/Excititor/SBOM adoption tasks and should validate against ORCH-SVC-32-005 contract. + - Team: Concelier Core Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` + 1. [TODO] CONCELIER-ORCH-32-001/002 — Register sources and embed SDK hooks in ingestion loops. Depends on Worker SDK handshake and orchestrator read APIs. + - Team: Excititor Worker Guild + - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` + 1. [TODO] EXCITITOR-ORCH-32-001 — Adopt worker SDK for VEX ingestion. Requires ORCH-SVC-32-005 and Worker SDK readiness. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-ORCH-32-001 — Emit orchestrator job metadata and artifact hashes for SBOM ingest/index jobs; depends on orchestrator schema finalization. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-32-101 — Define `policy_eval` job contract and enqueue hooks so orchestrator DAGs can plan downstream work. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-ORCH-32-001 — Surface read-only orchestrator APIs through the gateway with tenant scoping once service endpoints exist. 
+ - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-ORCH-32-001 — Introduce `orch:read` scope and `Orch.Viewer` role so CLI/Console work can proceed safely. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-ORCH-32-001 — Provide read-only `stella orch` listings after gateway routes/scopes are available; validate against imposed rule requirement. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-ORCH-32-001/002 — Overview + Sources pages (read-only) rely on SSE stream, viewer scope, and CLI/gateway parity. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-ORCH-32-001/002 — Publish overview/architecture docs (each closing with imposed rule statement) to align cross-team implementation. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-ORCH-32-001 — Stand up Postgres/message bus environments and seed Grafana dashboards; prerequisite for orchestrator integration workstreams. +- **Sprint 33** · Orchestrator Dashboard Phase 2 (Controls & Recovery) + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-33-001..004 — Add control actions, adaptive rate limiter, watermark/backfill manager, and dead-letter replay. Requires Phase 1 completion and Worker SDK control hooks. + - Team: Worker SDK Guild + - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` + 1. [TODO] WORKER-GO-33-001/002, WORKER-PY-33-001/002 — Provide artifact upload, idempotency guards, and error classification so orchestrator controls function safely. + - Team: Concelier Core Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` + 1. [TODO] CONCELIER-ORCH-33-001 — Honor orchestrator throttles and retry semantics; unblocker for circuit breaker work in Sprint 34. 
+ - Team: Excititor Worker Guild + - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` + 1. [TODO] EXCITITOR-ORCH-33-001 — Surface error classes and throttling compliance; depends on Worker SDK error helpers. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-ORCH-33-001 — Report backpressure metrics and respect orchestrator pause/backfill signals. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-33-101 — Implement orchestrator-driven evaluation workers with SLO metrics; prerequisites: ORCH-SVC-32-003/005 and Worker SDK upgrades. + - Team: VEX Lens Guild + - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` + 1. [TODO] VEXLENS-ORCH-33-001 — Register `consensus_compute` job type and worker integration so orchestrator can schedule consensus batches. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-ORCH-33-001 — Wire control/backfill endpoints through gateway with proper error mapping and SSE bridging; relies on AUTH-ORCH-33-001. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-ORCH-33-001 — Add `Orch.Operator` role/scopes and enforce reason strings; prerequisite for CLI/Console control surfaces. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-ORCH-33-001 — Implement action verbs (`pause|resume|test`, `retry|cancel`, `jobs tail`) with streaming output and scope enforcement. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-ORCH-33-001/002 — Runs timeline/DAG and Jobs tail views with action buttons. Requires SSE, operator scopes, and orchestrator control endpoints. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-ORCH-33-001..003 — Publish API, Console, and CLI guides (each reiterating imposed rule) once control endpoints stabilize. 
+ - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-ORCH-33-001 — Deliver Grafana dashboards/alerts (rate limiter, queue depth, error clustering) gated by orchestrator metrics. +- **Sprint 34** · Orchestrator Dashboard Phase 3 (Backfills, Quotas, GA) + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-34-001..004 — Quotas/SLOs, audit ledger export, scale tests, and packaging. Requires Phase 2 controls plus DevOps support for perf/load validation. + - Team: Worker SDK Guild + - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` + 1. [TODO] WORKER-GO-34-001, WORKER-PY-34-001 — Backfill range execution and dedupe verification; prerequisites: ORCH-SVC-33-003 and service artifact schemas. + - Team: Concelier Core Guild + - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` + 1. [TODO] CONCELIER-ORCH-34-001 — Execute orchestrator-driven backfills with ledger linkage; ensure idempotency before GA sign-off. + - Team: Excititor Worker Guild + - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` + 1. [TODO] EXCITITOR-ORCH-34-001 — Backfill + circuit breaker reset logic; depends on Worker SDK backfill support. + - Team: SBOM Service Guild + - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` + 1. [TODO] SBOM-ORCH-34-001 — Watermark reconciliation and coverage metrics for sbom backfills. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-34-101 — Surface run ledger exports and SLO burn metrics to orchestrator; coordinates with Findings Ledger. + - Team: VEX Lens Guild + - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` + 1. [TODO] VEXLENS-ORCH-34-001 — Emit consensus completion events into orchestrator ledger + provenance chain. 
+ - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-34-101 — Consume orchestrator ledger entries for provenance exports; must align with ORCH-SVC-34-002 hashing. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-ORCH-34-001 — Route quotas/backfill/error clustering APIs; prerequisite for CLI/Console GA features. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-ORCH-34-001 — Add `Orch.Admin` role, quota scopes, and audit reason enforcement; required before exposing admin controls. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-ORCH-34-001 — Implement backfill/quota commands with dry-run preview; depends on ORCH-SVC-34-001/003 and AUTH-ORCH-34-001. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-ORCH-34-001..003 — Queues/backpressure dashboard, backfill wizard, and error clustering view; align with API + metrics outputs. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-ORCH-34-001..005 — Final documentation set (run ledger, secrets handling, runbook, schema, SLO) — each must restate imposed rule and cross-link to services adopting orchestrator. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-ORCH-34-001 — Harden production dashboards/alerts and synthetic probes prior to GA. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-ORCH-34-001 — Package orchestrator Helm/Compose, scaling defaults, offline guidance; depends on ORCH-SVC-34-004. + - Team: Offline Kit Guild + - Path: `ops/offline-kit/TASKS.md` + 1. [TODO] DEVOPS-OFFLINE-34-006 — Bundle orchestrator service artifacts, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. 
+- **Sprint 35** · Export Center Phase 1 (Foundations) + - Team: Exporter Service Guild + - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` + 1. [TODO] EXPORT-SVC-35-001..006 — Bootstrap exporter service, planner, JSON/mirror adapters, manifests/signing, and download APIs. Blocks downstream integrations (Findings Ledger, Policy, VEX Lens, Web, CLI, Console). + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-35-101 — Register export job type, quotas, and telemetry to support exporter workers. + - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-EXPORT-35-001 — Provide streaming endpoints for advisories/VEX/SBOM/findings filtered per export scopes. Required before planner work can complete. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-35-201 — Supply deterministic policy snapshot + evaluated findings endpoint for policy-aware exports. + - Team: VEX Lens Guild + - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` + 1. [TODO] VEXLENS-EXPORT-35-001 — Produce consensus snapshot API consumed by mirror bundles. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-EXPORT-35-001 — Route export APIs and downloads through gateway once exporter endpoints are live. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-EXPORT-35-001 — Publish Export Viewer/Operator/Admin scopes and issuer templates before Console/CLI ship. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-EXPORT-35-001 — Read-only CLI commands for profiles/runs/downloads; depends on WEB-EXPORT-35-001 and AUTH-EXPORT-35-001. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-EXPORT-35-001 — Profiles + overview UI; requires gateway routes and scopes. 
+ - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-EXPORT-35-001..003 — Publish overview, architecture, and profiles docs with imposed rule reminders to align teams. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-EXPORT-35-001 — Establish exporter CI/perf smoke and dashboards; prerequisite for later alerting. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-EXPORT-35-001 — Package exporter service/worker Helm overlays for download-only phase. +- **Sprint 36** · Export Center Phase 2 (Trivy + Distribution) + - Team: Exporter Service Guild + - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` + 1. [TODO] EXPORT-SVC-36-001..004 — Trivy adapters, OCI/object storage distribution, planner updates. Trivy bundles require DEVOPS-EXPORT-36-001 validation. + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-36-101 — Extend orchestrator telemetry/retention fields for export runs. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-EXPORT-36-001 — Distribution endpoints must land before CLI/Console actions move forward. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-EXPORT-36-001 — Distribute/download resume features depend on WEB-EXPORT-36-001 and AUTH scopes. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-EXPORT-36-001 — Runs detail + distribution UI after API support exists. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-EXPORT-36-004..006 — API/CLI/Trivy docs to support rollout; each must restate imposed rule. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-EXPORT-36-001 — CI validation for Trivy compatibility and OCI pushes. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. 
[TODO] DEPLOY-EXPORT-36-001 — Document registry credentials and automation for distributions. +- **Sprint 37** · Export Center Phase 3 (Delta, Encryption, Scheduling, GA) + - Team: Exporter Service Guild + - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` + 1. [TODO] EXPORT-SVC-37-001..004 — Mirror delta/encryption, scheduling+retention, verification API. Depends on DEVOPS-EXPORT-37-001 for chaos/alert readiness. + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-37-101 — Scheduling + retention hooks required for exporter automation. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-EXPORT-37-001 — Surface scheduling, retention, verification, encryption parameters once exporter endpoints exist. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-EXPORT-37-001 — Admin scope enforcement for scheduling, retention, encryption. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-EXPORT-37-001 — Scheduling and verification commands with signature/hash checks; relies on WEB-EXPORT-37-001. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-EXPORT-37-001 — Verification panel, scheduling UI, retention controls, encryption workflows. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-EXPORT-37-001..004 — Mirror bundles, provenance & signing, operations runbook, security hardening docs (all reiterate imposed rule). + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-EXPORT-37-001 — Finalize dashboards/alerts, chaos testing, retention monitoring. + - Team: Offline Kit Guild + - Path: `ops/offline-kit/TASKS.md` + 1. [TODO] DEVOPS-OFFLINE-37-001 — Bundle export tooling and sample mirror bundles into Offline Kit. 
+- **Sprint 38** · Notifications Studio Phase 1 (Foundations) + - Team: Notifications Service Guild + - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` + 1. [TODO] NOTIFY-SVC-38-001..004 — Bootstrap notifier service, migrations, ingestion, templates, channel adapters, initial APIs. Requires orchestrator event envelope updates and policy violation enrichment. + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-38-101 — Standardize event publication (policy/export/job lifecycle) with idempotency keys for notifier. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-38-201 — Emit enriched policy violation events (decision rationale IDs) for notifier ingestion. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-NOTIFY-38-001 — Gateway routing for notifier APIs with tenant RBAC. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-NOTIFY-38-001 — Publish Notify Viewer/Operator/Admin scopes and issuer templates. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-NOTIFY-38-001 — CLI commands for rules/templates/incidents. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-NOTIFY-38-001 — Studio home, rule editor, incidents UI (phase 1). + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-NOTIFY-38-001 — Overview + architecture docs (imposed rule). + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-NOTIFY-38-001 — Notifier CI pipeline, base dashboards. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-NOTIFY-38-001 — Helm overlays and rollout guide for notifier foundations. 
+- **Sprint 39** · Notifications Studio Phase 2 (Correlation, Digests, Simulation) + - Team: Notifications Service Guild + - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` + 1. [TODO] NOTIFY-SVC-39-001..004 — Correlation, throttling, quiet hours, digest generator, simulation engine. + - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-NOTIFY-39-001 — Digest query optimization endpoints. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-NOTIFY-39-001 — Gateway updates for digests, simulation, throttles. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-NOTIFY-39-001 — CLI simulation/digest commands. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-NOTIFY-39-001 — Template editor, digest profiles, quiet calendar, storm banner. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-NOTIFY-39-002 — Rules/templates/digests docs (imposed rule). + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-NOTIFY-39-002 — Throttle/quiet/digest dashboards. +- **Sprint 40** · Notifications Studio Phase 3 (Escalations, Localization, Hardening) + - Team: Notifications Service Guild + - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` + 1. [TODO] NOTIFY-SVC-40-001..004 — Escalations, ack bridge, PagerDuty/OpsGenie adapters, localization, security hardening, chaos tests. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-NOTIFY-40-001 — Ack token signing/rotation, webhook allowlists, admin enforcement. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. [TODO] WEB-NOTIFY-40-001 — Expose escalation/localization/channel health endpoints. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-NOTIFY-40-001 — Ack redemption, escalation management, localization previews. 
+ - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-NOTIFY-40-001 — Escalation settings, on-call schedules, localization UI, incident Kanban enhancements. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-NOTIFY-40-001 — Channels, escalations, API, runbook, security docs (imposed rule). + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-NOTIFY-40-001 — Escalation/ack latency dashboards, chaos tooling. +- **Sprint 41** · CLI Parity & Task Packs Phase 1 + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-CORE-41-001, CLI-PARITY-41-001/002 — Implement CLI core config/auth/output foundations and initial parity command groups. + - Team: Task Runner Guild + - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` + 1. [TODO] TASKRUN-41-001 — Bootstrap Task Runner service, run API, local executor, approvals pause, artifact capture. + - Team: Packs Registry Guild + - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` + 1. [TODO] PACKS-REG-41-001 — Registry API, signature verification, provenance storage, RBAC. + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-41-101 — Register `pack-run` job type, integrate logs/artifacts, expose metadata. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-PACKS-41-001 — Define CLI/pack scopes, discovery metadata, offline defaults. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-CLI-41-001 — Publish CLI overview/config/output docs. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-CLI-41-001 — Multi-platform build pipeline, SBOM/checksums, parity CI gate. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-CLI-41-001 — Package CLI release artifacts and distribution docs. 
+- **Sprint 42** · CLI Parity & Task Packs Phase 2 + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-PARITY-41-001/002, CLI-PACKS-42-001 — Close remaining parity gaps and ship Task Pack CLI commands. + - Team: Task Runner Guild + - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` + 1. [TODO] TASKRUN-42-001 — Loops, conditionals, simulation mode, policy gates. + - Team: Packs Registry Guild + - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` + 1. [TODO] PACKS-REG-42-001 — Version lifecycle, allowlists, provenance export, signature rotation. + - Team: Orchestrator Service Guild + - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` + 1. [TODO] ORCH-SVC-42-101 — Stream pack run logs, expose manifolds, enforce quotas. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-ENGINE-42-201 — Stable rationale IDs/APIs for CLI `--explain` and packs. + - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-PACKS-42-001 — Snapshot/time-travel APIs for pack simulation. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-CLI-42-001 — Copy CLI buttons, parity hints, pack browser. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-CLI-42-001 — Parity matrix & command guides; DOCS-PACKS-43-001 groundwork. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-CLI-42-001 — CLI golden outputs, parity diff automation, pack run CI harness. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-PACKS-42-001 — Deploy packs registry/task runner with secrets templates. +- **Sprint 43** · CLI Parity & Task Packs Phase 3 + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-PACKS-43-001 — Advanced pack features (approvals pause/resume, secrets, localization, man pages). 
+ - Team: Task Runner Guild + - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` + 1. [TODO] TASKRUN-43-001 — Approvals workflow, notifications integration, chaos resilience. + - Team: Packs Registry Guild + - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` + 1. [TODO] PACKS-REG-43-001 — Mirroring, signing policies, attestation integration. + - Team: Exporter Service Guild + - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` + 1. [TODO] EXPORT-SVC-35-005, EXPORT-SVC-37-001 — Include pack run manifests in exports. + - Team: Notifications Service Guild + - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` + 1. [TODO] NOTIFY-SVC-40-001 — Emit pack run notifications. + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-PACKS-43-001 — Enforce pack signing/approval policies, CLI CI scopes. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-PACKS-43-001 — Task Pack spec/authoring/registry/runbook/security/release docs. + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-CLI-43-001 — Final release automation, SBOM signing, parity gating, chaos tests. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY-PACKS-43-001 — Remote execution rollout guidance, Offline kit instructions. + - Team: Offline Kit Guild + - Path: `ops/offline-kit/TASKS.md` + 1. [TODO] CLI-PACKS-43-002 — Bundle CLI, pack samples, registry mirror into Offline Kit with manifests. +- **Sprint 47-49** · Authority-Backed Scopes & Tenancy + - Team: Authority Core & Security Guild + - Path: `src/Authority/StellaOps.Authority/TASKS.md` + 1. [TODO] AUTH-TEN-47-001 — JWT/OIDC alignment, scope grammar, tenant/project claims. + 2. [TODO] AUTH-TEN-49-001 — Service accounts, delegation, quotas, audit streaming. + - Team: BE-Base Platform Guild + - Path: `src/Web/StellaOps.Web/TASKS.md` + 1. 
[TODO] WEB-TEN-47-001/48-001/49-001 — Middleware enforcement, tenant context propagation, ABAC overlay, audit API. + - Team: DevEx/CLI Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CLI-TEN-47-001/49-001 — Auth CLI flows, tenant switching, service tokens, delegation. + - Team: Console Guild + - Path: `src/Cli/StellaOps.Cli/TASKS.md` + 1. [TODO] CONSOLE-TEN-48-001/49-001 — Tenant switcher, admin screens, audit viewer. + - Team: Policy Guild + - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` + 1. [TODO] POLICY-TEN-48-001 — Tenant-aware policy storage, RLS, rationale IDs. + - Team: Findings Ledger Guild + - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` + 1. [TODO] LEDGER-TEN-48-001 — Tenant partitioning and RLS. + - Team: Exporter/Notifications/Orchestrator/Task Runner/Concelier/Excititor Guilds + - Paths: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`, `src/Notifier/StellaOps.Notifier/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`, `src/TaskRunner/StellaOps.TaskRunner/TASKS.md`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` + 1. [TODO] Export/Notify tasks (EXPORT-TEN-48-001, NOTIFY-TEN-48-001) — Tenant stamping. + 2. [TODO] ORCH-TEN-48-001, TASKRUN-TEN-48-001 — Job context enforcement. + 3. [TODO] CONCELIER/EXCITITOR-TEN-48-001 — Tenant-aware linking with aggregation-only guarantee. + - Team: Docs Guild + - Path: `docs/TASKS.md` + 1. [TODO] DOCS-TEN-47-001/48-001/49-001 — Tenancy docs suite (overview, operations, authentication, ABAC). + - Team: DevOps Guild + - Path: `ops/devops/TASKS.md` + 1. [TODO] DEVOPS-TEN-47-001/48-001/49-001 — JWKS caching, RLS tests, audit pipeline, chaos tests. + - Team: Deployment Guild + - Path: `ops/deployment/TASKS.md` + 1. [TODO] DEPLOY updates (if needed) for tenant configuration. diff --git a/docs/implplan/SPRINTS.md b/docs/implplan/SPRINTS.md index 1604f101..e9ff6e50 100644 --- a/docs/implplan/SPRINTS.md 
+++ b/docs/implplan/SPRINTS.md 
@@ -1,1096 +1,1096 @@ -This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). - -| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | -| --- | --- | --- | --- | --- | --- | --- | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DOING (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-201 | Planner loop (cron/event triggers, leases, fairness). | -| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-004 | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. | -| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-004 | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | -> DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance. -> DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs. -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. | -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. | -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. | -| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. 
| -| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. | -| Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. | -> 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up. -| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. | -| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. | -| Sprint 20 | Policy Engine v2 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). | -| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. | -| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. | -| Sprint 20 | Policy Engine v2 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. 
| -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. 
| -| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. 
| -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. | -| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. | -| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | -| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). 
| -| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. 
| -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). | -| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. | -> Blocked by `CONCELIER-LNM-21-001..003`; draft doc exists but final alignment waits for schema/API delivery. 
-| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. | -> Blocked by `EXCITITOR-LNM-21-001..003`; draft doc staged pending observation/linkset implementation. -| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. | -> Blocked by `UI-LNM-22-001..003`; need shipping UI to capture screenshots and finalize guidance. -| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. | -| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. | -| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. | -| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. | -| Sprint 22 | Link-Not-Merge v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. | -| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. | -| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. | -| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. | -| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. | -| Sprint 22 | Link-Not-Merge v1 | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. | -| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. | -| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. | -| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. | -| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). | -| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. | -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. | -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. 
| -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. | -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. 
| -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. | -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. | -| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. | -| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. | -| Sprint 23 | StellaOps Console | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. | -| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. | -| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. 
| -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (`vuln:read`) and signed permalinks. | -> 2025-10-27: Scope enforcement spike paused; no production change landed. -| Sprint 24 | Graph & Vuln Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). | -> 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO. -| Sprint 24 | Graph & Vuln Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | -| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. 
| -| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. | -| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. | -| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. | -| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. | -| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. 
| -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. | -| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. | -| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. | -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. 
| -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. | -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. | -| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. | -| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. | -| Sprint 26 | Reachability v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. | -| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). 
| -| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. | -| Sprint 26 | Reachability v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. | -| Sprint 26 | Reachability v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. | -| Sprint 26 | Reachability v1 | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. | -| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. | -| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. 
| -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. | -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. 
| -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. | -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. | -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | -> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; revisit once spec and compile enrichments land. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | -> Blocked by `CONSOLE-STUDIO-27-001` pending; waiting on Studio authoring UX. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. | -> Blocked by `REGISTRY-API-27-007` pending publish/sign pipeline. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | -> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` pending batch simulation. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. | -> Blocked by `REGISTRY-API-27-006` review workflow outstanding. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. | -> Blocked by `REGISTRY-API-27-008` promotion APIs not ready. 
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. | -> Blocked by `CLI-POLICY-27-001..004` CLI commands missing. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | -> Blocked by Registry OpenAPI (`REGISTRY-API-27-001..008`) incomplete. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. | -> Blocked by `AUTH-POLICY-27-002` signing integration pending. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. | -> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` not delivered. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. | -> Blocked by `DEVOPS-POLICY-27-004` observability work outstanding. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. | -> Blocked by `DEPLOY-POLICY-27-002` ops playbooks pending. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md`. | -> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. | -> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented. 
-| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. | -| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). 
| -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. 
| -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | -| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. 
| -| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. 
| -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. 
| -| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. | -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. | -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. 
| -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. | -| Sprint 28 | Graph Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. 
| -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. 
| -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. | -| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. | -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. 
| -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. | -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. 
| -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. | -| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. | -| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. | -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. | -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. 
| -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. 
| -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). | -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. | -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. 
| -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. 
| -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. | -| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | -| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. 
| -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. 
| -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). 
| -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. | -| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. | -| Sprint 30 | VEX Lens | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. | -| Sprint 30 | VEX Lens | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). | -| Sprint 30 | VEX Lens | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. 
| -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. | -| Sprint 30 | VEX Lens | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. 
| -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. | -| Sprint 30 | VEX Lens | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). 
| -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. | -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. | -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | -| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. | -| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. 
| -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. | -| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. | -| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. | -| Sprint 31 | Advisory AI | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. | -| Sprint 31 | Advisory AI | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. | -| Sprint 31 | Advisory AI | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. | -| Sprint 31 | Advisory AI | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. | -| Sprint 31 | Advisory AI | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. | -| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. 
| -| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. | -| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. | -| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. | -| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. | -| Sprint 32 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. | -| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. 
| -| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. | -| Sprint 32 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. 
| -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. | -| Sprint 32 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. | -| Sprint 32 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. | -| Sprint 32 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. 
| +This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). + +| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | +| --- | --- | --- | --- | --- | --- | --- | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DOING (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-201 | Planner loop (cron/event triggers, leases, fairness). | +| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-004 | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. | +| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-004 | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | +> DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance. +> DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs. +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. | +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. | +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DOING (2025-10-28) | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. | +| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. 
| +| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. | +| Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. | +> 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up. +| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. | +| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. | +| Sprint 20 | Policy Engine v2 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). | +| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. | +| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. | +| Sprint 20 | Policy Engine v2 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. 
| +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. 
| +| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. 
| +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. | +| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. | +| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | +| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). 
| +| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. | +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). | +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. 
| +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). | +| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. | +> Blocked by `CONCELIER-LNM-21-001..003`; draft doc exists but final alignment waits for schema/API delivery. 
+| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. | +> Blocked by `EXCITITOR-LNM-21-001..003`; draft doc staged pending observation/linkset implementation. +| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. | +> Blocked by `UI-LNM-22-001..003`; need shipping UI to capture screenshots and finalize guidance. +| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. | +| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. | +| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. | +| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. | +| Sprint 22 | Link-Not-Merge v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. | +| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. | +| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. | +| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. | +| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. | +| Sprint 22 | Link-Not-Merge v1 | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. | +| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. | +| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. | +| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. | +| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). | +| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. | +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. | +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. 
| +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. | +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. | +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. | +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. | +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. 
| +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. | +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. | +| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. | +| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. | +| Sprint 23 | StellaOps Console | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. | +| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. | +| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. 
| +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (`vuln:read`) and signed permalinks. | +> 2025-10-27: Scope enforcement spike paused; no production change landed. +| Sprint 24 | Graph & Vuln Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). | +> 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO. +| Sprint 24 | Graph & Vuln Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | +| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. 
| +| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. | +| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. | +| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. | +| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. | +| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. 
| +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. | +| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. | +| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. | +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. 
| +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. | +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. | +| Sprint 26 | Reachability v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. | +| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). 
| +| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. | +| Sprint 26 | Reachability v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. | +| Sprint 26 | Reachability v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. | +| Sprint 26 | Reachability v1 | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. | +| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. | +| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. 
| +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. | +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. 
| +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. | +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. | +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | +> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; revisit once spec and compile enrichments land. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | +> Blocked by `CONSOLE-STUDIO-27-001` pending; waiting on Studio authoring UX. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. | +> Blocked by `REGISTRY-API-27-007` pending publish/sign pipeline. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | +> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` pending batch simulation. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. | +> Blocked by `REGISTRY-API-27-006` review workflow outstanding. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. | +> Blocked by `REGISTRY-API-27-008` promotion APIs not ready. 
+| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. | +> Blocked by `CLI-POLICY-27-001..004` CLI commands missing. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | +> Blocked by Registry OpenAPI (`REGISTRY-API-27-001..008`) incomplete. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. | +> Blocked by `AUTH-POLICY-27-002` signing integration pending. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. | +> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` not delivered. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. | +> Blocked by `DEVOPS-POLICY-27-004` observability work outstanding. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. | +> Blocked by `DEPLOY-POLICY-27-002` ops playbooks pending. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md`. | +> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. | +> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented. 
+| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. | +| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). 
| +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. 
| +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | +| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. 
| +| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. 
| +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. 
| +| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. | +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. | +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. | +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. | +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. | +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. 
| +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. | +| Sprint 28 | Graph Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. 
| +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. 
| +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. | +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. | +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. | +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. | +| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. | +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. 
| +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. | +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. 
| +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. | +| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. | +| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. | +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. | +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. 
| +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. 
| +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). | +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. | +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. | +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). | +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. 
| +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. 
| +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. | +| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | +| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. 
| +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. 
| +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). 
| +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. | +| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. | +| Sprint 30 | VEX Lens | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. | +| Sprint 30 | VEX Lens | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). | +| Sprint 30 | VEX Lens | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. 
| +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. | +| Sprint 30 | VEX Lens | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. 
| +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. | +| Sprint 30 | VEX Lens | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). 
| +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. | +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. | +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | +| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. | +| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. 
| +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. | +| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. | +| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. | +| Sprint 31 | Advisory AI | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. | +| Sprint 31 | Advisory AI | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. | +| Sprint 31 | Advisory AI | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. | +| Sprint 31 | Advisory AI | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. | +| Sprint 31 | Advisory AI | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. | +| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. 
| +| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. | +| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. | +| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. | +| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. | +| Sprint 32 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. | +| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. 
| +| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. | +| Sprint 32 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. 
| +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. | +| Sprint 32 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. | +| Sprint 32 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. | +| Sprint 32 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. 
| | Sprint 33 | Governance & Rules | ops/devops/TASKS.md | REVIEW (2025-10-30) | DevOps Guild, Platform Leads | DEVOPS-RULES-33-001 | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). | -| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. | -| Sprint 33 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | -| Sprint 33 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. | -| Sprint 33 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. 
| -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. | -| Sprint 33 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | -| Sprint 33 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. | -| Sprint 33 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. 
| -| Sprint 33 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | -| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | -| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | -| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. 
| -| Sprint 34 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. | -| Sprint 34 | Orchestrator Dashboard | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. | -| Sprint 34 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | -| Sprint 34 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. | -| Sprint 34 | Orchestrator Dashboard | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. 
| -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | -| Sprint 34 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. | -| Sprint 34 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | -| Sprint 34 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. | -| Sprint 34 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. 
| -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/modules/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/modules/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/modules/export-center/profiles.md` covering schemas, examples, and compatibility. | -| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | -| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. 
| -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | -| Sprint 35 | Export Center Phase 1 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | -| Sprint 35 | Export Center Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | -| Sprint 35 | Export Center Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. 
| -| Sprint 35 | Export Center Phase 1 | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. | -| Sprint 35 | Export Center Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. | -| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). | -| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/modules/export-center/api.md` with endpoint examples and imposed rule note. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/modules/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/modules/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | -| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. 
| -| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. | -| Sprint 36 | Export Center Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | -| Sprint 36 | Export Center Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. | -| Sprint 36 | Export Center Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. 
| -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/modules/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/modules/export-center/provenance-and-signing.md` covering manifests, attestation, verification. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | -| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. | -| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. | -| Sprint 37 | Export Center Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. | -| Sprint 37 | Export Center Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. 
| -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. | -| Sprint 37 | Export Center Phase 3 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. | -| Sprint 37 | Export Center Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. 
| -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. 
| -| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. | -| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | -| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | -| Sprint 38 | Notifications Studio Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. 
| -| Sprint 38 | Notifications Studio Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. | -| Sprint 38 | Notifications Studio Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. | -| Sprint 38 | Notifications Studio Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | DONE | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). 
| -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). | -| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | -| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | -| Sprint 39 | Notifications Studio Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. | -| Sprint 39 | Notifications Studio Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). 
| -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | -| Sprint 39 | Notifications Studio Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | -| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. 
| -| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | -| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | -| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | -| Sprint 40 | Notifications Studio Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | -| Sprint 40 | Notifications Studio Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. 
| -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | -| Sprint 40 | Notifications Studio Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/modules/cli/guides/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. 
| -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/modules/cli/guides/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. 
| -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. 
| -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. | -| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. 
| -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. | -| Sprint 44 | Containerized Distribution Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. | -| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. 
| -| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. | -| Sprint 45 | Containerized Distribution Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. | -| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | -| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. | -| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. | -| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. | -| Sprint 46 | Containerized Distribution Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. 
| -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. 
| -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. 
| -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | -> Staging rollout plan recorded in `docs/modules/telemetry/operations/storage.md`; waiting on Authority-issued tokens and namespace bootstrap. -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. 
| -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. 
| -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. 
| -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. 
| -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. 
| -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. 
| -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. 
| -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. 
| -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. 
| -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. 
| -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. 
| -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. 
| -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. 
| -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. 
| -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. 
| -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. 
| -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. 
| -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. 
| -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. 
| -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. 
| -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. 
| -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. 
| -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. 
| -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. 
| -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. | +| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. 
| +| Sprint 33 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | +| Sprint 33 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. | +| Sprint 33 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. 
| +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. | +| Sprint 33 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | +| Sprint 33 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. | +| Sprint 33 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. | +| Sprint 33 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. 
| +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | +| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | +| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | +| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. | +| Sprint 34 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. | +| Sprint 34 | Orchestrator Dashboard | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. 
| +| Sprint 34 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | +| Sprint 34 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. | +| Sprint 34 | Orchestrator Dashboard | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. 
| +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | +| Sprint 34 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. | +| Sprint 34 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | +| Sprint 34 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. | +| Sprint 34 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). 
| +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/modules/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/modules/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/modules/export-center/profiles.md` covering schemas, examples, and compatibility. | +| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | +| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. 
| +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | +| Sprint 35 | Export Center Phase 1 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | +| Sprint 35 | Export Center Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | +| Sprint 35 | Export Center Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. | +| Sprint 35 | Export Center Phase 1 | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. | +| Sprint 35 | Export Center Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. 
| +| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). | +| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/modules/export-center/api.md` with endpoint examples and imposed rule note. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/modules/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/modules/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | +| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. | +| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. | +| Sprint 36 | Export Center Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. 
| +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | +| Sprint 36 | Export Center Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. | +| Sprint 36 | Export Center Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/modules/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/modules/export-center/provenance-and-signing.md` covering manifests, attestation, verification. 
| +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | +| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. | +| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. | +| Sprint 37 | Export Center Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. | +| Sprint 37 | Export Center Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. 
| +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. | +| Sprint 37 | Export Center Phase 3 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. | +| Sprint 37 | Export Center Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. 
| +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. | +| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. 
| +| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | +| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | +| Sprint 38 | Notifications Studio Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. | +| Sprint 38 | Notifications Studio Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. 
| +| Sprint 38 | Notifications Studio Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. | +| Sprint 38 | Notifications Studio Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | DONE | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. 
| +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). | +| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | +| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | +| Sprint 39 | Notifications Studio Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. | +| Sprint 39 | Notifications Studio Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. 
| +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | +| Sprint 39 | Notifications Studio Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | +| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. | +| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. 
| +| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | +| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | +| Sprint 40 | Notifications Studio Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | +| Sprint 40 | Notifications Studio Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. 
| +| Sprint 40 | Notifications Studio Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/modules/cli/guides/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. 
| +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/modules/cli/guides/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. 
| +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. 
| +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. | +| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. 
| +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. | +| Sprint 44 | Containerized Distribution Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. | +| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. 
| +| Sprint 45 | Containerized Distribution Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. | +| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | +| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. | +| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. | +| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. | +| Sprint 46 | Containerized Distribution Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. 
| +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. 
| +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). 
| +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. 
| +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | +> Staging rollout plan recorded in `docs/modules/telemetry/operations/storage.md`; waiting on Authority-issued tokens and namespace bootstrap. +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. 
| +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. 
| +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. 
| +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. 
| +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. 
| +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. 
| +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. 
| +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. 
| +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. 
| +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. 
| +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. 
| +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. 
| +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. 
| +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. 
| +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. 
| +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. 
| +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. 
| +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. 
| +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. 
| +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. 
| +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. 
| +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. 
| +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. 
| +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. 
| +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. 
| +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. | | Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. 
| -| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | -| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. 
| -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. | +| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | +| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. 
| +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. | | Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE (2025-10-30) | KMS Guild | KMS-72-002 | CLI support for key import/export. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. | -| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | -| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. 
| -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. 
| -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. | -| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. 
| +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. | +| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | +| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. 
| +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. | +| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. 
| +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. | diff --git a/docs/implplan/SPRINTS_PRIOR_20251019.md b/docs/implplan/SPRINTS_PRIOR_20251019.md index c40bd458..481b5d0e 100644 --- a/docs/implplan/SPRINTS_PRIOR_20251019.md +++ b/docs/implplan/SPRINTS_PRIOR_20251019.md 
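Review bot: two task IDs in the Sprint 74/75 rows do not match the sprint they are filed under: `ATTEST-ENVELOPE-73-002` (run fuzz tests for envelope handling) sits in a Sprint 74 row and `DEVOPS-ATTEST-74-002` (integrate bundle builds into release/offline pipelines) sits in a Sprint 75 row, while every neighbouring row uses a `*-74-*` or `*-75-*` ID. Either renumber them to the sprint they are scheduled in or mark them explicitly as carry-overs, because the per-module TASKS.md files are keyed by these IDs and a sprint/ID mismatch makes the cross-reference hard to reconcile (and easy to lose for the fuzzing and hardening work, which is what `ATTESTOR-75-002` "rate limits, fuzz tests, threat model actions" depends on). The theme column also alternates between "Attestor CLI Phase 3 – Transparency & Chain of Custody" and "Attestor Console Phase 3 – Transparency & Chain of Custody" (and likewise "CLI Phase 4" vs "Console Phase 4") for rows of the same sprint; use one theme label per sprint so filtering the table by theme returns the whole sprint.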
@@ -1,208 +1,208 @@ -Closed sprint tasks archived from SPRINTS.md on 2025-10-19. - -| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | -| --- | --- | --- | --- | --- | --- | --- | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-001 | SemVer primitive range-style metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-002 | Provenance decision rationale field
Instructions to work:
AdvisoryProvenance now carries `decisionReason` and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/Concelier/__Libraries/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-003 | Normalized version rules collection
Instructions to work:
`AffectedPackage.NormalizedVersions` and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-02-900 | Range primitives for SemVer/EVR/NEVRA metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new `NormalizedVersions` representation so connectors finishing in Sprint 2 can emit consistent metadata. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
Shared `SemVerRangeRuleBuilder` now outputs primitives + normalized rules per `FASTER_MODELING_AND_NORMALIZATION.md`; CVE/GHSA connectors consuming the API have verified fixtures. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
AdvisoryStore dual-writes flattened `normalizedVersions` when `concelier.storage.enableSemVerStyle` is set; migration `20251011-semver-style-backfill` updates historical records and docs outline the rollout. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence
Storage now persists `provenance.decisionReason` for advisories and merge events; tests cover round-trips. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Bootstrapper seeds compound/sparse indexes for flattened normalized rules and `docs/dev/mongo_indices.md` documents query guidance. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Updated constructors/tests keep storage suites passing with the new feature flag defaults. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-ENGINE-01-002 | Plumb Authority client resilience options
WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Operator guides now call out `route/status/subject/clientId/scopes/bypass/remote` audit fields and SIEM triggers. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.HOST | Rate limiter policy binding
Authority host now applies configuration-driven fixed windows to `/token`, `/authorize`, and `/internal/*`; integration tests assert 429 + `Retry-After` headers; docs/config samples refreshed for Docs guild diagrams. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.BUILD | Authority rate-limiter follow-through
`Security.RateLimiting` now fronts token/authorize/internal limiters; Authority + Configuration matrices (`dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln`, `dotnet test src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) passed on 2025-10-11; awaiting #authority-core broadcast. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES | Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so `dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.sln` returns success. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | PLG6.DOC | Plugin developer guide polish
Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-001 | Fetch pipeline & state tracking
Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.
Team instructions: Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-002 | VINCE note detail fetcher
Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-003 | DTO & parser implementation
Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-004 | Canonical mapping & range primitives
VINCE DTO aggregate flows through `CertCcMapper`, emitting vendor range primitives + normalized version rules that persist via `_advisoryStore`. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-005 | Deterministic fixtures/tests
Snapshot harness refreshed 2025-10-12; `certcc-*.snapshot.json` regenerated and regression suite green without UPDATE flag drift. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-006 | Telemetry & documentation
`CertCcDiagnostics` publishes summary/detail/parse/map metrics (meter `StellaOps.Concelier.Connector.CertCc`), README documents instruments, and log guidance captured for Ops on 2025-10-12. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-007 | Connector test harness remediation
Harness now wires `AddSourceCommon`, resets `FakeTimeProvider`, and passes canned-response regression run dated 2025-10-12. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-008 | Snapshot coverage handoff
Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-012 | Schema sync & snapshot regen follow-up
Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-009 | Detail/map reintegration plan
Staged reintegration plan published in `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md`; coordinates enablement with FEEDCONN-CERTCC-02-004. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-010 | Partial-detail graceful degradation
Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-REDHAT-02-001 | Fixture validation sweep
Instructions to work:
Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-001 | Canonical mapping & range primitives
Mapper emits SemVer rules (`scheme=apple:*`); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-002 | Deterministic fixtures/tests
Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-003 | Telemetry & documentation
Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-004 | Live HTML regression sweep
Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-005 | Fixture regeneration tooling
`UPDATE_APPLE_FIXTURES=1` flow fetches & rewrites fixtures; README documents usage.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-CVE-02-003 | CVE normalized versions uplift | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-KEV-02-003 | KEV normalized versions propagation | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-04-003 | OSV parity fixture refresh | -| Sprint 1 | 
Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-10) | Team WebService & Authority | FEEDWEB-DOCS-01-001 | Document authority toggle & scope requirements
Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint). | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption
Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). | -| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). | -| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-13) | Team Authority Platform & Security Guild | AUTHSEC-DOCS-01-002 | SEC3.B — Published `docs/security/rate-limits.md` with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide. | -| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHSEC-CRYPTO-02-001 | SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements. | -| Sprint 1 | Bootstrap & Replay Hardening | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Security Guild | AUTHSEC-CRYPTO-02-004 | SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration. 
| -| Sprint 1 | Developer Tooling | src/Cli/StellaOps.Cli/TASKS.md | DONE (2025-10-15) | DevEx/CLI | AUTHCLI-DIAG-01-001 | Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.
CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in `StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests`. | -| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHPLUG-DOCS-01-001 | PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-12) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
`SemVerRangeRuleBuilder` shipped 2025-10-12 with comparator/`||` support and fixtures aligning to `FASTER_MODELING_AND_NORMALIZATION.md`. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDMERGE-ENGINE-02-002 | Normalized versions union & dedupe
Affected package resolver unions/dedupes normalized rules, stamps merge provenance with `decisionReason`, and tests cover the rollout. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-004 | GHSA credits & ecosystem severity mapping | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-005 | GitHub quota monitoring & retries | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-006 | Production credential & scheduler rollout | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-007 | Credit parity regression fixtures | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | 
FEEDCONN-NVD-02-004 | NVD CVSS & CWE precedence payloads | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-005 | NVD merge/export parity regression | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-004 | OSV references & credits alignment | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-005 | Fixture updater workflow
Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit `purl`; conflict fixtures unchanged for invalid npm names. Verified via `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd.Tests`, and backbone normalization/storage suites. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Acsc/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ACSC-02-001 … 02-008 | Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed). | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cccs/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CCCS-02-001 … 02-008 | Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under `docs/modules/concelier/operations/connectors/cccs.md` with fixtures validating EN/FR list handling. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertBund/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CERTBUND-02-001 … 02-008 | Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook `docs/modules/concelier/operations/connectors/certbund.md` captures locale guidance and offline packaging. 
| -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kisa/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-KISA-02-001 … 02-007 | Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in `docs/dev/kisa_connector_notes.md` complete rollout. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-RUBDU-02-001 … 02-008 | Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md | DONE (2025-10-13) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-NKCKI-02-001 … 02-008 | Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ICSCISA-02-001 … 02-011 | Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage. 
| -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CISCO-02-001 … 02-007 | OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed). | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-MSRC-02-001 … 02-008 | Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in `docs/modules/concelier/operations/connectors/msrc.md`. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-15) | Team Connector Support & Monitoring | FEEDCONN-CVE-02-001 … 02-002 | CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from `seed-data/cve/` until live CVE Services credentials arrive. | -| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Support & Monitoring | FEEDCONN-KEV-02-001 … 02-002 | KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published. | -| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-01-001 | Canonical schema docs refresh
Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes. | -| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-001 | Concelier-SemVer Playbook
Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist. | -| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-002 | Normalized versions query guide
Delivered Mongo index/query addendum with `$unwind` recipes, dedupe checks, and operational checklist.
Instructions to work:
DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-001 | Canonical merger implementation
`CanonicalMerger` ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-002 | Field precedence and tie-breaker map
Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.
Instructions to work:
Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-03-001 | Merge event provenance audit prep
Merge events now persist `fieldDecisions` and analytics-ready provenance snapshots. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
Dual-write/backfill flag delivered; migration + options validated in tests. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Storage tests adjusted for normalized versions/decision reasons.
Instructions to work:
Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for `NormalizedVersions` + `decisionReason` so connectors can roll out safely. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-001 | GHSA/NVD/OSV conflict rules
Merge pipeline consumes `CanonicalMerger` output prior to precedence merge. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-002 | Override metrics instrumentation
Merge events capture per-field decisions; counters/logs align with conflict rules. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-003 | Reference & credit union pipeline
Canonical merge preserves unions with updated tests. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-QA-04-001 | End-to-end conflict regression suite
Added regression tests (`AdvisoryMergeServiceTests`) covering canonical + precedence flow.
Instructions to work:
Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md. | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-002 | GHSA conflict regression fixtures | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-NVD-04-002 | NVD conflict regression fixtures | -| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-OSV-04-002 | OSV conflict regression fixtures
Instructions to work:
Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA. | -| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-11) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-001 | Concelier Conflict Rules
Runbook published at `docs/modules/concelier/operations/conflict-resolution.md`; metrics/log guidance aligned with Sprint 3 merge counters. | -| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-16) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-002 | Conflict runbook ops rollout
Ops review completed, alert thresholds applied, and change log appended in `docs/modules/concelier/operations/conflict-resolution.md`; task closed after connector signals verified. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-15) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-04-001 | Advisory schema parity (description/CWE/canonical metric)
Extend `Advisory` and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-003 | Canonical merger parity for new fields
Teach `CanonicalMerger` to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-004 | Reference normalization & freshness instrumentation cleanup
Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-004 | Merge pipeline parity for new advisory fields
Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-005 | Connector coordination for new advisory fields
GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-15) | Team Exporters – JSON | FEEDEXPORT-JSON-04-001 | Surface new advisory fields in JSON exporter
Update schemas/offline bundle + fixtures once model/core parity lands.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json.Tests` validated canonical metric/CWE emission. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-15) | Team Exporters – Trivy DB | FEEDEXPORT-TRIVY-04-001 | Propagate new advisory fields into Trivy DB package
Extend Bolt builder, metadata, and regression tests for the expanded schema.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb.Tests` confirmed canonical metric/CWE propagation. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-16) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-004 | Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge. | -| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-04-005 | Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-001 | Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-002 | Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-003 | Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows. 
| -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-001 | Established policy options & snapshot provider covering baseline weights/overrides. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-002 | Policy evaluator now feeds consensus resolver with immutable snapshots. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-003 | Author policy diagnostics, CLI/WebService surfacing, and documentation updates. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-004 | Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-005 | Add policy change tracking, snapshot digests, and telemetry/logging hooks. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-15) | Team Excititor Storage | EXCITITOR-STORAGE-01-001 | Mongo mapping registry plus raw/export entities and DI extensions in place. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-16) | Team Excititor Storage | EXCITITOR-STORAGE-01-004 | Build provider/consensus/cache class maps and related collections. 
| -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-15) | Team Excititor Export | EXCITITOR-EXPORT-01-001 | Export engine delivers cache lookup, manifest creation, and policy integration. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-17) | Team Excititor Export | EXCITITOR-EXPORT-01-004 | Connect export engine to attestation client and persist Rekor metadata. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-001 | Implement in-toto predicate + DSSE builder providing envelopes for export attestation. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors | EXCITITOR-CONN-ABS-01-001 | Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker. | -| Sprint 5 | Excititor Core Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-17) | Team Excititor WebService | EXCITITOR-WEB-01-001 | Scaffold minimal API host, DI, and `/excititor/status` endpoint integrating policy, storage, export, and attestation services. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-17) | Team Excititor Worker | EXCITITOR-WORKER-01-001 | Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CSAF-01-001 | Implement CSAF normalizer foundation translating provider documents into `VexClaim` entries. 
| -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CYCLONE-01-001 | Implement CycloneDX VEX normalizer capturing `analysis` state and component references. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-OPENVEX-01-001 | Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-001 | Ship Red Hat CSAF provider metadata discovery enabling incremental pulls. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-002 | Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-003 | Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-004 | Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates. 
| -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-005 | Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-006 | Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-001 | Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-002 | Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – SUSE | EXCITITOR-CONN-SUSE-01-001 | Build Rancher VEX Hub discovery/subscription path with offline snapshot support. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – MSRC | EXCITITOR-CONN-MS-01-001 | Deliver AAD onboarding/token cache for MSRC CSAF ingestion. 
| -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Oracle | EXCITITOR-CONN-ORACLE-01-001 | Implement Oracle CSAF catalogue discovery with CPU calendar awareness. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Ubuntu | EXCITITOR-CONN-UBUNTU-01-001 | Implement Ubuntu CSAF discovery and channel selection for USN ingestion. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-001 | Wire OCI discovery/auth to fetch OpenVEX attestations for configured images. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-002 | Attestation fetch & verify loop – download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements. | -| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-003 | Provenance metadata & policy hooks – emit image, subject digest, issuer, and trust metadata for policy weighting/logging. | -| Sprint 6 | Excititor Ingest & Formats | src/Cli/StellaOps.Cli/TASKS.md | DONE (2025-10-18) | DevEx/CLI | EXCITITOR-CLI-01-001 | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. 
| -| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-19) | Team Excititor Core & Policy | EXCITITOR-CORE-02-001 | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. | -| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-19) | Team Excititor Policy | EXCITITOR-POLICY-02-001 | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. | -| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-002 | Rekor v2 client integration – ship transparency log client with retries and offline queue. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-501 | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `modules/scanner/architecture.md` §3–§4. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-502 | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-503 | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. | -| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-001 | Buildx driver scaffold + handshake with Scanner.Emit (local CAS). 
| -| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-002 | OCI annotations + provenance hand-off to Attestor. | -| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-003 | CI demo: minimal SBOM push & backend report wiring. | -| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-004 | Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders. | -| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-005 | Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-101 | Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-102 | `/api/v1/scans` submission/status endpoints with deterministic IDs, validation, and cancellation support. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-WEB-09-104 | Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-201 | Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics. 
| -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-202 | Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-203 | Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-204 | Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-205 | Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run. | -| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-001 | Policy schema + binder + diagnostics. | -| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-002 | Policy snapshot store + revision digests. | -| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-003 | `/policy/preview` API (image digest → projected verdict diff). | -| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-HELM-09-001 | Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests. | -| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, DevEx | DOCS-ADR-09-001 | Establish ADR process and template. 
| -| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, Platform Events | DOCS-EVENTS-09-002 | Publish event schema catalog (`docs/events/`) for critical envelopes. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-301 | Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-302 | MinIO layout, immutability policies, client abstraction, and configuration binding. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-303 | Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-401 | Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-402 | Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs. | -| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-403 | Retry + dead-letter strategy with structured logs/metrics for offline deployments. 
| -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors.
Progress 2025-10-20: Coordination matrix + rollout dashboard refreshed; upcoming deadlines tracked (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) with escalation path documented in FEEDMERGE-COORD-02-900.| -| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. | -| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-02-001 | Statement events & scoring signals – immutable VEX statements store, consensus signal fields, and migration `20251019-consensus-signals-statements` with tests (`dotnet test src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`, `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). | -| Sprint 7 | Contextual Truth Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-19) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. | -| Sprint 7 | Contextual Truth Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Concelier WebService Guild | FEEDWEB-EVENTS-07-001 | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. | -| Sprint 7 | Contextual Truth Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-20) | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. | -| Sprint 8 | Mongo strengthening | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions
Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. | -| Sprint 8 | Mongo strengthening | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage
Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. | -| Sprint 8 | Mongo strengthening | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories
Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`. | -| Sprint 8 | Platform Maintenance | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-03-001 | Statement backfill tooling – shipped admin backfill endpoint, CLI hook (`stellaops excititor backfill-statements`), integration tests, and operator runbook (`docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`). | -| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. | -| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. | -| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-20) | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. | -| Sprint 8 | Mirror Distribution | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-MIRROR-08-001 | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. 
| -| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-003 | Refactor Authority identity-provider registry to resolve scoped plugin services on-demand.
Introduce factory pattern aligned with scoped lifetimes decided in coordination workshop. | -| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-004 | Update Authority plugin loader to activate registrars with DI support and scoped service awareness.
Add two-phase initialization allowing scoped dependencies post-container build. | -| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-005 | Provide scoped-safe bootstrap execution for Authority plugins.
Implement scope-per-run pattern for hosted bootstrap tasks and document migration guidance. | -| Sprint 10 | DevOps Security | ops/devops/TASKS.md | DONE (2025-10-20) | DevOps Guild | DEVOPS-SEC-10-301 | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0; Wave 0A prerequisites confirmed complete before remediation work. | -| Sprint 11 | Signing Chain Bring-up | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-20) | Authority Core & Security Guild | AUTH-DPOP-11-001 | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | -| Sprint 15 | Notify Foundations | src/Notify/StellaOps.Notify.WebService/TASKS.md | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-604 | Teams health endpoint metadata alignment. | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-503 | Package Slack connector as restart-time plug-in (manifest + host registration). | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-603 | Package Teams connector as restart-time plug-in (manifest + host registration). 
| -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-703 | Package Email connector as restart-time plug-in (manifest + host registration). | -| Sprint 15 | Notify Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-20) | Scanner WebService Guild | SCANNER-EVENTS-15-201 | Emit `scanner.report.ready` + `scanner.scan.completed` events. | -| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-803 | Package Webhook connector as restart-time plug-in (manifest + host registration). | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-20) | Scheduler Models Guild | SCHED-MODELS-16-103 | Versioning/migration helpers for schedules/runs. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-401 | Queue abstraction + Redis Streams adapter. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-402 | NATS JetStream adapter with health probes. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-20) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-300 | **STUB** ImpactIndex ingest/query using fixtures (to be removed by SP16 completion). | +Closed sprint tasks archived from SPRINTS.md on 2025-10-19. 
+ +| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | +| --- | --- | --- | --- | --- | --- | --- | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-001 | SemVer primitive range-style metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-002 | Provenance decision rationale field
Instructions to work:
AdvisoryProvenance now carries `decisionReason` and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/Concelier/__Libraries/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-003 | Normalized version rules collection
Instructions to work:
`AffectedPackage.NormalizedVersions` and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-02-900 | Range primitives for SemVer/EVR/NEVRA metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new `NormalizedVersions` representation so connectors finishing in Sprint 2 can emit consistent metadata. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
Shared `SemVerRangeRuleBuilder` now outputs primitives + normalized rules per `FASTER_MODELING_AND_NORMALIZATION.md`; CVE/GHSA connectors consuming the API have verified fixtures. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
AdvisoryStore dual-writes flattened `normalizedVersions` when `concelier.storage.enableSemVerStyle` is set; migration `20251011-semver-style-backfill` updates historical records and docs outline the rollout. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence
Storage now persists `provenance.decisionReason` for advisories and merge events; tests cover round-trips. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Bootstrapper seeds compound/sparse indexes for flattened normalized rules and `docs/dev/mongo_indices.md` documents query guidance. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Updated constructors/tests keep storage suites passing with the new feature flag defaults. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-ENGINE-01-002 | Plumb Authority client resilience options
WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Operator guides now call out `route/status/subject/clientId/scopes/bypass/remote` audit fields and SIEM triggers. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.HOST | Rate limiter policy binding
Authority host now applies configuration-driven fixed windows to `/token`, `/authorize`, and `/internal/*`; integration tests assert 429 + `Retry-After` headers; docs/config samples refreshed for Docs guild diagrams. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.BUILD | Authority rate-limiter follow-through
`Security.RateLimiting` now fronts token/authorize/internal limiters; Authority + Configuration matrices (`dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln`, `dotnet test src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) passed on 2025-10-11; awaiting #authority-core broadcast. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES | Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so `dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.sln` returns success. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | PLG6.DOC | Plugin developer guide polish
Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-001 | Fetch pipeline & state tracking
Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.
Team instructions: Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-002 | VINCE note detail fetcher
Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-003 | DTO & parser implementation
Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-004 | Canonical mapping & range primitives
VINCE DTO aggregate flows through `CertCcMapper`, emitting vendor range primitives + normalized version rules that persist via `_advisoryStore`. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-005 | Deterministic fixtures/tests
Snapshot harness refreshed 2025-10-12; `certcc-*.snapshot.json` regenerated and regression suite green without UPDATE flag drift. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-006 | Telemetry & documentation
`CertCcDiagnostics` publishes summary/detail/parse/map metrics (meter `StellaOps.Concelier.Connector.CertCc`), README documents instruments, and log guidance captured for Ops on 2025-10-12. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-007 | Connector test harness remediation
Harness now wires `AddSourceCommon`, resets `FakeTimeProvider`, and passes canned-response regression run dated 2025-10-12. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-008 | Snapshot coverage handoff
Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-012 | Schema sync & snapshot regen follow-up
Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-009 | Detail/map reintegration plan
Staged reintegration plan published in `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md`; coordinates enablement with FEEDCONN-CERTCC-02-004. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-010 | Partial-detail graceful degradation
Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-REDHAT-02-001 | Fixture validation sweep
Instructions to work:
Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-001 | Canonical mapping & range primitives
Mapper emits SemVer rules (`scheme=apple:*`); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-002 | Deterministic fixtures/tests
Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-003 | Telemetry & documentation
Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-004 | Live HTML regression sweep
Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-005 | Fixture regeneration tooling
`UPDATE_APPLE_FIXTURES=1` flow fetches & rewrites fixtures; README documents usage.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-CVE-02-003 | CVE normalized versions uplift | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-KEV-02-003 | KEV normalized versions propagation | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-04-003 | OSV parity fixture refresh | +| Sprint 1 | 
Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-10) | Team WebService & Authority | FEEDWEB-DOCS-01-001 | Document authority toggle & scope requirements
Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint). | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption
Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). | +| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). | +| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-13) | Team Authority Platform & Security Guild | AUTHSEC-DOCS-01-002 | SEC3.B — Published `docs/security/rate-limits.md` with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide. | +| Sprint 1 | Stabilize In-Progress Foundations | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHSEC-CRYPTO-02-001 | SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements. | +| Sprint 1 | Bootstrap & Replay Hardening | src/__Libraries/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Security Guild | AUTHSEC-CRYPTO-02-004 | SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration. 
| +| Sprint 1 | Developer Tooling | src/Cli/StellaOps.Cli/TASKS.md | DONE (2025-10-15) | DevEx/CLI | AUTHCLI-DIAG-01-001 | Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.
CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in `StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests`. | +| Sprint 1 | Stabilize In-Progress Foundations | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHPLUG-DOCS-01-001 | PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-12) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
`SemVerRangeRuleBuilder` shipped 2025-10-12 with comparator/`||` support and fixtures aligning to `FASTER_MODELING_AND_NORMALIZATION.md`. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDMERGE-ENGINE-02-002 | Normalized versions union & dedupe
Affected package resolver unions/dedupes normalized rules, stamps merge provenance with `decisionReason`, and tests cover the rollout. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-004 | GHSA credits & ecosystem severity mapping | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-005 | GitHub quota monitoring & retries | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-006 | Production credential & scheduler rollout | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-007 | Credit parity regression fixtures | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | 
FEEDCONN-NVD-02-004 | NVD CVSS & CWE precedence payloads | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-005 | NVD merge/export parity regression | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-004 | OSV references & credits alignment | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-005 | Fixture updater workflow
Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit `purl`; conflict fixtures unchanged for invalid npm names. Verified via `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd.Tests`, and backbone normalization/storage suites. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Acsc/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ACSC-02-001 … 02-008 | Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed). | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cccs/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CCCS-02-001 … 02-008 | Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under `docs/modules/concelier/operations/connectors/cccs.md` with fixtures validating EN/FR list handling. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertBund/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CERTBUND-02-001 … 02-008 | Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook `docs/modules/concelier/operations/connectors/certbund.md` captures locale guidance and offline packaging. 
| +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kisa/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-KISA-02-001 … 02-007 | Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in `docs/dev/kisa_connector_notes.md` complete rollout. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-RUBDU-02-001 … 02-008 | Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md | DONE (2025-10-13) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-NKCKI-02-001 … 02-008 | Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ICSCISA-02-001 … 02-011 | Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage. 
| +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CISCO-02-001 … 02-007 | OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed). | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-MSRC-02-001 … 02-008 | Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in `docs/modules/concelier/operations/connectors/msrc.md`. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-15) | Team Connector Support & Monitoring | FEEDCONN-CVE-02-001 … 02-002 | CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from `seed-data/cve/` until live CVE Services credentials arrive. | +| Sprint 2 | Connector & Data Implementation Wave | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Support & Monitoring | FEEDCONN-KEV-02-001 … 02-002 | KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published. | +| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-01-001 | Canonical schema docs refresh
Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes. | +| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-001 | Concelier-SemVer Playbook
Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist. | +| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-002 | Normalized versions query guide
Delivered Mongo index/query addendum with `$unwind` recipes, dedupe checks, and operational checklist.
Instructions to work:
DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-001 | Canonical merger implementation
`CanonicalMerger` ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-002 | Field precedence and tie-breaker map
Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.
Instructions to work:
Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-03-001 | Merge event provenance audit prep
Merge events now persist `fieldDecisions` and analytics-ready provenance snapshots. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
Dual-write/backfill flag delivered; migration + options validated in tests. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Storage tests adjusted for normalized versions/decision reasons.
Instructions to work:
Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for `NormalizedVersions` + `decisionReason` so connectors can roll out safely. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-001 | GHSA/NVD/OSV conflict rules
Merge pipeline consumes `CanonicalMerger` output prior to precedence merge. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-002 | Override metrics instrumentation
Merge events capture per-field decisions; counters/logs align with conflict rules. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-003 | Reference & credit union pipeline
Canonical merge preserves unions with updated tests. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-QA-04-001 | End-to-end conflict regression suite
Added regression tests (`AdvisoryMergeServiceTests`) covering canonical + precedence flow.
Instructions to work:
Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md. | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-002 | GHSA conflict regression fixtures | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-NVD-04-002 | NVD conflict regression fixtures | +| Sprint 3 | Conflict Resolution Integration & Communications | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-OSV-04-002 | OSV conflict regression fixtures
Instructions to work:
Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA. | +| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-11) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-001 | Concelier Conflict Rules
Runbook published at `docs/modules/concelier/operations/conflict-resolution.md`; metrics/log guidance aligned with Sprint 3 merge counters. | +| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-16) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-002 | Conflict runbook ops rollout
Ops review completed, alert thresholds applied, and change log appended in `docs/modules/concelier/operations/conflict-resolution.md`; task closed after connector signals verified. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-15) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-04-001 | Advisory schema parity (description/CWE/canonical metric)
Extend `Advisory` and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-003 | Canonical merger parity for new fields
Teach `CanonicalMerger` to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-004 | Reference normalization & freshness instrumentation cleanup
Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-004 | Merge pipeline parity for new advisory fields
Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-005 | Connector coordination for new advisory fields
GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-15) | Team Exporters – JSON | FEEDEXPORT-JSON-04-001 | Surface new advisory fields in JSON exporter
Update schemas/offline bundle + fixtures once model/core parity lands.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json.Tests` validated canonical metric/CWE emission. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-15) | Team Exporters – Trivy DB | FEEDEXPORT-TRIVY-04-001 | Propagate new advisory fields into Trivy DB package
Extend Bolt builder, metadata, and regression tests for the expanded schema.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb.Tests` confirmed canonical metric/CWE propagation. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-16) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-004 | Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge. | +| Sprint 4 | Schema Parity & Freshness Alignment | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-04-005 | Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-001 | Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-002 | Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-003 | Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows. 
| +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-001 | Established policy options & snapshot provider covering baseline weights/overrides. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-002 | Policy evaluator now feeds consensus resolver with immutable snapshots. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-003 | Author policy diagnostics, CLI/WebService surfacing, and documentation updates. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-004 | Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-005 | Add policy change tracking, snapshot digests, and telemetry/logging hooks. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-15) | Team Excititor Storage | EXCITITOR-STORAGE-01-001 | Mongo mapping registry plus raw/export entities and DI extensions in place. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-16) | Team Excititor Storage | EXCITITOR-STORAGE-01-004 | Build provider/consensus/cache class maps and related collections. 
| +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-15) | Team Excititor Export | EXCITITOR-EXPORT-01-001 | Export engine delivers cache lookup, manifest creation, and policy integration. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-17) | Team Excititor Export | EXCITITOR-EXPORT-01-004 | Connect export engine to attestation client and persist Rekor metadata. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-001 | Implement in-toto predicate + DSSE builder providing envelopes for export attestation. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors | EXCITITOR-CONN-ABS-01-001 | Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker. | +| Sprint 5 | Excititor Core Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-17) | Team Excititor WebService | EXCITITOR-WEB-01-001 | Scaffold minimal API host, DI, and `/excititor/status` endpoint integrating policy, storage, export, and attestation services. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-17) | Team Excititor Worker | EXCITITOR-WORKER-01-001 | Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CSAF-01-001 | Implement CSAF normalizer foundation translating provider documents into `VexClaim` entries. 
| +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CYCLONE-01-001 | Implement CycloneDX VEX normalizer capturing `analysis` state and component references. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-OPENVEX-01-001 | Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-001 | Ship Red Hat CSAF provider metadata discovery enabling incremental pulls. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-002 | Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-003 | Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-004 | Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates. 
| +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-005 | Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-006 | Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-001 | Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-002 | Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – SUSE | EXCITITOR-CONN-SUSE-01-001 | Build Rancher VEX Hub discovery/subscription path with offline snapshot support. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – MSRC | EXCITITOR-CONN-MS-01-001 | Deliver AAD onboarding/token cache for MSRC CSAF ingestion. 
| +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Oracle | EXCITITOR-CONN-ORACLE-01-001 | Implement Oracle CSAF catalogue discovery with CPU calendar awareness. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Ubuntu | EXCITITOR-CONN-UBUNTU-01-001 | Implement Ubuntu CSAF discovery and channel selection for USN ingestion. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-001 | Wire OCI discovery/auth to fetch OpenVEX attestations for configured images. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-002 | Attestation fetch & verify loop – download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements. | +| Sprint 6 | Excititor Ingest & Formats | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-003 | Provenance metadata & policy hooks – emit image, subject digest, issuer, and trust metadata for policy weighting/logging. | +| Sprint 6 | Excititor Ingest & Formats | src/Cli/StellaOps.Cli/TASKS.md | DONE (2025-10-18) | DevEx/CLI | EXCITITOR-CLI-01-001 | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. 
| +| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-19) | Team Excititor Core & Policy | EXCITITOR-CORE-02-001 | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. | +| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-19) | Team Excititor Policy | EXCITITOR-POLICY-02-001 | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. | +| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-002 | Rekor v2 client integration – ship transparency log client with retries and offline queue. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-501 | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `modules/scanner/architecture.md` §3–§4. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-502 | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-503 | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. | +| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-001 | Buildx driver scaffold + handshake with Scanner.Emit (local CAS). 
| +| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-002 | OCI annotations + provenance hand-off to Attestor. | +| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-003 | CI demo: minimal SBOM push & backend report wiring. | +| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-004 | Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders. | +| Sprint 9 | Scanner Build-time | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-005 | Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-101 | Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-102 | `/api/v1/scans` submission/status endpoints with deterministic IDs, validation, and cancellation support. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-WEB-09-104 | Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-201 | Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics. 
| +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-202 | Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-203 | Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-204 | Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-205 | Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run. | +| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-001 | Policy schema + binder + diagnostics. | +| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-002 | Policy snapshot store + revision digests. | +| Sprint 9 | Policy Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-003 | `/policy/preview` API (image digest → projected verdict diff). | +| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-HELM-09-001 | Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests. | +| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, DevEx | DOCS-ADR-09-001 | Establish ADR process and template. 
| +| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, Platform Events | DOCS-EVENTS-09-002 | Publish event schema catalog (`docs/events/`) for critical envelopes. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-301 | Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-302 | MinIO layout, immutability policies, client abstraction, and configuration binding. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-303 | Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-401 | Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-402 | Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs. | +| Sprint 9 | Scanner Core Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-403 | Retry + dead-letter strategy with structured logs/metrics for offline deployments. 
| +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors.
Progress 2025-10-20: Coordination matrix + rollout dashboard refreshed; upcoming deadlines tracked (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) with escalation path documented in FEEDMERGE-COORD-02-900.| +| Sprint 1 | Stabilize In-Progress Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. | +| Sprint 7 | Contextual Truth Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-02-001 | Statement events & scoring signals – immutable VEX statements store, consensus signal fields, and migration `20251019-consensus-signals-statements` with tests (`dotnet test src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`, `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). | +| Sprint 7 | Contextual Truth Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-19) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. | +| Sprint 7 | Contextual Truth Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Concelier WebService Guild | FEEDWEB-EVENTS-07-001 | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. | +| Sprint 7 | Contextual Truth Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-20) | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. | +| Sprint 8 | Mongo strengthening | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions
Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. | +| Sprint 8 | Mongo strengthening | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage
Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. | +| Sprint 8 | Mongo strengthening | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories
Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`. | +| Sprint 8 | Platform Maintenance | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-03-001 | Statement backfill tooling – shipped admin backfill endpoint, CLI hook (`stellaops excititor backfill-statements`), integration tests, and operator runbook (`docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`). | +| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. | +| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. | +| Sprint 8 | Mirror Distribution | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-20) | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. | +| Sprint 8 | Mirror Distribution | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-MIRROR-08-001 | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. 
| +| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-003 | Refactor Authority identity-provider registry to resolve scoped plugin services on-demand.
Introduce factory pattern aligned with scoped lifetimes decided in coordination workshop. | +| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-004 | Update Authority plugin loader to activate registrars with DI support and scoped service awareness.
Add two-phase initialization allowing scoped dependencies post-container build. | +| Sprint 8 | Plugin Infrastructure | src/__Libraries/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-005 | Provide scoped-safe bootstrap execution for Authority plugins.
Implement scope-per-run pattern for hosted bootstrap tasks and document migration guidance. | +| Sprint 10 | DevOps Security | ops/devops/TASKS.md | DONE (2025-10-20) | DevOps Guild | DEVOPS-SEC-10-301 | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0; Wave 0A prerequisites confirmed complete before remediation work. | +| Sprint 11 | Signing Chain Bring-up | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-20) | Authority Core & Security Guild | AUTH-DPOP-11-001 | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | +| Sprint 15 | Notify Foundations | src/Notify/StellaOps.Notify.WebService/TASKS.md | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-604 | Teams health endpoint metadata alignment. | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-503 | Package Slack connector as restart-time plug-in (manifest + host registration). | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-603 | Package Teams connector as restart-time plug-in (manifest + host registration). 
| +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-703 | Package Email connector as restart-time plug-in (manifest + host registration). | +| Sprint 15 | Notify Foundations | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-20) | Scanner WebService Guild | SCANNER-EVENTS-15-201 | Emit `scanner.report.ready` + `scanner.scan.completed` events. | +| Sprint 15 | Notify Foundations | src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-803 | Package Webhook connector as restart-time plug-in (manifest + host registration). | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-20) | Scheduler Models Guild | SCHED-MODELS-16-103 | Versioning/migration helpers for schedules/runs. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-401 | Queue abstraction + Redis Streams adapter. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-402 | NATS JetStream adapter with health probes. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-20) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-300 | **STUB** ImpactIndex ingest/query using fixtures (to be removed by SP16 completion). | diff --git a/docs/implplan/SPRINTS_PRIOR_20251027.md b/docs/implplan/SPRINTS_PRIOR_20251027.md index 8f8841c0..f12a30f2 100644 --- a/docs/implplan/SPRINTS_PRIOR_20251027.md +++ b/docs/implplan/SPRINTS_PRIOR_20251027.md 
@@ -1,84 +1,84 @@ -This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). - -| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | -| --- | --- | --- | --- | --- | --- | --- | -| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-NUGET-13-002 | Ensure all solutions/projects prioritize `local-nuget` before public feeds and add restore-order validation. | -| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-003 | Upgrade `Microsoft.*` dependencies pinned to 8.* to their latest .NET 10 (or 9.x) releases and refresh guidance. | -| Sprint 14 | Release & Offline Ops | ops/deployment/TASKS.md | DONE (2025-10-26) | Deployment Guild | DEVOPS-OPS-14-003 | Deployment/update/rollback automation and channel management documentation. | -| Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-REL-14-001 | Deterministic build/release pipeline with SBOM/provenance, signing, and manifest generation. | -| Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, Scanner Guild | DEVOPS-REL-14-004 | Extend release/offline smoke jobs to cover Python analyzer plug-ins (warm/cold, determinism, signing). | -| Sprint 14 | Release & Offline Ops | ops/licensing/TASKS.md | DONE (2025-10-26) | Licensing Guild | DEVOPS-LIC-14-004 | Registry token service tied to Authority, plan gating, revocation handling, monitoring. | -| Sprint 14 | Release & Offline Ops | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild | DEVOPS-OFFLINE-14-002 | Offline kit packaging workflow with integrity verification and documentation. 
| -| Sprint 15 | Benchmarks | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild, Notify Team | BENCH-NOTIFY-15-001 | Notify dispatch throughput bench with results CSV. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-19) | Scheduler Models Guild | SCHED-MODELS-16-101 | Define Scheduler DTOs & validation. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-19) | Scheduler Models Guild | SCHED-MODELS-16-102 | Publish schema docs/sample payloads. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Scheduler Storage Guild | SCHED-STORAGE-16-201 | Mongo schemas/indexes for Scheduler state. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-26) | Scheduler Storage Guild | SCHED-STORAGE-16-202 | Repositories with tenant scoping, TTL, causal consistency. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-26) | Scheduler Storage Guild | SCHED-STORAGE-16-203 | Audit/run stats materialization for UI. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-26) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-302 | Query APIs for ResolveByPurls/ResolveByVulns/ResolveAll. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-26) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-301 | Ingest BOM-Index into roaring bitmap store. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-16-102 | Schedules CRUD (cron validation, pause/resume, audit). 
| -| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-16-103 | Runs API (list/detail/cancel) + impact previews. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-27) | Scheduler WebService Guild | SCHED-WEB-16-104 | Feedser/Vexer webhook handlers with security enforcement. | -| Sprint 17 | Symbol Intelligence & Forensics | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-RUNTIME-17-004 | Document build-id workflows for SBOMs, runtime events, and debug-store usage. | -| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-REL-17-002 | Ship stripped debug artifacts organised by build-id within release/offline kits. | -| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-003 | Mirror release debug-store artefacts into Offline Kit packaging and document validation. | -| Sprint 17 | Symbol Intelligence & Forensics | src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-26) | Emit Guild | SCANNER-EMIT-17-701 | Record GNU build-id for ELF components and surface it in SBOM/diff outputs. | -| Sprint 18 | Launch Readiness | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-LAUNCH-18-001 | Production launch cutover rehearsal and runbook publication. | -| Sprint 18 | Launch Readiness | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild, Scanner Guild | DEVOPS-OFFLINE-18-005 | Rebuild Offline Kit with Python analyzer artefacts and refreshed manifest/signature pair. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-AOC-19-001 | Publish aggregation-only contract reference documentation. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-AOC-19-002 | Update architecture overview with AOC boundary diagrams. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Policy Guild | DOCS-AOC-19-003 | Refresh policy engine doc with raw ingestion constraints. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, UI Guild | DOCS-AOC-19-004 | Document console AOC dashboard and drill-down flow. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, CLI Guild | DOCS-AOC-19-005 | Document CLI AOC commands and exit codes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Observability Guild | DOCS-AOC-19-006 | Document new AOC metrics, traces, and logs. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Authority Core | DOCS-AOC-19-007 | Document new Authority scopes and tenancy enforcement. | -| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, DevOps Guild | DOCS-AOC-19-008 | Update deployment guide with validator enablement and verify user guidance. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-AOC-19-001 | Introduce new ingestion/auth scopes across Authority. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-POLICY-20-001 | Publish `/docs/policy/overview.md` with compliance checklist. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-POLICY-20-002 | Document DSL grammar + examples in `/docs/policy/dsl.md`. 
| -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Authority Core | DOCS-POLICY-20-003 | Write `/docs/policy/lifecycle.md` covering workflow + roles. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Scheduler Guild | DOCS-POLICY-20-004 | Document policy run modes + cursors in `/docs/policy/runs.md`. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Platform Guild | DOCS-POLICY-20-005 | Produce `/docs/api/policy.md` with endpoint schemas + errors. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, CLI Guild | DOCS-POLICY-20-006 | Author `/docs/modules/cli/guides/policy.md` with commands, exit codes, JSON output. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, UI Guild | DOCS-POLICY-20-007 | Create `/docs/ui/policy-editor.md` covering editor, simulation, approvals. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-POLICY-20-008 | Publish `/docs/modules/policy/architecture.md` with sequence diagrams. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Observability Guild | DOCS-POLICY-20-009 | Document metrics/traces/logs in `/docs/observability/policy.md`. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Security Guild | DOCS-POLICY-20-010 | Publish `/docs/security/policy-governance.md` for scopes + approvals. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Policy Guild | DOCS-POLICY-20-011 | Add example policies under `/docs/examples/policies/` with commentary. | -| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Support Guild | DOCS-POLICY-20-012 | Draft `/docs/faq/policy-faq.md` covering conflicts, determinism, pitfalls. 
| -| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-POLICY-20-001 | Add DSL lint + compile checks to CI pipelines. | -| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-POLICY-20-003 | Add determinism CI job diffing repeated policy runs. | -| Sprint 20 | Policy Engine v2 | samples/TASKS.md | DONE (2025-10-26) | Samples Guild, Policy Guild | SAMPLES-POLICY-20-001 | Commit baseline/serverless/internal-only policy samples + fixtures. | -| Sprint 20 | Policy Engine v2 | samples/TASKS.md | DONE (2025-10-26) | Samples Guild, UI Guild | SAMPLES-POLICY-20-002 | Produce simulation diff fixtures for UI/CLI tests. | -| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-POLICY-20-001 | Add new policy scopes (`policy:*`, `findings:read`, `effective:write`). | -| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-POLICY-20-002 | Enforce Policy Engine service identity and scope checks at gateway. | -| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Docs Guild | AUTH-POLICY-20-003 | Update Authority docs/config samples for policy scopes + workflows. | -| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild, Policy Guild | BENCH-POLICY-20-001 | Create policy evaluation benchmark suite + baseline metrics. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE (2025-10-26) | Policy Guild, Platform Guild | POLICY-ENGINE-20-000 | Spin up new Policy Engine service host with DI bootstrap and Authority wiring. 
| -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE (2025-10-26) | Policy Guild | POLICY-ENGINE-20-001 | Deliver `stella-dsl@1` parser + IR compiler with diagnostics and checksums. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-20-001 | Define policy run/diff DTOs + validation helpers. | -| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core Guild | AUTH-GRAPH-21-001 | Introduce graph scopes (`graph:*`) with configuration binding and defaults. | -| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core Guild | AUTH-GRAPH-21-002 | Enforce graph scopes/identities at gateway with tenant propagation. | -| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Docs Guild | AUTH-GRAPH-21-003 | Update security docs/config samples for graph access and least privilege. | -| Sprint 21 | Graph Explorer v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-21-001 | Define job DTOs for graph builds/overlay refresh (`GraphBuildJob`, `GraphOverlayJob`) with deterministic serialization and status enums; document in `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`. | -| Sprint 21 | Graph Explorer v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-21-002 | Publish schema docs/sample payloads for graph job lifecycle. | -| Sprint 22 | Link-Not-Merge v1 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild | BENCH-LNM-22-001 | Benchmark advisory observation ingest/correlation throughput. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild | BENCH-LNM-22-002 | Benchmark VEX ingest/correlation latency and event emission. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-001 | Publish `/docs/ui/console-overview.md` (IA, tenant model, filters, AOC alignment). | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-002 | Author `/docs/ui/navigation.md` with route map, filters, keyboard shortcuts, deep links. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-003 | Document `/docs/ui/sbom-explorer.md` covering catalog, graph, overlays, exports. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-004 | Produce `/docs/ui/advisories-and-vex.md` detailing aggregation-not-merge UX. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-005 | Write `/docs/ui/findings.md` with filters, explain, exports, CLI parity notes. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-006 | Publish `/docs/ui/policies.md` (editor, simulation, approvals, RBAC). | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-007 | Document `/docs/ui/runs.md` with SSE monitoring, diff, retries, evidence downloads. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-008 | Draft `/docs/ui/admin.md` covering tenants, roles, tokens, integrations, fresh-auth. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-27) | Docs Guild | DOCS-CONSOLE-23-009 | Publish `/docs/ui/downloads.md` aligning manifest with commands and offline flow. 
| -| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-27) | Docs Guild, Deployment Guild, Console Guild | DOCS-CONSOLE-23-010 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, env vars, health checks). | -| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-001 | Provide graph build/overlay job APIs; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | -| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-002 | Provide overlay lag metrics endpoint/webhook; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | -| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild, Authority Core Guild | SCHED-WEB-21-003 | Replace header auth with Authority scopes using `StellaOpsScopes`; dev fallback only when `Scheduler:Authority:Enabled=false`. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-001 | Deploy default OpenTelemetry collector manifests with secure OTLP pipeline. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-003 | Package telemetry stack configs for offline/air-gapped installs with signatures. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-27) | Scheduler WebService Guild | SCHED-WEB-16-101 | Minimal API host with Authority enforcement. | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-202 | ImpactIndex targeting and shard planning. | +This file describe implementation of Stella Ops (docs/README.md). 
Implementation must respect rules from AGENTS.md (read if you have not). + +| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | +| --- | --- | --- | --- | --- | --- | --- | +| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-NUGET-13-002 | Ensure all solutions/projects prioritize `local-nuget` before public feeds and add restore-order validation. | +| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-003 | Upgrade `Microsoft.*` dependencies pinned to 8.* to their latest .NET 10 (or 9.x) releases and refresh guidance. | +| Sprint 14 | Release & Offline Ops | ops/deployment/TASKS.md | DONE (2025-10-26) | Deployment Guild | DEVOPS-OPS-14-003 | Deployment/update/rollback automation and channel management documentation. | +| Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-REL-14-001 | Deterministic build/release pipeline with SBOM/provenance, signing, and manifest generation. | +| Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, Scanner Guild | DEVOPS-REL-14-004 | Extend release/offline smoke jobs to cover Python analyzer plug-ins (warm/cold, determinism, signing). | +| Sprint 14 | Release & Offline Ops | ops/licensing/TASKS.md | DONE (2025-10-26) | Licensing Guild | DEVOPS-LIC-14-004 | Registry token service tied to Authority, plan gating, revocation handling, monitoring. | +| Sprint 14 | Release & Offline Ops | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild | DEVOPS-OFFLINE-14-002 | Offline kit packaging workflow with integrity verification and documentation. | +| Sprint 15 | Benchmarks | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild, Notify Team | BENCH-NOTIFY-15-001 | Notify dispatch throughput bench with results CSV. 
| +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-19) | Scheduler Models Guild | SCHED-MODELS-16-101 | Define Scheduler DTOs & validation. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-19) | Scheduler Models Guild | SCHED-MODELS-16-102 | Publish schema docs/sample payloads. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Scheduler Storage Guild | SCHED-STORAGE-16-201 | Mongo schemas/indexes for Scheduler state. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-26) | Scheduler Storage Guild | SCHED-STORAGE-16-202 | Repositories with tenant scoping, TTL, causal consistency. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md | DONE (2025-10-26) | Scheduler Storage Guild | SCHED-STORAGE-16-203 | Audit/run stats materialization for UI. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-26) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-302 | Query APIs for ResolveByPurls/ResolveByVulns/ResolveAll. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-26) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-301 | Ingest BOM-Index into roaring bitmap store. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-16-102 | Schedules CRUD (cron validation, pause/resume, audit). 
| +| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-16-103 | Runs API (list/detail/cancel) + impact previews. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-27) | Scheduler WebService Guild | SCHED-WEB-16-104 | Feedser/Vexer webhook handlers with security enforcement. | +| Sprint 17 | Symbol Intelligence & Forensics | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-RUNTIME-17-004 | Document build-id workflows for SBOMs, runtime events, and debug-store usage. | +| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-REL-17-002 | Ship stripped debug artifacts organised by build-id within release/offline kits. | +| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-003 | Mirror release debug-store artefacts into Offline Kit packaging and document validation. | +| Sprint 17 | Symbol Intelligence & Forensics | src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-26) | Emit Guild | SCANNER-EMIT-17-701 | Record GNU build-id for ELF components and surface it in SBOM/diff outputs. | +| Sprint 18 | Launch Readiness | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-LAUNCH-18-001 | Production launch cutover rehearsal and runbook publication. | +| Sprint 18 | Launch Readiness | ops/offline-kit/TASKS.md | DONE (2025-10-26) | Offline Kit Guild, Scanner Guild | DEVOPS-OFFLINE-18-005 | Rebuild Offline Kit with Python analyzer artefacts and refreshed manifest/signature pair. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-AOC-19-001 | Publish aggregation-only contract reference documentation. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-AOC-19-002 | Update architecture overview with AOC boundary diagrams. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Policy Guild | DOCS-AOC-19-003 | Refresh policy engine doc with raw ingestion constraints. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, UI Guild | DOCS-AOC-19-004 | Document console AOC dashboard and drill-down flow. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, CLI Guild | DOCS-AOC-19-005 | Document CLI AOC commands and exit codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Observability Guild | DOCS-AOC-19-006 | Document new AOC metrics, traces, and logs. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Authority Core | DOCS-AOC-19-007 | Document new Authority scopes and tenancy enforcement. | +| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, DevOps Guild | DOCS-AOC-19-008 | Update deployment guide with validator enablement and verify user guidance. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-AOC-19-001 | Introduce new ingestion/auth scopes across Authority. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-POLICY-20-001 | Publish `/docs/policy/overview.md` with compliance checklist. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-POLICY-20-002 | Document DSL grammar + examples in `/docs/policy/dsl.md`. 
| +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Authority Core | DOCS-POLICY-20-003 | Write `/docs/policy/lifecycle.md` covering workflow + roles. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Scheduler Guild | DOCS-POLICY-20-004 | Document policy run modes + cursors in `/docs/policy/runs.md`. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Platform Guild | DOCS-POLICY-20-005 | Produce `/docs/api/policy.md` with endpoint schemas + errors. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, CLI Guild | DOCS-POLICY-20-006 | Author `/docs/modules/cli/guides/policy.md` with commands, exit codes, JSON output. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, UI Guild | DOCS-POLICY-20-007 | Create `/docs/ui/policy-editor.md` covering editor, simulation, approvals. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-POLICY-20-008 | Publish `/docs/modules/policy/architecture.md` with sequence diagrams. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Observability Guild | DOCS-POLICY-20-009 | Document metrics/traces/logs in `/docs/observability/policy.md`. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Security Guild | DOCS-POLICY-20-010 | Publish `/docs/security/policy-governance.md` for scopes + approvals. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Policy Guild | DOCS-POLICY-20-011 | Add example policies under `/docs/examples/policies/` with commentary. | +| Sprint 20 | Policy Engine v2 | docs/TASKS.md | DONE (2025-10-26) | Docs Guild, Support Guild | DOCS-POLICY-20-012 | Draft `/docs/faq/policy-faq.md` covering conflicts, determinism, pitfalls. 
| +| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-POLICY-20-001 | Add DSL lint + compile checks to CI pipelines. | +| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-POLICY-20-003 | Add determinism CI job diffing repeated policy runs. | +| Sprint 20 | Policy Engine v2 | samples/TASKS.md | DONE (2025-10-26) | Samples Guild, Policy Guild | SAMPLES-POLICY-20-001 | Commit baseline/serverless/internal-only policy samples + fixtures. | +| Sprint 20 | Policy Engine v2 | samples/TASKS.md | DONE (2025-10-26) | Samples Guild, UI Guild | SAMPLES-POLICY-20-002 | Produce simulation diff fixtures for UI/CLI tests. | +| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-POLICY-20-001 | Add new policy scopes (`policy:*`, `findings:read`, `effective:write`). | +| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Security Guild | AUTH-POLICY-20-002 | Enforce Policy Engine service identity and scope checks at gateway. | +| Sprint 20 | Policy Engine v2 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Docs Guild | AUTH-POLICY-20-003 | Update Authority docs/config samples for policy scopes + workflows. | +| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild, Policy Guild | BENCH-POLICY-20-001 | Create policy evaluation benchmark suite + baseline metrics. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE (2025-10-26) | Policy Guild, Platform Guild | POLICY-ENGINE-20-000 | Spin up new Policy Engine service host with DI bootstrap and Authority wiring. 
| +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE (2025-10-26) | Policy Guild | POLICY-ENGINE-20-001 | Deliver `stella-dsl@1` parser + IR compiler with diagnostics and checksums. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-20-001 | Define policy run/diff DTOs + validation helpers. | +| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core Guild | AUTH-GRAPH-21-001 | Introduce graph scopes (`graph:*`) with configuration binding and defaults. | +| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core Guild | AUTH-GRAPH-21-002 | Enforce graph scopes/identities at gateway with tenant propagation. | +| Sprint 21 | Graph Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | DONE (2025-10-26) | Authority Core & Docs Guild | AUTH-GRAPH-21-003 | Update security docs/config samples for graph access and least privilege. | +| Sprint 21 | Graph Explorer v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-21-001 | Define job DTOs for graph builds/overlay refresh (`GraphBuildJob`, `GraphOverlayJob`) with deterministic serialization and status enums; document in `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`. | +| Sprint 21 | Graph Explorer v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-26) | Scheduler Models Guild | SCHED-MODELS-21-002 | Publish schema docs/sample payloads for graph job lifecycle. | +| Sprint 22 | Link-Not-Merge v1 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild | BENCH-LNM-22-001 | Benchmark advisory observation ingest/correlation throughput. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Bench/StellaOps.Bench/TASKS.md | DONE (2025-10-26) | Bench Guild | BENCH-LNM-22-002 | Benchmark VEX ingest/correlation latency and event emission. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-001 | Publish `/docs/ui/console-overview.md` (IA, tenant model, filters, AOC alignment). | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-002 | Author `/docs/ui/navigation.md` with route map, filters, keyboard shortcuts, deep links. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-003 | Document `/docs/ui/sbom-explorer.md` covering catalog, graph, overlays, exports. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-004 | Produce `/docs/ui/advisories-and-vex.md` detailing aggregation-not-merge UX. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-005 | Write `/docs/ui/findings.md` with filters, explain, exports, CLI parity notes. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-006 | Publish `/docs/ui/policies.md` (editor, simulation, approvals, RBAC). | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-007 | Document `/docs/ui/runs.md` with SSE monitoring, diff, retries, evidence downloads. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-26) | Docs Guild | DOCS-CONSOLE-23-008 | Draft `/docs/ui/admin.md` covering tenants, roles, tokens, integrations, fresh-auth. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-27) | Docs Guild | DOCS-CONSOLE-23-009 | Publish `/docs/ui/downloads.md` aligning manifest with commands and offline flow. 
| +| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-27) | Docs Guild, Deployment Guild, Console Guild | DOCS-CONSOLE-23-010 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, env vars, health checks). | +| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-001 | Provide graph build/overlay job APIs; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | +| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-002 | Provide overlay lag metrics endpoint/webhook; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | +| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild, Authority Core Guild | SCHED-WEB-21-003 | Replace header auth with Authority scopes using `StellaOpsScopes`; dev fallback only when `Scheduler:Authority:Enabled=false`. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-001 | Deploy default OpenTelemetry collector manifests with secure OTLP pipeline. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DONE (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-003 | Package telemetry stack configs for offline/air-gapped installs with signatures. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-27) | Scheduler WebService Guild | SCHED-WEB-16-101 | Minimal API host with Authority enforcement. | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-202 | ImpactIndex targeting and shard planning. | 
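Review bot: the three rows labelled `Sprint 28 | Graph Explorer` carry task IDs `SCHED-WEB-21-001..003`, while every other row keeps its sprint number and ID suffix in step (the `Sprint 21 | Graph Explorer v1` rows use `AUTH-GRAPH-21-*` and `SCHED-MODELS-21-*`); please confirm whether these belong to Sprint 21 or whether the IDs should be re-keyed to 28, and note that `SCHED-WEB-21-002` points at `docs/SCHED-WEB-21-001-GRAPH-APIS.md`, the same document as 21-001, which should be intentional or corrected. Row ordering is also loose: `SCHED-IMPACT-16-302` precedes `SCHED-IMPACT-16-301`, and the trailing `SCHED-WEB-16-101` and `SCHED-WORKER-16-202` rows sit after the Sprint 50 entries rather than with the other Sprint 16 rows, so a sort by sprint and ID would keep the table scannable. Finally, `SCHED-WEB-16-104` still says "Feedser/Vexer webhook handlers" whereas the rest of this patch uses the Concelier/Excititor names; unless the legacy names are deliberate for a DONE row, align them.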
diff --git a/docs/ingestion/aggregation-only-contract.md b/docs/ingestion/aggregation-only-contract.md index eee8575a..3a588067 100644 --- a/docs/ingestion/aggregation-only-contract.md +++ b/docs/ingestion/aggregation-only-contract.md 
@@ -1,181 +1,181 @@ -# Aggregation-Only Contract Reference - -> The Aggregation-Only Contract (AOC) is the governing rule set that keeps StellaOps ingestion services deterministic, policy-neutral, and auditable. It applies to Concelier, Excititor, and any future collectors that write raw advisory or VEX documents. - -## 1. Purpose and Scope - -- Defines the canonical behaviour for `advisory_raw` and `vex_raw` collections and the linkset hints they may emit. -- Applies to every ingestion runtime (`StellaOps.Concelier.*`, `StellaOps.Excititor.*`), the Authority scopes that guard them, and the DevOps/QA surfaces that verify compliance. -- Complements the high-level architecture in [Concelier](../modules/concelier/architecture.md) and Authority enforcement documented in [Authority Architecture](../modules/authority/architecture.md). +# Aggregation-Only Contract Reference + +> The Aggregation-Only Contract (AOC) is the governing rule set that keeps StellaOps ingestion services deterministic, policy-neutral, and auditable. It applies to Concelier, Excititor, and any future collectors that write raw advisory or VEX documents. + +## 1. Purpose and Scope + +- Defines the canonical behaviour for `advisory_raw` and `vex_raw` collections and the linkset hints they may emit. +- Applies to every ingestion runtime (`StellaOps.Concelier.*`, `StellaOps.Excititor.*`), the Authority scopes that guard them, and the DevOps/QA surfaces that verify compliance. +- Complements the high-level architecture in [Concelier](../modules/concelier/architecture.md) and Authority enforcement documented in [Authority Architecture](../modules/authority/architecture.md). - Paired guidance: see the guard-rail checkpoints in [AOC Guardrails](../aoc/aoc-guardrails.md), the implementation reference in [AOC Guard Library](../aoc/guard-library.md), and CLI usage that will land in `/docs/modules/cli/guides/` as part of Sprint 19 follow-up. - -## 2. 
Philosophy and Goals - -- Preserve upstream truth: ingestion only captures immutable raw facts plus provenance, never derived severity or policy decisions. -- Defer interpretation: Policy Engine and downstream overlays remain the sole writers of materialised findings, severity, consensus, or risk scores. -- Make every write explainable: provenance, signatures, and content hashes are required so operators can prove where each fact originated. -- Keep outputs reproducible: identical inputs must yield identical documents, hashes, and linksets across replays and air-gapped installs. - -## 3. Contract Invariants - -| # | Invariant | What it forbids or requires | Enforcement surfaces | -|---|-----------|-----------------------------|----------------------| -| 1 | No derived severity at ingest | Reject top-level keys such as `severity`, `cvss`, `effective_status`, `consensus_provider`, `risk_score`. Raw upstream CVSS remains inside `content.raw`. | Mongo schema validator, `AOCWriteGuard`, Roslyn analyzer, `stella aoc verify`. | -| 2 | No merges or opinionated dedupe | Each upstream document persists on its own; ingestion never collapses multiple vendors into one document. | Repository interceptors, unit/fixture suites. | -| 3 | Provenance is mandatory | `source.*`, `upstream.*`, and `signature` metadata must be present; missing provenance triggers `ERR_AOC_004`. | Schema validator, guard, CLI verifier. | -| 4 | Idempotent upserts | Writes keyed by `(vendor, upstream_id, content_hash)` either no-op or insert a new revision with `supersedes`. Duplicate hashes map to the same document. | Repository guard, storage unique index, CI smoke tests. | -| 5 | Append-only revisions | Updates create a new document with `supersedes` pointer; no in-place mutation of content. | Mongo schema (`supersedes` format), guard, data migration scripts. 
| -| 6 | Linkset only | Ingestion may compute link hints (`purls`, `cpes`, IDs) to accelerate joins, but must not transform or infer severity or policy. | Linkset builders reviewed via fixtures and analyzers. | -| 7 | Policy-only effective findings | Only Policy Engine identities can write `effective_finding_*`; ingestion callers receive `ERR_AOC_006` if they attempt it. | Authority scopes, Policy Engine guard. | -| 8 | Schema safety | Unknown top-level keys reject with `ERR_AOC_007`; timestamps use ISO 8601 UTC strings; tenant is required. | Mongo validator, JSON schema tests. | -| 9 | Clock discipline | Collectors stamp `fetched_at` and `received_at` monotonically per batch to support reproducibility windows. | Collector contracts, QA fixtures. | - -## 4. Raw Schemas - -### 4.1 `advisory_raw` - -| Field | Type | Notes | -|-------|------|-------| -| `_id` | string | `advisory_raw:{source}:{upstream_id}:{revision}`; deterministic and tenant-scoped. | -| `tenant` | string | Required; injected by Authority middleware and asserted by schema validator. | -| `source.vendor` | string | Provider identifier (e.g., `redhat`, `osv`, `ghsa`). | -| `source.stream` | string | Connector stream name (`csaf`, `osv`, etc.). | -| `source.api` | string | Absolute URI of upstream document; stored for traceability. | -| `source.collector_version` | string | Semantic version of the collector. | -| `upstream.upstream_id` | string | Vendor- or ecosystem-provided identifier (CVE, GHSA, vendor ID). | -| `upstream.document_version` | string | Upstream issued timestamp or revision string. | -| `upstream.fetched_at` / `received_at` | string | ISO 8601 UTC timestamps recorded by the collector. | -| `upstream.content_hash` | string | `sha256:` digest of the raw payload used for idempotency. | -| `upstream.signature` | object | Required structure storing `present`, `format`, `key_id`, `sig`; even unsigned payloads set `present: false`. 
| -| `content.format` | string | Source format (`CSAF`, `OSV`, etc.). | -| `content.spec_version` | string | Upstream spec version when known. | -| `content.raw` | object | Full upstream payload, untouched except for transport normalisation. | -| `identifiers` | object | Upstream identifiers (`cve`, `ghsa`, `aliases`, etc.) captured as provided (trimmed, order preserved, duplicates allowed). | -| `linkset` | object | Join hints (see section 4.3). | -| `supersedes` | string or null | Points to previous revision of same upstream doc when content hash changes. | - -### 4.2 `vex_raw` - -| Field | Type | Notes | -|-------|------|-------| -| `_id` | string | `vex_raw:{source}:{upstream_id}:{revision}`. | -| `tenant` | string | Required; matches advisory collection requirements. | -| `source.*` | object | Same shape and requirements as `advisory_raw`. | -| `upstream.*` | object | Includes `document_version`, timestamps, `content_hash`, and `signature`. | -| `content.format` | string | Typically `CycloneDX-VEX` or `CSAF-VEX`. | -| `content.raw` | object | Entire upstream VEX payload. | -| `identifiers.statements` | array | Normalised statement summaries (IDs, PURLs, status, justification) to accelerate policy joins. | -| `linkset` | object | CVEs, GHSA IDs, and PURLs referenced in the document. | -| `supersedes` | string or null | Same convention as advisory documents. | - -### 4.3 Linkset Fields - -- `purls`: fully qualified Package URLs extracted from raw ranges or product nodes. -- `cpes`: Common Platform Enumerations when upstream docs provide them. -- `aliases`: Any alternate advisory identifiers present in the payload. -- `references`: Array of `{ type, url }` pairs pointing back to vendor advisories, patches, or exploits. -- `reconciled_from`: Provenance of linkset entries (JSON Pointer or field origin) to make automated checks auditable. 
- -Canonicalisation rules: -- Package URLs are rendered in canonical form without qualifiers/subpaths (`pkg:type/namespace/name@version`). -- CPE values are normalised to the 2.3 binding (`cpe:2.3:part:vendor:product:version:*:*:*:*:*:*:*`). -- Connector mapping stages are responsible for the canonical form; ingestion trims whitespace but otherwise preserves the original order and duplicate entries so downstream policy can reason about upstream intent. - -### 4.4 `advisory_observations` - -`advisory_observations` is an immutable projection of the validated raw document used by Link‑Not‑Merge overlays. Fields mirror the JSON contract surfaced by `StellaOps.Concelier.Models.Observations.AdvisoryObservation`. - -| Field | Type | Notes | -|-------|------|-------| -| `_id` | string | Deterministic observation id — `{tenant}:{source.vendor}:{upstreamId}:{revision}`. | -| `tenant` | string | Lower-case tenant identifier. | -| `source.vendor` / `source.stream` | string | Connector identity (e.g., `vendor/redhat`, `ecosystem/osv`). | -| `source.api` | string | Absolute URI the connector fetched from. | -| `source.collectorVersion` | string | Optional semantic version of the connector build. | -| `upstream.upstream_id` | string | Advisory identifier as issued by the provider (CVE, vendor ID, etc.). | -| `upstream.document_version` | string | Upstream revision/version string. | -| `upstream.fetchedAt` / `upstream.receivedAt` | datetime | UTC timestamps recorded by the connector. | -| `upstream.contentHash` | string | `sha256:` digest used for idempotency. | -| `upstream.signature` | object | `{present, format?, keyId?, signature?}` describing upstream signature material. | -| `content.format` / `content.specVersion` | string | Raw payload format metadata (CSAF, OSV, JSON, etc.). | -| `content.raw` | object | Full upstream document stored losslessly (Relaxed Extended JSON). | -| `content.metadata` | object | Optional connector-specific metadata (batch ids, hints). 
| -| `linkset.aliases` | array | Connector-supplied aliases (trimmed, order preserved, duplicates allowed). | -| `linkset.purls` | array | Connector-supplied PURLs (ingestion preserves order and duplicates). | -| `linkset.cpes` | array | Connector-supplied CPE URIs (trimmed, order preserved). | -| `linkset.references` | array | `{ type, url }` pairs (trimmed; ingestion preserves order). | -| `createdAt` | datetime | Timestamp when Concelier persisted the observation. | -| `attributes` | object | Optional provenance attributes keyed by connector. | - -## 5. Error Model - -| Code | Description | HTTP status | Surfaces | -|------|-------------|-------------|----------| -| `ERR_AOC_001` | Forbidden field detected (severity, cvss, effective data). | 400 | Ingestion APIs, CLI verifier, CI guard. | -| `ERR_AOC_002` | Merge attempt detected (multiple upstream sources fused into one document). | 400 | Ingestion APIs, CLI verifier. | -| `ERR_AOC_003` | Idempotency violation (duplicate without supersedes pointer). | 409 | Repository guard, Mongo unique index, CLI verifier. | -| `ERR_AOC_004` | Missing provenance metadata (`source`, `upstream`, `signature`). | 422 | Schema validator, ingestion endpoints. | -| `ERR_AOC_005` | Signature or checksum mismatch. | 422 | Collector validation, CLI verifier. | -| `ERR_AOC_006` | Attempt to persist derived findings from ingestion context. | 403 | Policy engine guard, Authority scopes. | -| `ERR_AOC_007` | Unknown top-level fields (schema violation). | 400 | Mongo validator, CLI verifier. | - -Consumers should map these codes to CLI exit codes and structured log events so automation can fail fast and produce actionable guidance. - -## 6. API and Tooling Interfaces - -- **Concelier ingestion** (`StellaOps.Concelier.WebService`) - - `POST /ingest/advisory`: accepts upstream payload metadata; server-side guard constructs and persists raw document. 
- - `GET /advisories/raw/{id}` and filterable list endpoints expose raw documents for debugging and offline analysis. - - `POST /aoc/verify`: runs guard checks over recent documents and returns summary totals plus first violations. -- **Excititor ingestion** (`StellaOps.Excititor.WebService`) mirrors the same surface for VEX documents. -- **CLI workflows** (`stella aoc verify`, `stella sources ingest --dry-run`) surface pre-flight verification; documentation will live in `/docs/modules/cli/guides/` alongside Sprint 19 CLI updates. -- **Authority scopes**: new `advisory:ingest`, `advisory:read`, `vex:ingest`, and `vex:read` scopes enforce least privilege; see [Authority Architecture](../modules/authority/architecture.md) for scope grammar. - -## 7. Idempotency and Supersedes Rules - -1. Compute `content_hash` before any transformation; use it with `(source.vendor, upstream.upstream_id)` to detect duplicates. -2. If a document with the same hash already exists, skip the write and log a no-op. -3. When a new hash arrives for an existing upstream document, insert a new record and set `supersedes` to the previous `_id`. -4. Keep supersedes chains acyclic; collectors must resolve conflicts by rewinding before they insert. -5. Expose idempotency counters via metrics (`ingestion_write_total{result=ok|noop}`) to catch regressions early. - -## 8. Migration Playbook - -1. Freeze ingestion writes except for raw pass-through paths while deploying schema validators. -2. Snapshot existing collections to `_backup_*` for rollback safety. -3. Strip forbidden fields from historical documents into a temporary `advisory_view_legacy` used only during transition. -4. Enable Mongo JSON schema validators for `advisory_raw` and `vex_raw`. -5. Run collectors in `--dry-run` to confirm only allowed keys appear; fix violations before lifting the freeze. -6. Point Policy Engine to consume exclusively from raw collections and compute derived outputs downstream. -7. 
Delete legacy normalisation paths from ingestion code and enable runtime guards plus CI linting. -8. Roll forward CLI, Console, and dashboards so operators can monitor AOC status end-to-end. - -## 9. Observability and Diagnostics - -- **Metrics**: `ingestion_write_total{result=ok|reject}`, `aoc_violation_total{code}`, `ingestion_signature_verified_total{result}`, `ingestion_latency_seconds`, `advisory_revision_count`. -- **Traces**: spans `ingest.fetch`, `ingest.transform`, `ingest.write`, and `aoc.guard` with correlation IDs shared across workers. -- **Logs**: structured entries must include `tenant`, `source.vendor`, `upstream.upstream_id`, `content_hash`, and `violation_code` when applicable. -- **Dashboards**: DevOps should add panels for violation counts, signature failures, supersedes growth, and CLI verifier outcomes for each tenant. - -## 10. Security and Tenancy Checklist - -- Enforce Authority scopes (`advisory:ingest`, `vex:ingest`, `advisory:read`, `vex:read`) and require tenant claims on every request. -- Maintain pinned trust stores for signature verification; capture verification result in metrics and logs. -- Ensure collectors never log secrets or raw authentication headers; redact tokens before persistence. -- Validate that Policy Engine remains the only identity with permission to write `effective_finding_*` documents. -- Verify offline bundles include the raw collections, guard configuration, and verifier binaries so air-gapped installs can audit parity. -- Document operator steps for recovering from violations, including rollback to superseded revisions and re-running policy evaluation. - -## 11. Compliance Checklist - -- [ ] Deterministic guard enabled in Concelier and Excititor repositories. -- [ ] Mongo validators deployed for `advisory_raw` and `vex_raw`. -- [ ] Authority scopes and tenant enforcement verified via integration tests. -- [ ] CLI and CI pipelines run `stella aoc verify` against seeded snapshots. 
-- [ ] Observability feeds (metrics, logs, traces) wired into dashboards with alerts. -- [ ] Offline kit instructions updated to bundle validators and verifier tooling. -- [ ] Security review recorded covering ingestion, tenancy, and rollback procedures. - ---- - -*Last updated: 2025-10-27 (Sprint 19).* + +## 2. Philosophy and Goals + +- Preserve upstream truth: ingestion only captures immutable raw facts plus provenance, never derived severity or policy decisions. +- Defer interpretation: Policy Engine and downstream overlays remain the sole writers of materialised findings, severity, consensus, or risk scores. +- Make every write explainable: provenance, signatures, and content hashes are required so operators can prove where each fact originated. +- Keep outputs reproducible: identical inputs must yield identical documents, hashes, and linksets across replays and air-gapped installs. + +## 3. Contract Invariants + +| # | Invariant | What it forbids or requires | Enforcement surfaces | +|---|-----------|-----------------------------|----------------------| +| 1 | No derived severity at ingest | Reject top-level keys such as `severity`, `cvss`, `effective_status`, `consensus_provider`, `risk_score`. Raw upstream CVSS remains inside `content.raw`. | Mongo schema validator, `AOCWriteGuard`, Roslyn analyzer, `stella aoc verify`. | +| 2 | No merges or opinionated dedupe | Each upstream document persists on its own; ingestion never collapses multiple vendors into one document. | Repository interceptors, unit/fixture suites. | +| 3 | Provenance is mandatory | `source.*`, `upstream.*`, and `signature` metadata must be present; missing provenance triggers `ERR_AOC_004`. | Schema validator, guard, CLI verifier. | +| 4 | Idempotent upserts | Writes keyed by `(vendor, upstream_id, content_hash)` either no-op or insert a new revision with `supersedes`. Duplicate hashes map to the same document. | Repository guard, storage unique index, CI smoke tests. 
| +| 5 | Append-only revisions | Updates create a new document with `supersedes` pointer; no in-place mutation of content. | Mongo schema (`supersedes` format), guard, data migration scripts. | +| 6 | Linkset only | Ingestion may compute link hints (`purls`, `cpes`, IDs) to accelerate joins, but must not transform or infer severity or policy. Observations now persist both canonical linksets (for indexed queries) and raw linksets (preserving upstream order/duplicates) so downstream policy can decide how to normalise. | Linkset builders reviewed via fixtures/analyzers; raw-vs-canonical parity covered by observation fixtures. | +| 7 | Policy-only effective findings | Only Policy Engine identities can write `effective_finding_*`; ingestion callers receive `ERR_AOC_006` if they attempt it. | Authority scopes, Policy Engine guard. | +| 8 | Schema safety | Unknown top-level keys reject with `ERR_AOC_007`; timestamps use ISO 8601 UTC strings; tenant is required. | Mongo validator, JSON schema tests. | +| 9 | Clock discipline | Collectors stamp `fetched_at` and `received_at` monotonically per batch to support reproducibility windows. | Collector contracts, QA fixtures. | + +## 4. Raw Schemas + +### 4.1 `advisory_raw` + +| Field | Type | Notes | +|-------|------|-------| +| `_id` | string | `advisory_raw:{source}:{upstream_id}:{revision}`; deterministic and tenant-scoped. | +| `tenant` | string | Required; injected by Authority middleware and asserted by schema validator. | +| `source.vendor` | string | Provider identifier (e.g., `redhat`, `osv`, `ghsa`). | +| `source.stream` | string | Connector stream name (`csaf`, `osv`, etc.). | +| `source.api` | string | Absolute URI of upstream document; stored for traceability. | +| `source.collector_version` | string | Semantic version of the collector. | +| `upstream.upstream_id` | string | Vendor- or ecosystem-provided identifier (CVE, GHSA, vendor ID). 
| +| `upstream.document_version` | string | Upstream issued timestamp or revision string. | +| `upstream.fetched_at` / `received_at` | string | ISO 8601 UTC timestamps recorded by the collector. | +| `upstream.content_hash` | string | `sha256:` digest of the raw payload used for idempotency. | +| `upstream.signature` | object | Required structure storing `present`, `format`, `key_id`, `sig`; even unsigned payloads set `present: false`. | +| `content.format` | string | Source format (`CSAF`, `OSV`, etc.). | +| `content.spec_version` | string | Upstream spec version when known. | +| `content.raw` | object | Full upstream payload, untouched except for transport normalisation. | +| `identifiers` | object | Upstream identifiers (`cve`, `ghsa`, `aliases`, etc.) captured as provided (trimmed, order preserved, duplicates allowed). | +| `linkset` | object | Join hints (see section 4.3). | +| `supersedes` | string or null | Points to previous revision of same upstream doc when content hash changes. | + +### 4.2 `vex_raw` + +| Field | Type | Notes | +|-------|------|-------| +| `_id` | string | `vex_raw:{source}:{upstream_id}:{revision}`. | +| `tenant` | string | Required; matches advisory collection requirements. | +| `source.*` | object | Same shape and requirements as `advisory_raw`. | +| `upstream.*` | object | Includes `document_version`, timestamps, `content_hash`, and `signature`. | +| `content.format` | string | Typically `CycloneDX-VEX` or `CSAF-VEX`. | +| `content.raw` | object | Entire upstream VEX payload. | +| `identifiers.statements` | array | Normalised statement summaries (IDs, PURLs, status, justification) to accelerate policy joins. | +| `linkset` | object | CVEs, GHSA IDs, and PURLs referenced in the document. | +| `supersedes` | string or null | Same convention as advisory documents. | + +### 4.3 Linkset Fields + +- `purls`: fully qualified Package URLs extracted from raw ranges or product nodes. 
+- `cpes`: Common Platform Enumerations when upstream docs provide them. +- `aliases`: Any alternate advisory identifiers present in the payload. +- `references`: Array of `{ type, url }` pairs pointing back to vendor advisories, patches, or exploits. +- `reconciled_from`: Provenance of linkset entries (JSON Pointer or field origin) to make automated checks auditable. + +Canonicalisation rules: +- Package URLs are rendered in canonical form without qualifiers/subpaths (`pkg:type/namespace/name@version`). +- CPE values are normalised to the 2.3 binding (`cpe:2.3:part:vendor:product:version:*:*:*:*:*:*:*`). +- Connector mapping stages are responsible for the canonical form; ingestion trims whitespace but otherwise preserves the original order and duplicate entries so downstream policy can reason about upstream intent. + +### 4.4 `advisory_observations` + +`advisory_observations` is an immutable projection of the validated raw document used by Link‑Not‑Merge overlays. Fields mirror the JSON contract surfaced by `StellaOps.Concelier.Models.Observations.AdvisoryObservation`. + +| Field | Type | Notes | +|-------|------|-------| +| `_id` | string | Deterministic observation id — `{tenant}:{source.vendor}:{upstreamId}:{revision}`. | +| `tenant` | string | Lower-case tenant identifier. | +| `source.vendor` / `source.stream` | string | Connector identity (e.g., `vendor/redhat`, `ecosystem/osv`). | +| `source.api` | string | Absolute URI the connector fetched from. | +| `source.collectorVersion` | string | Optional semantic version of the connector build. | +| `upstream.upstream_id` | string | Advisory identifier as issued by the provider (CVE, vendor ID, etc.). | +| `upstream.document_version` | string | Upstream revision/version string. | +| `upstream.fetchedAt` / `upstream.receivedAt` | datetime | UTC timestamps recorded by the connector. | +| `upstream.contentHash` | string | `sha256:` digest used for idempotency. 
| +| `upstream.signature` | object | `{present, format?, keyId?, signature?}` describing upstream signature material. | +| `content.format` / `content.specVersion` | string | Raw payload format metadata (CSAF, OSV, JSON, etc.). | +| `content.raw` | object | Full upstream document stored losslessly (Relaxed Extended JSON). | +| `content.metadata` | object | Optional connector-specific metadata (batch ids, hints). | +| `linkset.aliases` | array | Connector-supplied aliases (trimmed, order preserved, duplicates allowed). | +| `linkset.purls` | array | Connector-supplied PURLs (ingestion preserves order and duplicates). | +| `linkset.cpes` | array | Connector-supplied CPE URIs (trimmed, order preserved). | +| `linkset.references` | array | `{ type, url }` pairs (trimmed; ingestion preserves order). | +| `createdAt` | datetime | Timestamp when Concelier persisted the observation. | +| `attributes` | object | Optional provenance attributes keyed by connector. | + +## 5. Error Model + +| Code | Description | HTTP status | Surfaces | +|------|-------------|-------------|----------| +| `ERR_AOC_001` | Forbidden field detected (severity, cvss, effective data). | 400 | Ingestion APIs, CLI verifier, CI guard. | +| `ERR_AOC_002` | Merge attempt detected (multiple upstream sources fused into one document). | 400 | Ingestion APIs, CLI verifier. | +| `ERR_AOC_003` | Idempotency violation (duplicate without supersedes pointer). | 409 | Repository guard, Mongo unique index, CLI verifier. | +| `ERR_AOC_004` | Missing provenance metadata (`source`, `upstream`, `signature`). | 422 | Schema validator, ingestion endpoints. | +| `ERR_AOC_005` | Signature or checksum mismatch. | 422 | Collector validation, CLI verifier. | +| `ERR_AOC_006` | Attempt to persist derived findings from ingestion context. | 403 | Policy engine guard, Authority scopes. | +| `ERR_AOC_007` | Unknown top-level fields (schema violation). | 400 | Mongo validator, CLI verifier. 
| + +Consumers should map these codes to CLI exit codes and structured log events so automation can fail fast and produce actionable guidance. + +## 6. API and Tooling Interfaces + +- **Concelier ingestion** (`StellaOps.Concelier.WebService`) + - `POST /ingest/advisory`: accepts upstream payload metadata; server-side guard constructs and persists raw document. + - `GET /advisories/raw/{id}` and filterable list endpoints expose raw documents for debugging and offline analysis. + - `POST /aoc/verify`: runs guard checks over recent documents and returns summary totals plus first violations. +- **Excititor ingestion** (`StellaOps.Excititor.WebService`) mirrors the same surface for VEX documents. +- **CLI workflows** (`stella aoc verify`, `stella sources ingest --dry-run`) surface pre-flight verification; documentation will live in `/docs/modules/cli/guides/` alongside Sprint 19 CLI updates. +- **Authority scopes**: new `advisory:ingest`, `advisory:read`, `vex:ingest`, and `vex:read` scopes enforce least privilege; see [Authority Architecture](../modules/authority/architecture.md) for scope grammar. + +## 7. Idempotency and Supersedes Rules + +1. Compute `content_hash` before any transformation; use it with `(source.vendor, upstream.upstream_id)` to detect duplicates. +2. If a document with the same hash already exists, skip the write and log a no-op. +3. When a new hash arrives for an existing upstream document, insert a new record and set `supersedes` to the previous `_id`. +4. Keep supersedes chains acyclic; collectors must resolve conflicts by rewinding before they insert. +5. Expose idempotency counters via metrics (`ingestion_write_total{result=ok|noop}`) to catch regressions early. + +## 8. Migration Playbook + +1. Freeze ingestion writes except for raw pass-through paths while deploying schema validators. +2. Snapshot existing collections to `_backup_*` for rollback safety. +3. 
Strip forbidden fields from historical documents into a temporary `advisory_view_legacy` used only during transition. +4. Enable Mongo JSON schema validators for `advisory_raw` and `vex_raw`. +5. Run collectors in `--dry-run` to confirm only allowed keys appear; fix violations before lifting the freeze. +6. Point Policy Engine to consume exclusively from raw collections and compute derived outputs downstream. +7. Delete legacy normalisation paths from ingestion code and enable runtime guards plus CI linting. +8. Roll forward CLI, Console, and dashboards so operators can monitor AOC status end-to-end. + +## 9. Observability and Diagnostics + +- **Metrics**: `ingestion_write_total{result=ok|reject}`, `aoc_violation_total{code}`, `ingestion_signature_verified_total{result}`, `ingestion_latency_seconds`, `advisory_revision_count`. +- **Traces**: spans `ingest.fetch`, `ingest.transform`, `ingest.write`, and `aoc.guard` with correlation IDs shared across workers. +- **Logs**: structured entries must include `tenant`, `source.vendor`, `upstream.upstream_id`, `content_hash`, and `violation_code` when applicable. +- **Dashboards**: DevOps should add panels for violation counts, signature failures, supersedes growth, and CLI verifier outcomes for each tenant. + +## 10. Security and Tenancy Checklist + +- Enforce Authority scopes (`advisory:ingest`, `vex:ingest`, `advisory:read`, `vex:read`) and require tenant claims on every request. +- Maintain pinned trust stores for signature verification; capture verification result in metrics and logs. +- Ensure collectors never log secrets or raw authentication headers; redact tokens before persistence. +- Validate that Policy Engine remains the only identity with permission to write `effective_finding_*` documents. +- Verify offline bundles include the raw collections, guard configuration, and verifier binaries so air-gapped installs can audit parity. 
+- Document operator steps for recovering from violations, including rollback to superseded revisions and re-running policy evaluation. + +## 11. Compliance Checklist + +- [ ] Deterministic guard enabled in Concelier and Excititor repositories. +- [ ] Mongo validators deployed for `advisory_raw` and `vex_raw`. +- [ ] Authority scopes and tenant enforcement verified via integration tests. +- [ ] CLI and CI pipelines run `stella aoc verify` against seeded snapshots. +- [ ] Observability feeds (metrics, logs, traces) wired into dashboards with alerts. +- [ ] Offline kit instructions updated to bundle validators and verifier tooling. +- [ ] Security review recorded covering ingestion, tenancy, and rollback procedures. + +--- + +*Last updated: 2025-10-27 (Sprint 19).* diff --git a/docs/moat.md b/docs/moat.md index 01fc91b4..e810b8c2 100644 --- a/docs/moat.md +++ b/docs/moat.md 
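Review bot: the idempotency rule in section 7 omits `tenant` even though the schema makes it required and tenant-scoped. Rule 1 detects duplicates with `content_hash` plus `(source.vendor, upstream.upstream_id)`, yet `advisory_observations._id` is `{tenant}:{source.vendor}:{upstreamId}:{revision}` and section 3 row 8 says tenant is mandatory; as written, a second tenant ingesting the same upstream document is either logged as a no-op under rule 2 or tripped by the unique index behind `ERR_AOC_003`, so the tuple should be `(tenant, source.vendor, upstream.upstream_id, content_hash)`. The same gap is in 4.1, where `_id` is described as "deterministic and tenant-scoped" but the template `advisory_raw:{source}:{upstream_id}:{revision}` carries no tenant component. Two smaller consistency points in the same hunk: section 7 item 5 names `ingestion_write_total{result=ok|noop}` while section 9 names `ingestion_write_total{result=ok|reject}`, so dashboards and the section 11 checklist will disagree on label values unless one set (for example `ok|noop|reject`) is chosen; and the 4.4 table mixes `upstream.upstream_id` / `upstream.document_version` with `upstream.fetchedAt` / `upstream.contentHash` / `source.collectorVersion` although it claims to mirror the `AdvisoryObservation` JSON contract, whereas 4.1 is uniformly snake_case, so confirm which casing the serializer emits and use it throughout.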
@@ -1,430 +1,430 @@ -# StellaOps Moat Track — Spec Outline v0.3 - -**Scope of this doc:** -(1) Deterministic Replayable Scans (SRM), (2) Policy Engine & Lattice UI, (3) Sovereign Readiness (CryptoProfile + RootPack), (4) Attestation Observability Graph (AOG), (5) Procurement‑Grade Trust Statement, (6) Third‑Party Proof Channel, (7) Zastava differential SBOM + AI scheduler. - -Cross‑cutting principles: offline‑first, cryptographic determinism, evidence‑bound decisions, regional crypto compliance, minimal operational friction. - ---- - -## 0) Shared Concepts (applies to all 7) - -* **Artifact identity:** digest-first (OCI image digest, file sha256). -* **Canonicalization:** all structured payloads (SBOM, SRM, Trust Statement JSON, VEX) are normalized via Canonical JSON (RFC‑8785‑like) prior to hashing/signing. -* **Signatures:** DSSE envelopes; **dual‑signing** supported (e.g., FIPS ECDSA + GOST R 34.10; or ECDSA + SM2). -* **Attestation chain:** each decision (scan, VEX merge, policy evaluation) yields a signed, replayable record. -* **Profiles & Packs:** **CryptoProfile** (algorithm + root policy) and **RootPack** (trust anchors + OCSP/CRL/TSA mirrors) are versioned and importable. -* **Policy Unit Tests:** any policy/lattice bundle ships with fixtures expected to pass during CI. - ---- - -## 1) Deterministic Replayable Scans — SRM - -### Objective - -Make every scan a **provable, re‑executable fact**. Auditors can replay; results are bit‑for‑bit reproducible. 
- -### Deliverables - -* **SRM v0.1** schema (YAML/JSON) -* Deterministic executor + `stella replay` -* Replay diffing and result hashing - -### SRM (Stella Replay Manifest) — schema (abridged) - -```yaml -apiVersion: srm.stellaops.dev/v0.1 -scan: - id: uuid - timestamp: ISO8601 - engine: { name: "stella-scan", version: "1.7.3", build_sha: "" } -environment: - os_image: - kernel: { uname: "...", cgroups: "v2" } - cpu_features: [avx2, sse4.2] -inputs: - image: { name: "reg/app:1.9.2", digest: "", layers: ["", ...] } - sbom: { type: "cyclonedx@1.5", digest: "" } - vex_set: [{ type: "openvex", digest: "" }] - lattice_policy: { id: "corp-policy@2025-08-15", digest: "" } -rules_and_feeds: - rulesets: [{ name: "vuln-core", version: "2025.08.30", digest: "" }] - feeds: - - { name: "nvd", snapshot_date: "2025-08-30", archive_digest: "" } -execution: - mode: deterministic - random_seed: 314159 - ordering: lexical - heuristics: { binary_scan: true, secrets: false } -evidence: - files_hashed: 12873 - samples: [{ path: "/usr/lib/libssl.so.3", sha256: "" }] -outputs: - report_digest: "" # canonical JSON root hash - artifacts: - - { name: "findings.json", sha256: "" } -signatures: - - { scheme: "DSSE", CryptoProfile: "FIPS-140-3", signer: "build-ca@corp" } - - { scheme: "DSSE", CryptoProfile: "GOST-2012", signer: "ru-ca@corp" } -rekor: { entries: ["", ...] } # optional (offline allowed) -``` - -### CLI & API - -* `stella scan --image reg/app@sha256:... --srm-out srm.yaml --findings findings.json` -* `stella replay srm.yaml --out replay.json --assert-digest ` -* `POST /v1/srm/replay` → returns `ok`, `replay_report_digest`, `diff` (if any). - -### Determinism Rules - -* Single thread or ordered parallel with stable scheduling; sorted inputs; fixed random seed; pinned rules/feeds/policies from SRM; identical canonicalization routines. - -### Acceptance Criteria - -* Replaying SRM on a different host returns identical `report_digest`. 
-* If any feed archive differs by 1 bit, replay fails with a precise diff. -* SRM size ≤ 25 MB for a typical microservice image (excludes large feed archives, which may be referenced by digest and bundled as a side‑car tar). - ---- - -## 2) Policy Engine & Lattice UI - -### Objective - -Turn VEX merging and severity logic into **programmable, testable algebra** with explainability. - -### Model - -* **Domain:** partial order over vulnerability states: - `unknown < under_investigation < affected || not_affected < fixed`. - Cross‑product with *scope*: `{runtime_path, build_path, optional_path}` and *confidence*: `{low, med, high}`. -* **Merge semantics:** monotonic lattice joins; conflict resolution rules prioritized by signed source trust and policy precedence. - -### DSL (sketch) - -```hocon -policy "corp-runtime" version "2025.08.15" { - sources { - trust_order = ["vendor:redhat", "internal:appsec", "public:nvd"] - require_signatures = true - } - - rules { - when vex.statement == "not_affected" - and evidence.entrypoint_exposes == false - then state := not_affected with confidence := high; - - when package.is_dev_dependency == true - then scope := optional_path; - - when cvss >= 9.0 and reachable == true - then priority := "block"; - } - - guards { - forbid unsigned_sources; - forbid downgrade_of_state_below previous_state; - } -} -``` - -### UI (“Trust Algebra Studio”) - -* Drag‑and‑drop rule blocks, precedence editor, **simulation mode** on sample SBOM/VEX; **policy unit tests**. -* Export **signed** `.lattice.json`; importable into CI. - -### CLI & API - -* `stella policy lint corp-runtime.lattice.json` -* `stella policy test --fixtures fixtures/` -* `POST /v1/policy/evaluate` → normalized decision + proof trail. - -### Acceptance Criteria - -* Given same inputs, policy evaluation yields identical decision + proof trail hash. -* UI can round‑trip DSL ⇄ JSON with no semantic drift. -* Policy pack signature required to run in “enforced” mode. 
- ---- - -## 3) Sovereign Readiness — CryptoProfile + RootPack - -### Objective - -**Drop‑in regional cryptography** (Russia/China/EU/US) with offline operation. - -### CryptoProfile (attached to every signature/attestation) - -```json -{ - "id": "GOST-2012@v1", - "algorithms": {"sign":"GOST R 34.10-2012","hash":"GOST R 34.11-2012","cipher":"GOST 34.12-2015"}, - "key_policy": {"curve":"id-tc26-gost-3410-2012-256","hsm_required": true}, - "time_stamping": {"tsa": "rootpack://ru/tsa1"}, - "roots": ["rootpack://ru/trustanchors/gost-ca1"] -} -``` - -### RootPack - -* Tarball containing: trust anchors, intermediate CAs, OCSP/CRL snapshots, TSA profiles, policy constraints (e.g., no cross‑sign with foreign roots), and region metadata. -* Installed via: `stella rootpack import rootpack_ru_v1.tar.gz`. - -### Dual‑Signing & Guardrails - -* Policy flags like `allow_dual_signing FIPS+GOST`, `forbid_sm2_for_us_exports` (example only). -* Enforcement happens at signing time and verification time. - -### Acceptance Criteria - -* Offline verification using RootPack succeeds; online OCSP disabled per policy. -* Mis‑profiled signatures are rejected with explicit reason codes. -* Dual‑signed DSSE verifies under both profiles when allowed. - ---- - -## 4) Attestation Observability Graph (AOG) - -### Objective - -Make trust **observable**. Expose SLIs/SLOs for cryptographic posture & policy compliance. - -### Data Model - -* Nodes: `{artifact, sbom, policy, vex, srm, signature, rootpack, runtime_instance}` -* Edges: `derived_from`, `signed_by`, `evaluated_by`, `replayed_by`, `runs_as` - -### Metrics (OpenTelemetry/Prometheus) - -* `stella_trust_sli{service,env}` = fraction of running pods whose image has a valid SRM‑backed attestation chain under the active policy. -* `stella_attestation_latency_seconds` (P50/P95) from build to verified‑ready. -* `stella_policy_drift_events_total` (increment when running policy != signed policy). -* `stella_exception_without_proof_total` (must be 0). 
-* `stella_replay_success_ratio` (per week). - -**SLO Example** - -* **Trust SLO ≥ 99.9%** measured hourly; error budget resets monthly. - -### Interfaces - -* `stella aog export --format otlp` -* `GET /v1/aog/graph?artifactDigest=...` → subgraph JSON (with signed edge proofs). -* Grafana dashboards (packaged). - -### Acceptance Criteria - -* AOG can reconstruct the full trust lineage for any running pod in ≤ 2s (p95) on a 1k‑service cluster. -* Metrics cardinality bounded (service/env/policy only). - ---- - -## 5) Procurement‑Grade “Trust Statement” - -### Objective - -One **board‑ready** artifact that unifies security posture across vendors; machine‑readable twin for ERP/GRC. - -### Outputs - -* **PDF** (human): signed, watermark, controlled fields for vendor name/version/date, summary graphs, SLOs, exceptions with PCE (proof‑carrying exceptions). -* **JSON** (machine): normalized schema below; DSSE‑signed; includes SRM and policy references. - -```json -{ - "schema": "trust-statement.stellaops.dev/v1", - "vendor": {"name": "Acme","product":"Payments API","version":"1.9.2"}, - "build": {"image_digest":"sha256:...","srm_digest":"sha256:..."}, - "policy": {"id":"corp-runtime@2025-08-15","digest":"sha256:..."}, - "summary": { - "trust_sli": 0.9992, - "exceptions": 1, - "open_findings": {"critical":0,"high":2,"medium":4,"low":12} - }, - "exceptions": [{ - "id":"EXC-2025-0912", - "reason":"not_affected-via-vex", - "proof_digest":"sha256:...", - "expiry":"2026-01-15" - }], - "signatures": [{ "CryptoProfile":"FIPS-140-3" }] -} -``` - -### Integrations - -* Push connectors: **SAP Ariba, ServiceNow, Archer, Jira** (webhooks or SFTP in offline flows). -* CLI: `stella trust-statement generate --srm srm.yaml --policy corp-runtime.lattice.json --out acme-1.9.2.trust.json --pdf`. - -### Acceptance Criteria - -* JSON validates against schema; PDF and JSON hashes match the DSSE statement. -* ERP ingest POC: Ariba/ServiceNow field mapping validated. 
- ---- - -## 6) Third‑Party Proof Channel - -### Objective - -Create a **publisher ecosystem** for upstream proofs: SBOM, VEX, and **VDR (Vulnerability Derivation Reason)**. - -### Publisher Model - -* **Identity:** publishers obtain a **Publisher Certificate** (could be verified via RootPack‑anchored CA or cross‑signed). -* **Submission:** `stella ledger publish --type {sbom|vex|vdr} --artifact --file proof.json --sign`. -* **Moderation & Revocation:** CRL‑like **Proof Revocation List (PRL)** with signed reasons. - -### VDR (schema sketch) - -```json -{ - "schema":"vdr.stellaops.dev/v1", - "artifact":"sha256:...", - "cve":"CVE-2025-12345", - "claim":"not_affected", - "method":"entrypoint_unreachable|abi_mismatch|dead_code", - "evidence_refs":[{"type":"symbol_map","digest":"sha256:..."}], - "publisher":"redhat://rhel", - "signatures":[...] -} -``` - -### Consumption - -* Policies can **prioritize** publisher channels by trust level. -* AOG shows which proofs originated from which publishers. - -### Acceptance Criteria - -* At least one upstream (e.g., base image vendor) can publish and your policy can consume & rank it. -* PRL revokes a proof and AOG reflects the change within 5 minutes. - ---- - -## 7) Zastava — differential SBOM + AI enrichment scheduler - -### Objective - -Produce **entrypoint‑aware differential SBOMs** and continually **re‑enrich** new/old SBOMs with AI context and exposure‑aware prioritization. - -### Concepts - -* **dSBOM:** SBOM that reflects effective dependency set for a specific `ENTRYPOINT/CMD` and runtime flags (e.g., `--server.urls`, `DOTNET_...`). -* **Scheduler:** rescans **old SBOMs** when: (a) new CVE feeds arrive, (b) new VEX/VDR appear, (c) policy changes, or (d) AI models learn new exploitability signals. - -### Pipeline - -1. **Static slice:** infer reachable packages from entrypoint (e.g., `.NET Kestrel` vs CLI tool). -2. 
**Runtime slice (optional):** collect process tree, open sockets, and imported modules at startup in a **shadow run** or mirrored traffic. -3. **Diff:** `dSBOM = SBOM ∩ (static_reachable ∪ runtime_observed)`. -4. **AI Enrichment:** Zastava annotates each finding with *context weights* (exposed/not exposed, network scope, RBAC, secrets proximity). -5. **Plan:** produce PRs (Dockerfile base bump, package pin, k8s Service change). -6. **Scheduler:** - - * `stella zastava schedule --query 'service=payments AND env=prod' --interval 6h` - * Triggers re‑evaluation and emits updated SRM + Trust deltas. - -### dSBOM format (addon) - -```json -{ - "schema":"cyclonedx+stella-diff@1.0", - "base_sbom":"sha256:...", - "entrypoint": ["/app/bin/Release/net8.0/app.dll"], - "cmd": ["--urls","http://127.0.0.1:8080"], - "static_reachable": ["pkg:nuget/Kestrel@*", "pkg:nuget/System.Data@*"], - "runtime_observed": ["pkg:rpm/openssl@3.0.9"], - "excluded_paths": ["/usr/share/docs/**"], - "digest":"sha256:..." -} -``` - -### Kestrel example (priority logic) - -* If Kestrel present but Service is `ClusterIP` and no Ingress, **deprioritize**; if `LoadBalancer`/`NodePort` with 0‑RTT TLS disabled, **prioritize**. -* Zastava produces an **explainable card**: “Priority lowered due to non‑exposed runtime path; evidence: `kubectl get svc`, `netstat`, policy rule #42.” - -### Acceptance Criteria - -* Changing `ENTRYPOINT` produces a different, signed dSBOM and updated priorities. -* Scheduler updates stale SBOMs and issues signed deltas without network access (when RootPacks + feed mirrors are available). - ---- - -## Cross‑Cutting Security & Compliance - -* **Sanctions & Guardrails:** per‑profile constraints (e.g., forbid dual‑signing across certain jurisdictions). Policy‑enforced at sign/verify time. -* **HSM Integrations:** PKCS#11 providers for each profile (FIPS, GOST, SM2). 
-* **Data handling:** SRMs and Trust Statements may contain paths and hashes; optional redaction profiles for vendor sharing. - ---- - -## Interfaces Summary (CLI) - -```bash -# Scans / Replay -stella scan --image --srm-out srm.yaml -stella replay srm.yaml --assert-digest - -# Policy & Lattice -stella policy lint corp.lattice.json -stella policy test --fixtures fixtures/ -stella policy sign --profile FIPS-140-3 - -# Crypto Sovereign -stella rootpack import rootpack_ru_v1.tar.gz -stella attest sign --profile GOST-2012 --in srm.yaml -stella attest verify --profiles GOST-2012,FIPS-140-3 - -# AOG -stella aog export --format otlp -stella aog graph --artifact - -# Trust Statement -stella trust-statement generate --srm srm.yaml --policy corp.lattice.json --pdf out.pdf --json out.json - -# Third-Party Proof Channel -stella ledger publish --type vdr --artifact --file vdr.json --sign -stella ledger revoke --id --reason "superseded" - -# Zastava -stella zastava diff-sbom --image --entrypoint "" --out dsbom.json -stella zastava enrich --sbom dsbom.json --findings findings.json -stella zastava schedule --query 'env=prod' --interval 6h -``` - ---- - -## Success Metrics (per pillar) - -* **SRM:** ≥ 99% of production images have SRM attached; **Replay Success Ratio** ≥ 0.99 weekly. -* **Policy/Lattice:** 100% of exceptions carry proof; policy test coverage ≥ 90% on top CVE classes. -* **Sovereign:** RootPacks for RU/CN/EU/US verified; dual‑signing working in CI; offline verification median < 200 ms. -* **AOG:** Trust SLO ≥ 99.9%; lineage lookup p95 ≤ 2s. -* **Trust Statement:** Accepted by at least one ERP (pilot); generation time ≤ 15s. -* **Third‑Party Channel:** ≥ 3 upstream publishers integrated; PRL revocations flow to AOG within 5 minutes. -* **Zastava:** dSBOM reduces non‑reachable high/critical findings by ≥ 35% without raising exposure incidents. 
- ---- - -## Risks & Mitigations - -* **Crypto complexity:** profile misuse → strict guardrails + default safe profiles, strong linting. -* **Cardinality/telemetry blow‑ups:** AOG label hygiene + sampling. -* **Vendor adoption (Proof Channel):** seed with your own base images and internal frameworks; provide SDKs and reference publishers. -* **Determinism regressions:** CI runs replay tests on golden SRMs; any drift fails the build. - ---- - -## 90‑Day Moat‑First Milestones - -1. **SRM v0.1**: schema, deterministic executor, CLI replay, golden tests. -2. **Policy Engine MVP**: DSL + evaluator + UI simulation; policy unit tests; signed policy packs. -3. **CryptoProfile/RootPack MVP**: FIPS + GOST working; dual‑signing; offline verify. -4. **AOG MVP**: lineage service + OTLP exporter + Grafana pack; Trust SLI. -5. **Trust Statement MVP**: JSON + PDF; ServiceNow ingest POC. -6. **Proof Channel alpha**: publisher identity + VDR schema + local ledger; PRL. -7. **Zastava α**: `diff-sbom` + exposure heuristics for `.NET Kestrel`; scheduler with offline mirrors. - ---- +# StellaOps Moat Track — Spec Outline v0.3 + +**Scope of this doc:** +(1) Deterministic Replayable Scans (SRM), (2) Policy Engine & Lattice UI, (3) Sovereign Readiness (CryptoProfile + RootPack), (4) Attestation Observability Graph (AOG), (5) Procurement‑Grade Trust Statement, (6) Third‑Party Proof Channel, (7) Zastava differential SBOM + AI scheduler. + +Cross‑cutting principles: offline‑first, cryptographic determinism, evidence‑bound decisions, regional crypto compliance, minimal operational friction. + +--- + +## 0) Shared Concepts (applies to all 7) + +* **Artifact identity:** digest-first (OCI image digest, file sha256). +* **Canonicalization:** all structured payloads (SBOM, SRM, Trust Statement JSON, VEX) are normalized via Canonical JSON (RFC‑8785‑like) prior to hashing/signing. +* **Signatures:** DSSE envelopes; **dual‑signing** supported (e.g., FIPS ECDSA + GOST R 34.10; or ECDSA + SM2). 
+* **Attestation chain:** each decision (scan, VEX merge, policy evaluation) yields a signed, replayable record. +* **Profiles & Packs:** **CryptoProfile** (algorithm + root policy) and **RootPack** (trust anchors + OCSP/CRL/TSA mirrors) are versioned and importable. +* **Policy Unit Tests:** any policy/lattice bundle ships with fixtures expected to pass during CI. + +--- + +## 1) Deterministic Replayable Scans — SRM + +### Objective + +Make every scan a **provable, re‑executable fact**. Auditors can replay; results are bit‑for‑bit reproducible. + +### Deliverables + +* **SRM v0.1** schema (YAML/JSON) +* Deterministic executor + `stella replay` +* Replay diffing and result hashing + +### SRM (Stella Replay Manifest) — schema (abridged) + +```yaml +apiVersion: srm.stellaops.dev/v0.1 +scan: + id: uuid + timestamp: ISO8601 + engine: { name: "stella-scan", version: "1.7.3", build_sha: "" } +environment: + os_image: + kernel: { uname: "...", cgroups: "v2" } + cpu_features: [avx2, sse4.2] +inputs: + image: { name: "reg/app:1.9.2", digest: "", layers: ["", ...] } + sbom: { type: "cyclonedx@1.5", digest: "" } + vex_set: [{ type: "openvex", digest: "" }] + lattice_policy: { id: "corp-policy@2025-08-15", digest: "" } +rules_and_feeds: + rulesets: [{ name: "vuln-core", version: "2025.08.30", digest: "" }] + feeds: + - { name: "nvd", snapshot_date: "2025-08-30", archive_digest: "" } +execution: + mode: deterministic + random_seed: 314159 + ordering: lexical + heuristics: { binary_scan: true, secrets: false } +evidence: + files_hashed: 12873 + samples: [{ path: "/usr/lib/libssl.so.3", sha256: "" }] +outputs: + report_digest: "" # canonical JSON root hash + artifacts: + - { name: "findings.json", sha256: "" } +signatures: + - { scheme: "DSSE", CryptoProfile: "FIPS-140-3", signer: "build-ca@corp" } + - { scheme: "DSSE", CryptoProfile: "GOST-2012", signer: "ru-ca@corp" } +rekor: { entries: ["", ...] 
} # optional (offline allowed) +``` + +### CLI & API + +* `stella scan --image reg/app@sha256:... --srm-out srm.yaml --findings findings.json` +* `stella replay srm.yaml --out replay.json --assert-digest ` +* `POST /v1/srm/replay` → returns `ok`, `replay_report_digest`, `diff` (if any). + +### Determinism Rules + +* Single thread or ordered parallel with stable scheduling; sorted inputs; fixed random seed; pinned rules/feeds/policies from SRM; identical canonicalization routines. + +### Acceptance Criteria + +* Replaying SRM on a different host returns identical `report_digest`. +* If any feed archive differs by 1 bit, replay fails with a precise diff. +* SRM size ≤ 25 MB for a typical microservice image (excludes large feed archives, which may be referenced by digest and bundled as a side‑car tar). + +--- + +## 2) Policy Engine & Lattice UI + +### Objective + +Turn VEX merging and severity logic into **programmable, testable algebra** with explainability. + +### Model + +* **Domain:** partial order over vulnerability states: + `unknown < under_investigation < affected || not_affected < fixed`. + Cross‑product with *scope*: `{runtime_path, build_path, optional_path}` and *confidence*: `{low, med, high}`. +* **Merge semantics:** monotonic lattice joins; conflict resolution rules prioritized by signed source trust and policy precedence. 
+ +### DSL (sketch) + +```hocon +policy "corp-runtime" version "2025.08.15" { + sources { + trust_order = ["vendor:redhat", "internal:appsec", "public:nvd"] + require_signatures = true + } + + rules { + when vex.statement == "not_affected" + and evidence.entrypoint_exposes == false + then state := not_affected with confidence := high; + + when package.is_dev_dependency == true + then scope := optional_path; + + when cvss >= 9.0 and reachable == true + then priority := "block"; + } + + guards { + forbid unsigned_sources; + forbid downgrade_of_state_below previous_state; + } +} +``` + +### UI (“Trust Algebra Studio”) + +* Drag‑and‑drop rule blocks, precedence editor, **simulation mode** on sample SBOM/VEX; **policy unit tests**. +* Export **signed** `.lattice.json`; importable into CI. + +### CLI & API + +* `stella policy lint corp-runtime.lattice.json` +* `stella policy test --fixtures fixtures/` +* `POST /v1/policy/evaluate` → normalized decision + proof trail. + +### Acceptance Criteria + +* Given same inputs, policy evaluation yields identical decision + proof trail hash. +* UI can round‑trip DSL ⇄ JSON with no semantic drift. +* Policy pack signature required to run in “enforced” mode. + +--- + +## 3) Sovereign Readiness — CryptoProfile + RootPack + +### Objective + +**Drop‑in regional cryptography** (Russia/China/EU/US) with offline operation. + +### CryptoProfile (attached to every signature/attestation) + +```json +{ + "id": "GOST-2012@v1", + "algorithms": {"sign":"GOST R 34.10-2012","hash":"GOST R 34.11-2012","cipher":"GOST 34.12-2015"}, + "key_policy": {"curve":"id-tc26-gost-3410-2012-256","hsm_required": true}, + "time_stamping": {"tsa": "rootpack://ru/tsa1"}, + "roots": ["rootpack://ru/trustanchors/gost-ca1"] +} +``` + +### RootPack + +* Tarball containing: trust anchors, intermediate CAs, OCSP/CRL snapshots, TSA profiles, policy constraints (e.g., no cross‑sign with foreign roots), and region metadata. 
+* Installed via: `stella rootpack import rootpack_ru_v1.tar.gz`. + +### Dual‑Signing & Guardrails + +* Policy flags like `allow_dual_signing FIPS+GOST`, `forbid_sm2_for_us_exports` (example only). +* Enforcement happens at signing time and verification time. + +### Acceptance Criteria + +* Offline verification using RootPack succeeds; online OCSP disabled per policy. +* Mis‑profiled signatures are rejected with explicit reason codes. +* Dual‑signed DSSE verifies under both profiles when allowed. + +--- + +## 4) Attestation Observability Graph (AOG) + +### Objective + +Make trust **observable**. Expose SLIs/SLOs for cryptographic posture & policy compliance. + +### Data Model + +* Nodes: `{artifact, sbom, policy, vex, srm, signature, rootpack, runtime_instance}` +* Edges: `derived_from`, `signed_by`, `evaluated_by`, `replayed_by`, `runs_as` + +### Metrics (OpenTelemetry/Prometheus) + +* `stella_trust_sli{service,env}` = fraction of running pods whose image has a valid SRM‑backed attestation chain under the active policy. +* `stella_attestation_latency_seconds` (P50/P95) from build to verified‑ready. +* `stella_policy_drift_events_total` (increment when running policy != signed policy). +* `stella_exception_without_proof_total` (must be 0). +* `stella_replay_success_ratio` (per week). + +**SLO Example** + +* **Trust SLO ≥ 99.9%** measured hourly; error budget resets monthly. + +### Interfaces + +* `stella aog export --format otlp` +* `GET /v1/aog/graph?artifactDigest=...` → subgraph JSON (with signed edge proofs). +* Grafana dashboards (packaged). + +### Acceptance Criteria + +* AOG can reconstruct the full trust lineage for any running pod in ≤ 2s (p95) on a 1k‑service cluster. +* Metrics cardinality bounded (service/env/policy only). + +--- + +## 5) Procurement‑Grade “Trust Statement” + +### Objective + +One **board‑ready** artifact that unifies security posture across vendors; machine‑readable twin for ERP/GRC. 
+ +### Outputs + +* **PDF** (human): signed, watermark, controlled fields for vendor name/version/date, summary graphs, SLOs, exceptions with PCE (proof‑carrying exceptions). +* **JSON** (machine): normalized schema below; DSSE‑signed; includes SRM and policy references. + +```json +{ + "schema": "trust-statement.stellaops.dev/v1", + "vendor": {"name": "Acme","product":"Payments API","version":"1.9.2"}, + "build": {"image_digest":"sha256:...","srm_digest":"sha256:..."}, + "policy": {"id":"corp-runtime@2025-08-15","digest":"sha256:..."}, + "summary": { + "trust_sli": 0.9992, + "exceptions": 1, + "open_findings": {"critical":0,"high":2,"medium":4,"low":12} + }, + "exceptions": [{ + "id":"EXC-2025-0912", + "reason":"not_affected-via-vex", + "proof_digest":"sha256:...", + "expiry":"2026-01-15" + }], + "signatures": [{ "CryptoProfile":"FIPS-140-3" }] +} +``` + +### Integrations + +* Push connectors: **SAP Ariba, ServiceNow, Archer, Jira** (webhooks or SFTP in offline flows). +* CLI: `stella trust-statement generate --srm srm.yaml --policy corp-runtime.lattice.json --out acme-1.9.2.trust.json --pdf`. + +### Acceptance Criteria + +* JSON validates against schema; PDF and JSON hashes match the DSSE statement. +* ERP ingest POC: Ariba/ServiceNow field mapping validated. + +--- + +## 6) Third‑Party Proof Channel + +### Objective + +Create a **publisher ecosystem** for upstream proofs: SBOM, VEX, and **VDR (Vulnerability Derivation Reason)**. + +### Publisher Model + +* **Identity:** publishers obtain a **Publisher Certificate** (could be verified via RootPack‑anchored CA or cross‑signed). +* **Submission:** `stella ledger publish --type {sbom|vex|vdr} --artifact --file proof.json --sign`. +* **Moderation & Revocation:** CRL‑like **Proof Revocation List (PRL)** with signed reasons. 
+ +### VDR (schema sketch) + +```json +{ + "schema":"vdr.stellaops.dev/v1", + "artifact":"sha256:...", + "cve":"CVE-2025-12345", + "claim":"not_affected", + "method":"entrypoint_unreachable|abi_mismatch|dead_code", + "evidence_refs":[{"type":"symbol_map","digest":"sha256:..."}], + "publisher":"redhat://rhel", + "signatures":[...] +} +``` + +### Consumption + +* Policies can **prioritize** publisher channels by trust level. +* AOG shows which proofs originated from which publishers. + +### Acceptance Criteria + +* At least one upstream (e.g., base image vendor) can publish and your policy can consume & rank it. +* PRL revokes a proof and AOG reflects the change within 5 minutes. + +--- + +## 7) Zastava — differential SBOM + AI enrichment scheduler + +### Objective + +Produce **entrypoint‑aware differential SBOMs** and continually **re‑enrich** new/old SBOMs with AI context and exposure‑aware prioritization. + +### Concepts + +* **dSBOM:** SBOM that reflects effective dependency set for a specific `ENTRYPOINT/CMD` and runtime flags (e.g., `--server.urls`, `DOTNET_...`). +* **Scheduler:** rescans **old SBOMs** when: (a) new CVE feeds arrive, (b) new VEX/VDR appear, (c) policy changes, or (d) AI models learn new exploitability signals. + +### Pipeline + +1. **Static slice:** infer reachable packages from entrypoint (e.g., `.NET Kestrel` vs CLI tool). +2. **Runtime slice (optional):** collect process tree, open sockets, and imported modules at startup in a **shadow run** or mirrored traffic. +3. **Diff:** `dSBOM = SBOM ∩ (static_reachable ∪ runtime_observed)`. +4. **AI Enrichment:** Zastava annotates each finding with *context weights* (exposed/not exposed, network scope, RBAC, secrets proximity). +5. **Plan:** produce PRs (Dockerfile base bump, package pin, k8s Service change). +6. **Scheduler:** + + * `stella zastava schedule --query 'service=payments AND env=prod' --interval 6h` + * Triggers re‑evaluation and emits updated SRM + Trust deltas. 
+ +### dSBOM format (addon) + +```json +{ + "schema":"cyclonedx+stella-diff@1.0", + "base_sbom":"sha256:...", + "entrypoint": ["/app/bin/Release/net8.0/app.dll"], + "cmd": ["--urls","http://127.0.0.1:8080"], + "static_reachable": ["pkg:nuget/Kestrel@*", "pkg:nuget/System.Data@*"], + "runtime_observed": ["pkg:rpm/openssl@3.0.9"], + "excluded_paths": ["/usr/share/docs/**"], + "digest":"sha256:..." +} +``` + +### Kestrel example (priority logic) + +* If Kestrel present but Service is `ClusterIP` and no Ingress, **deprioritize**; if `LoadBalancer`/`NodePort` with 0‑RTT TLS disabled, **prioritize**. +* Zastava produces an **explainable card**: “Priority lowered due to non‑exposed runtime path; evidence: `kubectl get svc`, `netstat`, policy rule #42.” + +### Acceptance Criteria + +* Changing `ENTRYPOINT` produces a different, signed dSBOM and updated priorities. +* Scheduler updates stale SBOMs and issues signed deltas without network access (when RootPacks + feed mirrors are available). + +--- + +## Cross‑Cutting Security & Compliance + +* **Sanctions & Guardrails:** per‑profile constraints (e.g., forbid dual‑signing across certain jurisdictions). Policy‑enforced at sign/verify time. +* **HSM Integrations:** PKCS#11 providers for each profile (FIPS, GOST, SM2). +* **Data handling:** SRMs and Trust Statements may contain paths and hashes; optional redaction profiles for vendor sharing. 
+ +--- + +## Interfaces Summary (CLI) + +```bash +# Scans / Replay +stella scan --image --srm-out srm.yaml +stella replay srm.yaml --assert-digest + +# Policy & Lattice +stella policy lint corp.lattice.json +stella policy test --fixtures fixtures/ +stella policy sign --profile FIPS-140-3 + +# Crypto Sovereign +stella rootpack import rootpack_ru_v1.tar.gz +stella attest sign --profile GOST-2012 --in srm.yaml +stella attest verify --profiles GOST-2012,FIPS-140-3 + +# AOG +stella aog export --format otlp +stella aog graph --artifact + +# Trust Statement +stella trust-statement generate --srm srm.yaml --policy corp.lattice.json --pdf out.pdf --json out.json + +# Third-Party Proof Channel +stella ledger publish --type vdr --artifact --file vdr.json --sign +stella ledger revoke --id --reason "superseded" + +# Zastava +stella zastava diff-sbom --image --entrypoint "" --out dsbom.json +stella zastava enrich --sbom dsbom.json --findings findings.json +stella zastava schedule --query 'env=prod' --interval 6h +``` + +--- + +## Success Metrics (per pillar) + +* **SRM:** ≥ 99% of production images have SRM attached; **Replay Success Ratio** ≥ 0.99 weekly. +* **Policy/Lattice:** 100% of exceptions carry proof; policy test coverage ≥ 90% on top CVE classes. +* **Sovereign:** RootPacks for RU/CN/EU/US verified; dual‑signing working in CI; offline verification median < 200 ms. +* **AOG:** Trust SLO ≥ 99.9%; lineage lookup p95 ≤ 2s. +* **Trust Statement:** Accepted by at least one ERP (pilot); generation time ≤ 15s. +* **Third‑Party Channel:** ≥ 3 upstream publishers integrated; PRL revocations flow to AOG within 5 minutes. +* **Zastava:** dSBOM reduces non‑reachable high/critical findings by ≥ 35% without raising exposure incidents. + +--- + +## Risks & Mitigations + +* **Crypto complexity:** profile misuse → strict guardrails + default safe profiles, strong linting. +* **Cardinality/telemetry blow‑ups:** AOG label hygiene + sampling. 
+* **Vendor adoption (Proof Channel):** seed with your own base images and internal frameworks; provide SDKs and reference publishers. +* **Determinism regressions:** CI runs replay tests on golden SRMs; any drift fails the build. + +--- + +## 90‑Day Moat‑First Milestones + +1. **SRM v0.1**: schema, deterministic executor, CLI replay, golden tests. +2. **Policy Engine MVP**: DSL + evaluator + UI simulation; policy unit tests; signed policy packs. +3. **CryptoProfile/RootPack MVP**: FIPS + GOST working; dual‑signing; offline verify. +4. **AOG MVP**: lineage service + OTLP exporter + Grafana pack; Trust SLI. +5. **Trust Statement MVP**: JSON + PDF; ServiceNow ingest POC. +6. **Proof Channel alpha**: publisher identity + VDR schema + local ledger; PRL. +7. **Zastava α**: `diff-sbom` + exposure heuristics for `.NET Kestrel`; scheduler with offline mirrors. + +--- diff --git a/docs/modules/advisory-ai/AGENTS.md b/docs/modules/advisory-ai/AGENTS.md index dcece288..1885c2b8 100644 --- a/docs/modules/advisory-ai/AGENTS.md +++ b/docs/modules/advisory-ai/AGENTS.md 
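Review bot: in the Interfaces Summary block several flags are left without a value, e.g. `stella scan --image --srm-out srm.yaml`, `stella ledger revoke --id --reason "superseded"` and `stella zastava diff-sbom --image --entrypoint "" --out dsbom.json`; write the placeholders out (for instance `--image IMAGE_REF`, `--id PROOF_ID`) so the examples are copy-pasteable and `--entrypoint ""` does not read as a deliberately empty entrypoint. The same block names the policy file `corp.lattice.json` while section 2 and the Trust Statement CLI use `corp-runtime.lattice.json`, and `stella attest sign --profile GOST-2012` does not match the CryptoProfile id `GOST-2012@v1`; align the identifiers across sections. Two smaller points: the Trust Statement sample's `signatures` entry carries only `"CryptoProfile":"FIPS-140-3"` although the text says the JSON is DSSE-signed, so show at least a key id and a signature or envelope reference there, and the CryptoProfile `cipher` value `GOST 34.12-2015` lacks the `GOST R` prefix used for the sign and hash entries (the block-cipher standard is GOST R 34.12-2015). Also the DSL sketch is fenced as `hocon`, but its `when ... then ... :=` grammar is not HOCON, so use a neutral fence tag to avoid misleading highlighters.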
@@ -1,22 +1,22 @@ -# Advisory AI agent guide - -## Mission -Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. -3. Check ./TASKS.md and update status before/after work. -4. Read README/architecture for design context and update as the implementation evolves. - -## Guardrails -- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. -- Preserve determinism and provenance in all derived outputs. -- Document offline/air-gap pathways for any new feature. -- Update telemetry/observability assets alongside feature work. +# Advisory AI agent guide + +## Mission +Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support. +2. Open ../../implplan/SPRINTS.md and locate stories for this component. +3. Check ./TASKS.md and update status before/after work. +4. Read README/architecture for design context and update as the implementation evolves. + +## Guardrails +- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. +- Preserve determinism and provenance in all derived outputs. +- Document offline/air-gap pathways for any new feature. 
+- Update telemetry/observability assets alongside feature work. diff --git a/docs/modules/advisory-ai/README.md b/docs/modules/advisory-ai/README.md index c4b3dcda..09521d9c 100644 --- a/docs/modules/advisory-ai/README.md +++ b/docs/modules/advisory-ai/README.md 
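Review bot: every line of `docs/modules/advisory-ai/AGENTS.md` is deleted and re-added with identical text (`-# Advisory AI agent guide` immediately followed by `+# Advisory AI agent guide`, and so on for the whole file), which indicates a line-ending or trailing-whitespace rewrite rather than a content change, and the same whole-file pattern repeats for every advisory-ai and attestor file in this patch. Confirm with `git diff --ignore-cr-at-eol` that nothing else differs; if CRLF to LF normalisation is the intent, move it to its own commit with a `.gitattributes` rule such as `* text=auto eol=lf`, so that a commit titled "Align AOC tasks for Excititor and Concelier" stays reviewable and `git blame` is not reset for these docs. While the file is touched, the guardrail `Uphold Aggregation-Only Contract boundaries when consuming ingestion data` should link the contract the way attestor's AGENTS.md does (`../../ingestion/aggregation-only-contract.md`).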
@@ -1,29 +1,29 @@ -# StellaOps Advisory AI - -Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. - -## Responsibilities -- Generate policy-aware advisory summaries with citations back to Conseiller and Excititor evidence. -- Explain conflicting advisories/VEX statements using weights from VEX Lens and Policy Engine. -- Propose remediation hints aligned with Offline Kit staging and export bundles. -- Expose API/UI surfaces with guardrails on model prompts, outputs, and retention. - -## Key components -- RAG pipeline drawing from Conseiller, Excititor, VEX Lens, Policy Engine, and SBOM Service data. -- Prompt templates and guard models enforcing provenance and redaction policies. -- Vercel/offline inference workers with deterministic caching of generated artefacts. - -## Integrations & dependencies -- Authority for tenant-aware access control. -- Policy Engine for context-specific decisions and explain traces. -- Console/CLI for interaction surfaces. -- Export Center/Vuln Explorer for embedding generated briefs. - -## Operational notes -- Model cache management and offline bundle packaging per Epic 8 requirements. -- Usage/latency dashboards for prompt/response monitoring. -- Redaction policies validated against security/LLM guardrail tests. - -## Epic alignment -- Epic 8: Advisory AI Assistant. -- DOCS-AI stories to be tracked in ../../TASKS.md. +# StellaOps Advisory AI + +Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. + +## Responsibilities +- Generate policy-aware advisory summaries with citations back to Conseiller and Excititor evidence. +- Explain conflicting advisories/VEX statements using weights from VEX Lens and Policy Engine. 
+- Propose remediation hints aligned with Offline Kit staging and export bundles. +- Expose API/UI surfaces with guardrails on model prompts, outputs, and retention. + +## Key components +- RAG pipeline drawing from Conseiller, Excititor, VEX Lens, Policy Engine, and SBOM Service data. +- Prompt templates and guard models enforcing provenance and redaction policies. +- Vercel/offline inference workers with deterministic caching of generated artefacts. + +## Integrations & dependencies +- Authority for tenant-aware access control. +- Policy Engine for context-specific decisions and explain traces. +- Console/CLI for interaction surfaces. +- Export Center/Vuln Explorer for embedding generated briefs. + +## Operational notes +- Model cache management and offline bundle packaging per Epic 8 requirements. +- Usage/latency dashboards for prompt/response monitoring. +- Redaction policies validated against security/LLM guardrail tests. + +## Epic alignment +- Epic 8: Advisory AI Assistant. +- DOCS-AI stories to be tracked in ../../TASKS.md. diff --git a/docs/modules/advisory-ai/TASKS.md b/docs/modules/advisory-ai/TASKS.md index e3873e52..5633669b 100644 --- a/docs/modules/advisory-ai/TASKS.md +++ b/docs/modules/advisory-ai/TASKS.md 
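Review bot: the module name is spelled `Conseiller` in the Responsibilities and Key components lists (`citations back to Conseiller and Excititor evidence` and `RAG pipeline drawing from Conseiller, Excititor, VEX Lens, ...`) while the commit subject and `architecture.md` in this same patch use `Concelier`; since every line of this README is being rewritten anyway, fix the spelling here. Also `Vercel/offline inference workers` under Key components is unclear: if Vercel is a hosted inference target, name it explicitly and relate it to the `cloud-openai` profile that architecture.md marks as disabled by default; if it is a typo, correct it.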
@@ -1,9 +1,9 @@ -# Task board — Advisory AI - -> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. - -| ID | Status | Owner(s) | Description | Notes | -|----|--------|----------|-------------|-------| -| ADVISORY-AI-DOCS-0001 | TODO | Docs Guild | Ensure ./README.md reflects the latest epic deliverables. | Align with ./AGENTS.md | -| ADVISORY-AI-ENG-0001 | TODO | Module Team | Break down epic milestones into actionable stories. | Sync into ../../TASKS.md | -| ADVISORY-AI-OPS-0001 | TODO | Ops Guild | Prepare runbooks/observability assets once MVP lands. | Document outputs in ./README.md | +# Task board — Advisory AI + +> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. + +| ID | Status | Owner(s) | Description | Notes | +|----|--------|----------|-------------|-------| +| ADVISORY-AI-DOCS-0001 | TODO | Docs Guild | Ensure ./README.md reflects the latest epic deliverables. | Align with ./AGENTS.md | +| ADVISORY-AI-ENG-0001 | TODO | Module Team | Break down epic milestones into actionable stories. | Sync into ../../TASKS.md | +| ADVISORY-AI-OPS-0001 | TODO | Ops Guild | Prepare runbooks/observability assets once MVP lands. | Document outputs in ./README.md | diff --git a/docs/modules/advisory-ai/architecture.md b/docs/modules/advisory-ai/architecture.md index bbaf1d94..1134dee8 100644 --- a/docs/modules/advisory-ai/architecture.md +++ b/docs/modules/advisory-ai/architecture.md 
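Review bot: this task board gains no AOC-related entry even though the commit is titled "Align AOC tasks for Excititor and Concelier" and the module's AGENTS.md guardrails require upholding the Aggregation-Only Contract; either add a task row for the AOC alignment (with the mirror into `../../TASKS.md` that the header asks for) or drop the file from this change, since the hunk otherwise re-adds the three existing rows unchanged (`ADVISORY-AI-DOCS-0001`, `ADVISORY-AI-ENG-0001`, `ADVISORY-AI-OPS-0001`), all still `TODO`.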
@@ -1,100 +1,100 @@ -# Advisory AI architecture - -> Captures the retrieval, guardrail, and inference packaging requirements defined in the Advisory AI implementation plan and related module guides. - -## 1) Goals - -- Summarise advisories/VEX evidence into operator-ready briefs with citations. -- Explain conflicting statements with provenance and trust weights (using VEX Lens & Excititor data). -- Suggest remediation plans aligned with Offline Kit deployment models and scheduler follow-ups. -- Operate deterministically where possible; cache generated artefacts with digests for audit. - -## 2) Pipeline overview - -``` - +---------------------+ - Concelier/VEX Lens | Evidence Retriever | - Policy Engine ----> | (vector + keyword) | ---> Context Pack (JSON) - Zastava runtime +---------------------+ - | - v - +-------------+ - | Prompt | - | Assembler | - +-------------+ - | - v - +-------------+ - | Guarded LLM | - | (local/host)| - +-------------+ - | - v - +-----------------+ - | Citation & | - | Validation | - +-----------------+ - | - v - +----------------+ - | Output cache | - | (hash, bundle) | - +----------------+ -``` - -## 3) Retrieval & context - -- Hybrid search: vector embeddings (SBERT-compatible) + keyword filters for advisory IDs, PURLs, CVEs. -- Context packs include: - - Advisory raw excerpts with highlighted sections and source URLs. - - VEX statements (normalized tuples + trust metadata). - - Policy explain traces for the affected finding. - - Runtime/impact hints from Zastava (exposure, entrypoints). - - Export-ready remediation data (fixed versions, patches). - -All context references include `content_hash` and `source_id` enabling verifiable citations. - -## 4) Guardrails - -- Prompt templates enforce structure: summary, conflicts, remediation, references. -- Response validator ensures: - - No hallucinated advisories (every fact must map to input context). - - Citations follow `[n]` indexing referencing actual sources. 
- - Remediation suggestions only cite policy-approved sources (fixed versions, vendor hotfixes). -- Moderation/PII filters prevent leaking secrets; responses failing validation are rejected and logged. - -## 5) Output persistence - -- Cached artefacts stored in `advisory_ai_outputs` with fields: - - `output_hash` (sha256 of JSON response). - - `input_digest` (hash of context pack). - - `summary`, `conflicts`, `remediation`, `citations`. - - `generated_at`, `model_id`, `profile` (Sovereign/FIPS etc.). - - `signatures` (optional DSSE if run in deterministic mode). -- Offline bundle format contains `summary.md`, `citations.json`, `context_manifest.json`, `signatures/`. - -## 6) Profiles & sovereignty - -- **Profiles:** `default`, `fips-local` (FIPS-compliant local model), `gost-local`, `cloud-openai` (optional, disabled by default). Each profile defines allowed models, key management, and telemetry endpoints. -- **CryptoProfile/RootPack integration:** generated artefacts can be signed using configured CryptoProfile to satisfy procurement/trust requirements. - -## 7) APIs - -- `POST /v1/advisory-ai/summaries` — generate (or retrieve cached) summary for `{advisoryKey, artifactId, policyVersion}`. -- `POST /v1/advisory-ai/conflicts` — explain conflicting VEX statements with trust ranking. -- `POST /v1/advisory-ai/remediation` — fetch remediation plan with target fix versions, prerequisites, verification steps. -- `GET /v1/advisory-ai/outputs/{hash}` — retrieve cached artefact (used by CLI/Console/Export Center). - -All endpoints accept `profile` parameter (default `fips-local`) and return `output_hash`, `input_digest`, and `citations` for verification. - -## 8) Observability - -- Metrics: `advisory_ai_requests_total{profile,type}`, `advisory_ai_latency_seconds`, `advisory_ai_validation_failures_total`. -- Logs: include `output_hash`, `input_digest`, `profile`, `model_id`, `tenant`, `artifacts`. Sensitive context is not logged. 
-- Traces: spans for retrieval, prompt assembly, model inference, validation, cache write. - -## 9) Operational controls - -- Feature flags per tenant (`ai.summary.enabled`, `ai.remediation.enabled`). -- Rate limits (per tenant, per profile) enforced by Orchestrator to prevent runaway usage. -- Offline/air-gapped deployments run local models packaged with Offline Kit; model weights validated via manifest digests. +# Advisory AI architecture + +> Captures the retrieval, guardrail, and inference packaging requirements defined in the Advisory AI implementation plan and related module guides. + +## 1) Goals + +- Summarise advisories/VEX evidence into operator-ready briefs with citations. +- Explain conflicting statements with provenance and trust weights (using VEX Lens & Excititor data). +- Suggest remediation plans aligned with Offline Kit deployment models and scheduler follow-ups. +- Operate deterministically where possible; cache generated artefacts with digests for audit. + +## 2) Pipeline overview + +``` + +---------------------+ + Concelier/VEX Lens | Evidence Retriever | + Policy Engine ----> | (vector + keyword) | ---> Context Pack (JSON) + Zastava runtime +---------------------+ + | + v + +-------------+ + | Prompt | + | Assembler | + +-------------+ + | + v + +-------------+ + | Guarded LLM | + | (local/host)| + +-------------+ + | + v + +-----------------+ + | Citation & | + | Validation | + +-----------------+ + | + v + +----------------+ + | Output cache | + | (hash, bundle) | + +----------------+ +``` + +## 3) Retrieval & context + +- Hybrid search: vector embeddings (SBERT-compatible) + keyword filters for advisory IDs, PURLs, CVEs. +- Context packs include: + - Advisory raw excerpts with highlighted sections and source URLs. + - VEX statements (normalized tuples + trust metadata). + - Policy explain traces for the affected finding. + - Runtime/impact hints from Zastava (exposure, entrypoints). 
+ - Export-ready remediation data (fixed versions, patches). + +All context references include `content_hash` and `source_id` enabling verifiable citations. + +## 4) Guardrails + +- Prompt templates enforce structure: summary, conflicts, remediation, references. +- Response validator ensures: + - No hallucinated advisories (every fact must map to input context). + - Citations follow `[n]` indexing referencing actual sources. + - Remediation suggestions only cite policy-approved sources (fixed versions, vendor hotfixes). +- Moderation/PII filters prevent leaking secrets; responses failing validation are rejected and logged. + +## 5) Output persistence + +- Cached artefacts stored in `advisory_ai_outputs` with fields: + - `output_hash` (sha256 of JSON response). + - `input_digest` (hash of context pack). + - `summary`, `conflicts`, `remediation`, `citations`. + - `generated_at`, `model_id`, `profile` (Sovereign/FIPS etc.). + - `signatures` (optional DSSE if run in deterministic mode). +- Offline bundle format contains `summary.md`, `citations.json`, `context_manifest.json`, `signatures/`. + +## 6) Profiles & sovereignty + +- **Profiles:** `default`, `fips-local` (FIPS-compliant local model), `gost-local`, `cloud-openai` (optional, disabled by default). Each profile defines allowed models, key management, and telemetry endpoints. +- **CryptoProfile/RootPack integration:** generated artefacts can be signed using configured CryptoProfile to satisfy procurement/trust requirements. + +## 7) APIs + +- `POST /v1/advisory-ai/summaries` — generate (or retrieve cached) summary for `{advisoryKey, artifactId, policyVersion}`. +- `POST /v1/advisory-ai/conflicts` — explain conflicting VEX statements with trust ranking. +- `POST /v1/advisory-ai/remediation` — fetch remediation plan with target fix versions, prerequisites, verification steps. +- `GET /v1/advisory-ai/outputs/{hash}` — retrieve cached artefact (used by CLI/Console/Export Center). 
+ +All endpoints accept `profile` parameter (default `fips-local`) and return `output_hash`, `input_digest`, and `citations` for verification. + +## 8) Observability + +- Metrics: `advisory_ai_requests_total{profile,type}`, `advisory_ai_latency_seconds`, `advisory_ai_validation_failures_total`. +- Logs: include `output_hash`, `input_digest`, `profile`, `model_id`, `tenant`, `artifacts`. Sensitive context is not logged. +- Traces: spans for retrieval, prompt assembly, model inference, validation, cache write. + +## 9) Operational controls + +- Feature flags per tenant (`ai.summary.enabled`, `ai.remediation.enabled`). +- Rate limits (per tenant, per profile) enforced by Orchestrator to prevent runaway usage. +- Offline/air-gapped deployments run local models packaged with Offline Kit; model weights validated via manifest digests. diff --git a/docs/modules/advisory-ai/implementation_plan.md b/docs/modules/advisory-ai/implementation_plan.md index 5be64b7c..5dcf28d2 100644 --- a/docs/modules/advisory-ai/implementation_plan.md +++ b/docs/modules/advisory-ai/implementation_plan.md 
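Review bot: the APIs section says all endpoints accept a `profile` parameter with default `fips-local`, while section 6 lists a profile literally named `default` alongside `fips-local`, so a reader cannot tell which profile applies when the parameter is omitted; rename the `default` profile or state explicitly that omitting `profile` selects `fips-local`. Related: section 5 stores `signatures` as `optional DSSE if run in deterministic mode`, but nothing in the cached record marks whether a given output was produced deterministically; add a field next to `model_id` and `profile` so consumers checking `output_hash` know whether to expect a signature, and reject unsigned outputs when the profile requires one.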
@@ -1,19 +1,19 @@ -# Implementation plan — Advisory AI - -## Current objectives -- Deliver Epic milestones summarised below while maintaining determinism and offline parity. -- Keep documentation, telemetry, and runbooks aligned with sprint outcomes. - -## Workstreams -- Roadmap: reconcile open stories in ../../TASKS.md with module backlog. -- Delivery: ship features outlined in the epic while preserving AOC guardrails. -- Validation: extend tests/fixtures to guarantee reproducibility and provenance. - -## Epic milestones -- Epic 8: Advisory AI Assistant. -- DOCS-AI stories to be tracked in ../../TASKS.md. - -## Coordination -- Review ./AGENTS.md before picking up work. -- Sync with owners listed in docs/implplan/SPRINTS.md. -- Update this plan whenever scope, dependencies, or guardrails change. +# Implementation plan — Advisory AI + +## Current objectives +- Deliver Epic milestones summarised below while maintaining determinism and offline parity. +- Keep documentation, telemetry, and runbooks aligned with sprint outcomes. + +## Workstreams +- Roadmap: reconcile open stories in ../../TASKS.md with module backlog. +- Delivery: ship features outlined in the epic while preserving AOC guardrails. +- Validation: extend tests/fixtures to guarantee reproducibility and provenance. + +## Epic milestones +- Epic 8: Advisory AI Assistant. +- DOCS-AI stories to be tracked in ../../TASKS.md. + +## Coordination +- Review ./AGENTS.md before picking up work. +- Sync with owners listed in docs/implplan/SPRINTS.md. +- Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/attestor/AGENTS.md b/docs/modules/attestor/AGENTS.md index 02066f19..b0211dbc 100644 --- a/docs/modules/attestor/AGENTS.md +++ b/docs/modules/attestor/AGENTS.md 
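Review bot: no content changes in `implementation_plan.md`; each `-` line reappears verbatim as a `+` line, so the file should be dropped from this commit unless the whitespace normalisation is intended and stated in the commit message. If it is kept, the Workstreams line `Delivery: ship features outlined in the epic while preserving AOC guardrails` would benefit from a link to the contract document, as attestor's AGENTS.md does with `../../ingestion/aggregation-only-contract.md`, so that "AOC guardrails" resolves to a concrete definition.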
@@ -1,22 +1,22 @@ -# Attestor agent guide - -## Mission -Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. +# Attestor agent guide + +## Mission +Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. 
Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. diff --git a/docs/modules/attestor/README.md b/docs/modules/attestor/README.md index b842aefc..89a1e2de 100644 --- a/docs/modules/attestor/README.md +++ b/docs/modules/attestor/README.md 
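Review bot: the attestor AGENTS.md hunk is another verbatim delete-and-re-add with no text change, and the one line where an AOC alignment for this component would land, `Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md)`, is untouched; if Attestor is meant to be covered by the Excititor/Concelier alignment, update that guardrail (or the `./TASKS.md` the getting-started steps point to) in this hunk, otherwise leave the file out of the commit.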
@@ -1,54 +1,54 @@ -# StellaOps Attestor - -Attestor converts signed DSSE evidence from the Signer into transparency-log proofs and verifiable reports for every downstream surface (Policy Engine, Export Center, CLI, Console, Scheduler). It is the trust backbone that proves SBOM, scan, VEX, and policy artefacts were signed, witnessed, and preserved without tampering. - -## Why it exists -- **Evidence first:** organisations need portable, verifiable attestations that prove build provenance, SBOM availability, policy verdicts, and VEX statements. -- **Policy enforcement:** verification policies ensure only approved issuers, key types, witnesses, and freshness windows are accepted. -- **Sovereign/offline-ready:** Attestor archives envelopes, signatures, and proofs so air-gapped deployments can replay verification without contacting external services. - -## Roles & surfaces -- **Subjects:** immutable digests for container images, SBOMs, reports, and policy bundles. -- **Issuers:** builders, scanners, policy engines, or operators signing DSSE envelopes using keyless (Fulcio), KMS/HSM, or FIDO2 keys. -- **Consumers:** CLI/SDK, Console, Export Center, Scanner, Policy Engine, and Notify retrieving verification bundles or triggering policy checks. -- **Scopes:** Authority issues `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for issuer/key management; every call is bound with mTLS + DPoP. - -## Supported payloads -- `StellaOps.BuildProvenance@1`, `StellaOps.SBOMAttestation@1` -- `StellaOps.ScanResults@1`, `StellaOps.VEXAttestation@1` -- `StellaOps.PolicyEvaluation@1`, `StellaOps.RiskProfileEvidence@1` -All predicates capture subjects, issuer metadata, policy context, materials, optional witnesses, and versioned schemas. Unsupported predicates return `422 predicate_unsupported`. - -## Trust & envelope model -- DSSE envelopes are canonicalised, hashed, and stored alongside the Rekor UUID, index, and proof. 
-- Signature modes span keyless (Fulcio), keyful (KMS/HSM), and hardware-backed (FIDO2). Multiple signatures are supported per envelope. -- Proofs include Merkle inclusion path, checkpoint metadata, optional witness endorsements, and cached verification verdicts. -- CAS/object storage retains envelopes + provenance for later replay; Rekor backends may be primary plus mirrors. - -## UI, CLI, and SDK workflows -- **Console:** Evidence browser, verification reports, chain-of-custody graph, issuer/key management, attestation workbench, and bulk verification flows. -- **CLI / SDK:** `stella attest sign|verify|list|fetch|key` commands plus language SDKs to integrate build pipelines and offline verification scripts. -- **Policy Studio:** Verification policies author required predicate types, issuers, witness requirements, and freshness windows; simulations show enforcement impact. - -## Storage, offline & air-gap posture -- MongoDB stores entry metadata, dedupe keys, and audit events; object storage optionally archives DSSE bundles. -- Export Center packages attestation bundles (`stella export attestation-bundle`) for Offline Kit delivery. -- Transparency logs can be mirrored; offline mode records gaps and provides compensating controls. - -## Observability & performance -- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_cache_hit_ratio`, `attestor_rekor_latency_seconds`. -- Logs capture tenant, issuer, subject digests, Rekor UUID, proof status, and policy verdict. -- Performance target: ≥1 000 envelopes/minute per worker with cached verification, batched operations, and concurrency controls. - -## Key integrations -- Signer (DSSE source), Authority (scopes & tenancy), Export Center (attestation bundles), Policy Engine (verification policies), Scanner/Excititor (subject evidence), Notify (key rotation & verification alerts), Observability stack (dashboards/alerts). 
- -## Backlog references -- DOCS-ATTEST-73-001 … DOCS-ATTEST-75-002 (Attestor console, key management, air-gap bundles) in ../../TASKS.md. -- EXPORT-ATTEST-75-002 (Export Center attestation packaging) in ../export-center/TASKS.md. - -## Epic alignment -- **Epic 19 – Attestor Console:** console experience, verification APIs, issuer/key governance, transparency integration, and offline bundles. -- **Epic 10 – Export Center:** provenance alignment so exports carry signed manifests and attestation bundles. - -> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. +# StellaOps Attestor + +Attestor converts signed DSSE evidence from the Signer into transparency-log proofs and verifiable reports for every downstream surface (Policy Engine, Export Center, CLI, Console, Scheduler). It is the trust backbone that proves SBOM, scan, VEX, and policy artefacts were signed, witnessed, and preserved without tampering. + +## Why it exists +- **Evidence first:** organisations need portable, verifiable attestations that prove build provenance, SBOM availability, policy verdicts, and VEX statements. +- **Policy enforcement:** verification policies ensure only approved issuers, key types, witnesses, and freshness windows are accepted. +- **Sovereign/offline-ready:** Attestor archives envelopes, signatures, and proofs so air-gapped deployments can replay verification without contacting external services. + +## Roles & surfaces +- **Subjects:** immutable digests for container images, SBOMs, reports, and policy bundles. +- **Issuers:** builders, scanners, policy engines, or operators signing DSSE envelopes using keyless (Fulcio), KMS/HSM, or FIDO2 keys. +- **Consumers:** CLI/SDK, Console, Export Center, Scanner, Policy Engine, and Notify retrieving verification bundles or triggering policy checks. 
+- **Scopes:** Authority issues `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for issuer/key management; every call is bound with mTLS + DPoP. + +## Supported payloads +- `StellaOps.BuildProvenance@1`, `StellaOps.SBOMAttestation@1` +- `StellaOps.ScanResults@1`, `StellaOps.VEXAttestation@1` +- `StellaOps.PolicyEvaluation@1`, `StellaOps.RiskProfileEvidence@1` +All predicates capture subjects, issuer metadata, policy context, materials, optional witnesses, and versioned schemas. Unsupported predicates return `422 predicate_unsupported`. + +## Trust & envelope model +- DSSE envelopes are canonicalised, hashed, and stored alongside the Rekor UUID, index, and proof. +- Signature modes span keyless (Fulcio), keyful (KMS/HSM), and hardware-backed (FIDO2). Multiple signatures are supported per envelope. +- Proofs include Merkle inclusion path, checkpoint metadata, optional witness endorsements, and cached verification verdicts. +- CAS/object storage retains envelopes + provenance for later replay; Rekor backends may be primary plus mirrors. + +## UI, CLI, and SDK workflows +- **Console:** Evidence browser, verification reports, chain-of-custody graph, issuer/key management, attestation workbench, and bulk verification flows. +- **CLI / SDK:** `stella attest sign|verify|list|fetch|key` commands plus language SDKs to integrate build pipelines and offline verification scripts. +- **Policy Studio:** Verification policies author required predicate types, issuers, witness requirements, and freshness windows; simulations show enforcement impact. + +## Storage, offline & air-gap posture +- MongoDB stores entry metadata, dedupe keys, and audit events; object storage optionally archives DSSE bundles. +- Export Center packages attestation bundles (`stella export attestation-bundle`) for Offline Kit delivery. +- Transparency logs can be mirrored; offline mode records gaps and provides compensating controls. 
+ +## Observability & performance +- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_cache_hit_ratio`, `attestor_rekor_latency_seconds`. +- Logs capture tenant, issuer, subject digests, Rekor UUID, proof status, and policy verdict. +- Performance target: ≥1 000 envelopes/minute per worker with cached verification, batched operations, and concurrency controls. + +## Key integrations +- Signer (DSSE source), Authority (scopes & tenancy), Export Center (attestation bundles), Policy Engine (verification policies), Scanner/Excititor (subject evidence), Notify (key rotation & verification alerts), Observability stack (dashboards/alerts). + +## Backlog references +- DOCS-ATTEST-73-001 … DOCS-ATTEST-75-002 (Attestor console, key management, air-gap bundles) in ../../TASKS.md. +- EXPORT-ATTEST-75-002 (Export Center attestation packaging) in ../export-center/TASKS.md. + +## Epic alignment +- **Epic 19 – Attestor Console:** console experience, verification APIs, issuer/key governance, transparency integration, and offline bundles. +- **Epic 10 – Export Center:** provenance alignment so exports carry signed manifests and attestation bundles. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. diff --git a/docs/modules/attestor/TASKS.md b/docs/modules/attestor/TASKS.md index 5b13b598..e9c83a74 100644 --- a/docs/modules/attestor/TASKS.md +++ b/docs/modules/attestor/TASKS.md 
@@ -1,9 +1,9 @@ -# Task board — Attestor - -> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. - -| ID | Status | Owner(s) | Description | Notes | -|----|--------|----------|-------------|-------| -| ATTESTOR-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | -| ATTESTOR-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| ATTESTOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +# Task board — Attestor + +> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. + +| ID | Status | Owner(s) | Description | Notes | +|----|--------|----------|-------------|-------| +| ATTESTOR-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | +| ATTESTOR-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | +| ATTESTOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/attestor/architecture.md b/docs/modules/attestor/architecture.md index 7fddbd17..7fed77e7 100644 --- a/docs/modules/attestor/architecture.md +++ b/docs/modules/attestor/architecture.md 
@@ -1,432 +1,432 @@ -# component_architecture_attestor.md — **Stella Ops Attestor** (2025Q4) - -> Derived from Epic 19 – Attestor Console with provenance hooks aligned to the Export Center bundle workflows scoped in Epic 10. - -> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Excititor exports when configured). - ---- - -## 0) Mission & boundaries - -**Mission.** Turn a signed DSSE envelope from the Signer into a **transparency‑logged, verifiable fact** with a durable, replayable proof (Merkle inclusion + (optional) checkpoint anchoring). Provide **fast verification** for downstream consumers and a stable retrieval interface for UI/CLI. - -**Boundaries.** - -* Attestor **does not sign**; it **must not** accept unsigned or third‑party‑signed bundles. -* Attestor **does not decide PASS/FAIL**; it logs attestations for SBOMs, reports, and export artifacts. -* Rekor v2 backends may be **local** (self‑hosted) or **remote**; Attestor handles both with retries, backoff, and idempotency. - ---- - -## 1) Topology & dependencies - -**Process shape:** single stateless service `stellaops/attestor` behind mTLS. - -**Dependencies:** - -* **Signer** (caller) — authenticated via **mTLS** and **Authority** OpToks. -* **Rekor v2** — tile‑backed transparency log endpoint(s). -* **MinIO (S3)** — optional archive store for DSSE envelopes & verification bundles. -* **MongoDB** — local cache of `{uuid, index, proof, artifactSha256, bundleSha256}`; job state; audit. -* **Redis** — dedupe/idempotency keys and short‑lived rate‑limit buckets. 
-* **Licensing Service (optional)** — “endorse” call for cross‑log publishing when customer opts‑in. - -Trust boundary: **Only the Signer** is allowed to call submission endpoints; enforced by **mTLS peer cert allowlist** + `aud=attestor` OpTok. - ---- - -### Roles, identities & scopes -- **Subjects** — immutable digests for artifacts (container images, SBOMs, reports) referenced in DSSE envelopes. -- **Issuers** — authenticated builders/scanners/policy engines signing evidence; tracked with mode (`keyless`, `kms`, `hsm`, `fido2`) and tenant scope. -- **Consumers** — Scanner, Export Center, CLI, Console, Policy Engine that verify proofs using Attestor APIs. -- **Authority scopes** — `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for key management; all calls mTLS/DPoP-bound. - -### Supported predicate types -- `StellaOps.BuildProvenance@1` -- `StellaOps.SBOMAttestation@1` -- `StellaOps.ScanResults@1` -- `StellaOps.PolicyEvaluation@1` -- `StellaOps.VEXAttestation@1` -- `StellaOps.RiskProfileEvidence@1` - -Each predicate embeds subject digests, issuer metadata, policy context, materials, and optional transparency hints. Unsupported predicates return `422 predicate_unsupported`. - -### Envelope & signature model -- DSSE envelopes canonicalised (stable JSON ordering) prior to hashing. -- Signature modes: keyless (Fulcio cert chain), keyful (KMS/HSM), hardware (FIDO2/WebAuthn). Multiple signatures allowed. -- Rekor entry stores bundle hash, certificate chain, and optional witness endorsements. -- Archive CAS retains original envelope plus metadata for offline verification. - -### Verification pipeline overview -1. Fetch envelope (from request, cache, or storage) and validate DSSE structure. -2. Verify signature(s) against configured trust roots; evaluate issuer policy. -3. Retrieve or acquire inclusion proof from Rekor (primary + optional mirror). -4. Validate Merkle proof against checkpoint; optionally verify witness endorsement. -5. 
Return cached verification bundle including policy verdict and timestamps. - -### UI & CLI touchpoints -- Console: Evidence browser, verification report, chain-of-custody graph, issuer/key management, attestation workbench, bulk verification views. -- CLI: `stella attest sign|verify|list|fetch|key` with offline verification and export bundle support. -- SDKs expose sign/verify primitives for build pipelines. - -### Performance & observability targets -- Throughput goal: ≥1 000 envelopes/minute per worker with cached verification. -- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_rekor_latency_seconds`, `attestor_cache_hit_ratio`. -- Logs include `tenant`, `issuer`, `subjectDigest`, `rekorUuid`, `proofStatus`; traces cover submission → Rekor → cache → response path. - ---- - -## 2) Data model (Mongo) - -Database: `attestor` - -**Collections & schemas** - -* `entries` - - ``` - { _id: "", - artifact: { sha256: "", kind: "sbom|report|vex-export", imageDigest?, subjectUri? }, - bundleSha256: "", // canonicalized DSSE - index: , // log index/sequence if provided by backend - proof: { // inclusion proof - checkpoint: { origin, size, rootHash, timestamp }, - inclusion: { leafHash, path[] } // Merkle path (tiles) - }, - log: { url, logId? }, - createdAt, status: "included|pending|failed", - signerIdentity: { mode: "keyless|kms", issuer, san?, kid? } - } - ``` - -* `dedupe` - - ``` - { key: "bundle:", rekorUuid, createdAt, ttlAt } // idempotency key - ``` - -* `audit` - - ``` - { _id, ts, caller: { cn, mTLSThumbprint, sub, aud }, // from mTLS + OpTok - action: "submit|verify|fetch", - artifactSha256, bundleSha256, rekorUuid?, index?, result, latencyMs, backend } - ``` - -Indexes: - -* `entries` on `artifact.sha256`, `bundleSha256`, `createdAt`, and `{status:1, createdAt:-1}`. -* `dedupe.key` unique (TTL 24–48h). -* `audit.ts` for time‑range queries. 
- ---- - -## 3) Input contract (from Signer) - -**Attestor accepts only** DSSE envelopes that satisfy all of: - -1. **mTLS** peer certificate maps to `signer` service (CA‑pinned). -2. **Authority** OpTok with `aud=attestor`, `scope=attestor.write`, DPoP or mTLS bound. -3. DSSE envelope is **signed by the Signer’s key** (or includes a **Fulcio‑issued** cert chain) and **chains to configured roots** (Fulcio/KMS). -4. **Predicate type** is one of Stella Ops types (sbom/report/vex‑export) with valid schema. -5. `subject[*].digest.sha256` is present and canonicalized. - -**Wire shape (JSON):** - -```json -{ - "bundle": { "dsse": { "payloadType": "application/vnd.in-toto+json", "payload": "", "signatures": [ ... ] }, - "certificateChain": [ "-----BEGIN CERTIFICATE-----..." ], - "mode": "keyless" }, - "meta": { - "artifact": { "sha256": "", "kind": "sbom|report|vex-export", "imageDigest": "sha256:..." }, - "bundleSha256": "", - "logPreference": "primary", // "primary" | "mirror" | "both" - "archive": true // whether Attestor should archive bundle to S3 - } -} -``` - ---- - -## 4) APIs - -### 4.1 Submission - -`POST /api/v1/rekor/entries` *(mTLS + OpTok required)* - -* **Body**: as above. -* **Behavior**: - - * Verify caller (mTLS + OpTok). - * Validate DSSE bundle (signature, cert chain to Fulcio/KMS; DSSE structure; payloadType allowed). - * Idempotency: compute `bundleSha256`; check `dedupe`. If present, return existing `rekorUuid`. - * Submit canonicalized bundle to Rekor v2 (primary or mirror according to `logPreference`). - * Retrieve **inclusion proof** (blocking until inclusion or up to `proofTimeoutMs`); if backend returns promise only, return `status=pending` and retry asynchronously. - * Persist `entries` record; archive DSSE to S3 if `archive=true`. 
-* **Response 200**: - - ```json - { - "uuid": "…", - "index": 123456, - "proof": { - "checkpoint": { "origin": "rekor@site", "size": 987654, "rootHash": "…", "timestamp": "…" }, - "inclusion": { "leafHash": "…", "path": ["…","…"] } - }, - "logURL": "https://rekor…/api/v2/log/…/entries/…", - "status": "included" - } - ``` -* **Errors**: `401 invalid_token`, `403 not_signer|chain_untrusted`, `409 duplicate_bundle` (with existing `uuid`), `502 rekor_unavailable`, `504 proof_timeout`. - -### 4.2 Proof retrieval - -`GET /api/v1/rekor/entries/{uuid}` - -* Returns `entries` row (refreshes proof from Rekor if stale/missing). -* Accepts `?refresh=true` to force backend query. - -### 4.3 Verification (third‑party or internal) - -`POST /api/v1/rekor/verify` - -* **Body** (one of): - - * `{ "uuid": "…" }` - * `{ "bundle": { …DSSE… } }` - * `{ "artifactSha256": "…" }` *(looks up most recent entry)* - -* **Checks**: - - 1. **Bundle signature** → cert chain to Fulcio/KMS roots configured. - 2. **Inclusion proof** → recompute leaf hash; verify Merkle path against checkpoint root. - 3. Optionally verify **checkpoint** against local trust anchors (if Rekor signs checkpoints). - 4. Confirm **subject.digest** matches caller‑provided hash (when given). - -* **Response**: - - ```json - { "ok": true, "uuid": "…", "index": 123, "logURL": "…", "checkedAt": "…" } - ``` - -### 4.4 Batch submission (optional) - -`POST /api/v1/rekor/batch` accepts an array of submission objects; processes with per‑item results. - ---- - -## 5) Rekor v2 driver (backend) - -* **Canonicalization**: DSSE envelopes are **normalized** (stable JSON ordering, no insignificant whitespace) before hashing and submission. -* **Transport**: HTTP/2 with retries (exponential backoff, jitter), budgeted timeouts. -* **Idempotency**: if backend returns “already exists,” map to existing `uuid`. -* **Proof acquisition**: - - * In synchronous mode, poll the log for inclusion up to `proofTimeoutMs`. 
- * In asynchronous mode, return `pending` and schedule a **proof fetcher** job (Mongo job doc + backoff). -* **Mirrors/dual logs**: - - * When `logPreference="both"`, submit to primary and mirror; store **both** UUIDs (primary canonical). - * Optional **cloud endorsement**: POST to the Stella Ops cloud `/attest/endorse` with `{uuid, artifactSha256}`; store returned endorsement id. - ---- - -## 6) Security model - -* **mTLS required** for submission from **Signer** (CA‑pinned). -* **Authority token** with `aud=attestor` and DPoP/mTLS binding must be presented; Attestor verifies both. -* **Bundle acceptance policy**: - - * DSSE signature must chain to the configured **Fulcio** (keyless) or **KMS/HSM** roots. - * SAN (Subject Alternative Name) must match **Signer identity** policy (e.g., `urn:stellaops:signer` or pinned OIDC issuer). - * Predicate `predicateType` must be on allowlist (sbom/report/vex-export). - * `subject.digest.sha256` values must be present and well‑formed (hex). -* **No public submission** path. **Never** accept bundles from untrusted clients. -* **Client certificate allowlists**: optional `security.mtls.allowedSubjects` / `allowedThumbprints` tighten peer identity checks beyond CA pinning. -* **Rate limits**: token-bucket per caller derived from `quotas.perCaller` (QPS/burst) returns `429` + `Retry-After` when exceeded. -* **Redaction**: Attestor never logs secret material; DSSE payloads **should** be public by design (SBOMs/reports). If customers require redaction, enforce policy at Signer (predicate minimization) **before** Attestor. - ---- - -## 7) Storage & archival - -* **Entries** in Mongo provide a local ledger keyed by `rekorUuid` and **artifact sha256** for quick reverse lookups. 
-* **S3 archival** (if enabled): - - ``` - s3://stellaops/attest/ - dsse/.json - proof/.json - bundle/.zip # optional verification bundle - ``` -* **Verification bundles** (zip): - - * DSSE (`*.dsse.json`), proof (`*.proof.json`), `chain.pem` (certs), `README.txt` with verification steps & hashes. - ---- - -## 8) Observability & audit - -**Metrics** (Prometheus): - -* `attestor.submit_total{result,backend}` -* `attestor.submit_latency_seconds{backend}` -* `attestor.proof_fetch_total{result}` -* `attestor.verify_total{result}` -* `attestor.dedupe_hits_total` -* `attestor.errors_total{type}` - -**Correlation**: - -* HTTP callers may supply `X-Correlation-Id`; Attestor will echo the header and push `CorrelationId` into the log scope for cross-service tracing. - -**Tracing**: - -* Spans: `validate`, `rekor.submit`, `rekor.poll`, `persist`, `archive`, `verify`. - -**Audit**: - -* Immutable `audit` rows (ts, caller, action, hashes, uuid, index, backend, result, latency). - ---- - -## 9) Configuration (YAML) - -```yaml -attestor: - listen: "https://0.0.0.0:8444" - security: - mtls: - caBundle: /etc/ssl/signer-ca.pem - requireClientCert: true - authority: - issuer: "https://authority.internal" - jwksUrl: "https://authority.internal/jwks" - requireSenderConstraint: "dpop" # or "mtls" - signerIdentity: - mode: ["keyless","kms"] - fulcioRoots: ["/etc/fulcio/root.pem"] - allowedSANs: ["urn:stellaops:signer"] - kmsKeys: ["kms://cluster-kms/stellaops-signer"] - rekor: - primary: - url: "https://rekor-v2.internal" - proofTimeoutMs: 15000 - pollIntervalMs: 250 - maxAttempts: 60 - mirror: - enabled: false - url: "https://rekor-v2.mirror" - mongo: - uri: "mongodb://mongo/attestor" - s3: - enabled: true - endpoint: "http://minio:9000" - bucket: "stellaops" - prefix: "attest/" - objectLock: "governance" - redis: - url: "redis://redis:6379/2" - quotas: - perCaller: - qps: 50 - burst: 100 -``` - ---- - -## 10) End‑to‑end sequences - -**A) Submit & include (happy path)** - -```mermaid 
-sequenceDiagram - autonumber - participant SW as Scanner.WebService - participant SG as Signer - participant AT as Attestor - participant RK as Rekor v2 - - SW->>SG: POST /sign/dsse (OpTok+PoE) - SG-->>SW: DSSE bundle (+certs) - SW->>AT: POST /rekor/entries (mTLS + OpTok) - AT->>AT: Validate DSSE (chain to Fulcio/KMS; signer identity) - AT->>RK: submit(bundle) - RK-->>AT: {uuid, index?} - AT->>RK: poll inclusion until proof or timeout - RK-->>AT: inclusion proof (checkpoint + path) - AT-->>SW: {uuid, index, proof, logURL} -``` - -**B) Verify by artifact digest (CLI)** - -```mermaid -sequenceDiagram - autonumber - participant CLI as stellaops verify - participant SW as Scanner.WebService - participant AT as Attestor - - CLI->>SW: GET /catalog/artifacts/{id} - SW-->>CLI: {artifactSha256, rekor: {uuid}} - CLI->>AT: POST /rekor/verify { uuid } - AT-->>CLI: { ok: true, index, logURL } -``` - ---- - -## 11) Failure modes & responses - -| Condition | Return | Details | | | -| ------------------------------------- | ----------------------- | --------------------------------------------------------- | -------- | ------------ | -| mTLS/OpTok invalid | `401 invalid_token` | Include `WWW-Authenticate` DPoP challenge when applicable | | | -| Bundle not signed by trusted identity | `403 chain_untrusted` | DSSE accepted only from Signer identities | | | -| Duplicate bundle | `409 duplicate_bundle` | Return existing `uuid` (idempotent) | | | -| Rekor unreachable/timeout | `502 rekor_unavailable` | Retry with backoff; surface `Retry-After` | | | -| Inclusion proof timeout | `202 accepted` | `status=pending`, background job continues to fetch proof | | | -| Archive failure | `207 multi-status` | Entry recorded; archive will retry asynchronously | | | -| Verification mismatch | `400 verify_failed` | Include reason: chain | leafHash | rootMismatch | - ---- - -## 12) Performance & scale - -* Stateless; scale horizontally. 
-* **Targets**: - - * Submit+proof P95 ≤ **300 ms** (warm log; local Rekor). - * Verify P95 ≤ **30 ms** from cache; ≤ **120 ms** with live proof fetch. - * 1k submissions/minute per replica sustained. -* **Hot caches**: `dedupe` (bundle hash → uuid), recent `entries` by artifact sha256. - ---- - -## 13) Testing matrix - -* **Happy path**: valid DSSE, inclusion within timeout. -* **Idempotency**: resubmit same `bundleSha256` → same `uuid`. -* **Security**: reject non‑Signer mTLS, wrong `aud`, DPoP replay, untrusted cert chain, forbidden predicateType. -* **Rekor variants**: promise‑then‑proof, proof delayed, mirror dual‑submit, mirror failure. -* **Verification**: corrupt leaf path, wrong root, tampered bundle. -* **Throughput**: soak test with 10k submissions; latency SLOs, zero drops. - ---- - -## 14) Implementation notes - -* Language: **.NET 10** minimal API; `HttpClient` with **sockets handler** tuned for HTTP/2. -* JSON: **canonical writer** for DSSE payload hashing. -* Crypto: use **BouncyCastle**/**System.Security.Cryptography**; PEM parsing for cert chains. -* Rekor client: pluggable driver; treat backend errors as retryable/non‑retryable with granular mapping. -* Safety: size caps on bundles; decompress bombs guarded; strict UTF‑8. -* CLI integration: `stellaops verify attestation ` calls `/rekor/verify`. - ---- - -## 15) Optional features - -* **Dual‑log** write (primary + mirror) and **cross‑log proof** packaging. -* **Cloud endorsement**: send `{uuid, artifactSha256}` to Stella Ops cloud; store returned endorsement id for marketing/chain‑of‑custody. -* **Checkpoint pinning**: periodically pin latest Rekor checkpoints to an external audit store for independent monitoring. - +# component_architecture_attestor.md — **Stella Ops Attestor** (2025Q4) + +> Derived from Epic 19 – Attestor Console with provenance hooks aligned to the Export Center bundle workflows scoped in Epic 10. 
+ +> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Excititor exports when configured). + +--- + +## 0) Mission & boundaries + +**Mission.** Turn a signed DSSE envelope from the Signer into a **transparency‑logged, verifiable fact** with a durable, replayable proof (Merkle inclusion + (optional) checkpoint anchoring). Provide **fast verification** for downstream consumers and a stable retrieval interface for UI/CLI. + +**Boundaries.** + +* Attestor **does not sign**; it **must not** accept unsigned or third‑party‑signed bundles. +* Attestor **does not decide PASS/FAIL**; it logs attestations for SBOMs, reports, and export artifacts. +* Rekor v2 backends may be **local** (self‑hosted) or **remote**; Attestor handles both with retries, backoff, and idempotency. + +--- + +## 1) Topology & dependencies + +**Process shape:** single stateless service `stellaops/attestor` behind mTLS. + +**Dependencies:** + +* **Signer** (caller) — authenticated via **mTLS** and **Authority** OpToks. +* **Rekor v2** — tile‑backed transparency log endpoint(s). +* **MinIO (S3)** — optional archive store for DSSE envelopes & verification bundles. +* **MongoDB** — local cache of `{uuid, index, proof, artifactSha256, bundleSha256}`; job state; audit. +* **Redis** — dedupe/idempotency keys and short‑lived rate‑limit buckets. +* **Licensing Service (optional)** — “endorse” call for cross‑log publishing when customer opts‑in. + +Trust boundary: **Only the Signer** is allowed to call submission endpoints; enforced by **mTLS peer cert allowlist** + `aud=attestor` OpTok. 
+ +--- + +### Roles, identities & scopes +- **Subjects** — immutable digests for artifacts (container images, SBOMs, reports) referenced in DSSE envelopes. +- **Issuers** — authenticated builders/scanners/policy engines signing evidence; tracked with mode (`keyless`, `kms`, `hsm`, `fido2`) and tenant scope. +- **Consumers** — Scanner, Export Center, CLI, Console, Policy Engine that verify proofs using Attestor APIs. +- **Authority scopes** — `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for key management; all calls mTLS/DPoP-bound. + +### Supported predicate types +- `StellaOps.BuildProvenance@1` +- `StellaOps.SBOMAttestation@1` +- `StellaOps.ScanResults@1` +- `StellaOps.PolicyEvaluation@1` +- `StellaOps.VEXAttestation@1` +- `StellaOps.RiskProfileEvidence@1` + +Each predicate embeds subject digests, issuer metadata, policy context, materials, and optional transparency hints. Unsupported predicates return `422 predicate_unsupported`. + +### Envelope & signature model +- DSSE envelopes canonicalised (stable JSON ordering) prior to hashing. +- Signature modes: keyless (Fulcio cert chain), keyful (KMS/HSM), hardware (FIDO2/WebAuthn). Multiple signatures allowed. +- Rekor entry stores bundle hash, certificate chain, and optional witness endorsements. +- Archive CAS retains original envelope plus metadata for offline verification. + +### Verification pipeline overview +1. Fetch envelope (from request, cache, or storage) and validate DSSE structure. +2. Verify signature(s) against configured trust roots; evaluate issuer policy. +3. Retrieve or acquire inclusion proof from Rekor (primary + optional mirror). +4. Validate Merkle proof against checkpoint; optionally verify witness endorsement. +5. Return cached verification bundle including policy verdict and timestamps. + +### UI & CLI touchpoints +- Console: Evidence browser, verification report, chain-of-custody graph, issuer/key management, attestation workbench, bulk verification views. 
+- CLI: `stella attest sign|verify|list|fetch|key` with offline verification and export bundle support. +- SDKs expose sign/verify primitives for build pipelines. + +### Performance & observability targets +- Throughput goal: ≥1 000 envelopes/minute per worker with cached verification. +- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_rekor_latency_seconds`, `attestor_cache_hit_ratio`. +- Logs include `tenant`, `issuer`, `subjectDigest`, `rekorUuid`, `proofStatus`; traces cover submission → Rekor → cache → response path. + +--- + +## 2) Data model (Mongo) + +Database: `attestor` + +**Collections & schemas** + +* `entries` + + ``` + { _id: "", + artifact: { sha256: "", kind: "sbom|report|vex-export", imageDigest?, subjectUri? }, + bundleSha256: "", // canonicalized DSSE + index: , // log index/sequence if provided by backend + proof: { // inclusion proof + checkpoint: { origin, size, rootHash, timestamp }, + inclusion: { leafHash, path[] } // Merkle path (tiles) + }, + log: { url, logId? }, + createdAt, status: "included|pending|failed", + signerIdentity: { mode: "keyless|kms", issuer, san?, kid? } + } + ``` + +* `dedupe` + + ``` + { key: "bundle:", rekorUuid, createdAt, ttlAt } // idempotency key + ``` + +* `audit` + + ``` + { _id, ts, caller: { cn, mTLSThumbprint, sub, aud }, // from mTLS + OpTok + action: "submit|verify|fetch", + artifactSha256, bundleSha256, rekorUuid?, index?, result, latencyMs, backend } + ``` + +Indexes: + +* `entries` on `artifact.sha256`, `bundleSha256`, `createdAt`, and `{status:1, createdAt:-1}`. +* `dedupe.key` unique (TTL 24–48h). +* `audit.ts` for time‑range queries. + +--- + +## 3) Input contract (from Signer) + +**Attestor accepts only** DSSE envelopes that satisfy all of: + +1. **mTLS** peer certificate maps to `signer` service (CA‑pinned). +2. **Authority** OpTok with `aud=attestor`, `scope=attestor.write`, DPoP or mTLS bound. +3. 
DSSE envelope is **signed by the Signer’s key** (or includes a **Fulcio‑issued** cert chain) and **chains to configured roots** (Fulcio/KMS). +4. **Predicate type** is one of Stella Ops types (sbom/report/vex‑export) with valid schema. +5. `subject[*].digest.sha256` is present and canonicalized. + +**Wire shape (JSON):** + +```json +{ + "bundle": { "dsse": { "payloadType": "application/vnd.in-toto+json", "payload": "", "signatures": [ ... ] }, + "certificateChain": [ "-----BEGIN CERTIFICATE-----..." ], + "mode": "keyless" }, + "meta": { + "artifact": { "sha256": "", "kind": "sbom|report|vex-export", "imageDigest": "sha256:..." }, + "bundleSha256": "", + "logPreference": "primary", // "primary" | "mirror" | "both" + "archive": true // whether Attestor should archive bundle to S3 + } +} +``` + +--- + +## 4) APIs + +### 4.1 Submission + +`POST /api/v1/rekor/entries` *(mTLS + OpTok required)* + +* **Body**: as above. +* **Behavior**: + + * Verify caller (mTLS + OpTok). + * Validate DSSE bundle (signature, cert chain to Fulcio/KMS; DSSE structure; payloadType allowed). + * Idempotency: compute `bundleSha256`; check `dedupe`. If present, return existing `rekorUuid`. + * Submit canonicalized bundle to Rekor v2 (primary or mirror according to `logPreference`). + * Retrieve **inclusion proof** (blocking until inclusion or up to `proofTimeoutMs`); if backend returns promise only, return `status=pending` and retry asynchronously. + * Persist `entries` record; archive DSSE to S3 if `archive=true`. +* **Response 200**: + + ```json + { + "uuid": "…", + "index": 123456, + "proof": { + "checkpoint": { "origin": "rekor@site", "size": 987654, "rootHash": "…", "timestamp": "…" }, + "inclusion": { "leafHash": "…", "path": ["…","…"] } + }, + "logURL": "https://rekor…/api/v2/log/…/entries/…", + "status": "included" + } + ``` +* **Errors**: `401 invalid_token`, `403 not_signer|chain_untrusted`, `409 duplicate_bundle` (with existing `uuid`), `502 rekor_unavailable`, `504 proof_timeout`. 
+ +### 4.2 Proof retrieval + +`GET /api/v1/rekor/entries/{uuid}` + +* Returns `entries` row (refreshes proof from Rekor if stale/missing). +* Accepts `?refresh=true` to force backend query. + +### 4.3 Verification (third‑party or internal) + +`POST /api/v1/rekor/verify` + +* **Body** (one of): + + * `{ "uuid": "…" }` + * `{ "bundle": { …DSSE… } }` + * `{ "artifactSha256": "…" }` *(looks up most recent entry)* + +* **Checks**: + + 1. **Bundle signature** → cert chain to Fulcio/KMS roots configured. + 2. **Inclusion proof** → recompute leaf hash; verify Merkle path against checkpoint root. + 3. Optionally verify **checkpoint** against local trust anchors (if Rekor signs checkpoints). + 4. Confirm **subject.digest** matches caller‑provided hash (when given). + +* **Response**: + + ```json + { "ok": true, "uuid": "…", "index": 123, "logURL": "…", "checkedAt": "…" } + ``` + +### 4.4 Batch submission (optional) + +`POST /api/v1/rekor/batch` accepts an array of submission objects; processes with per‑item results. + +--- + +## 5) Rekor v2 driver (backend) + +* **Canonicalization**: DSSE envelopes are **normalized** (stable JSON ordering, no insignificant whitespace) before hashing and submission. +* **Transport**: HTTP/2 with retries (exponential backoff, jitter), budgeted timeouts. +* **Idempotency**: if backend returns “already exists,” map to existing `uuid`. +* **Proof acquisition**: + + * In synchronous mode, poll the log for inclusion up to `proofTimeoutMs`. + * In asynchronous mode, return `pending` and schedule a **proof fetcher** job (Mongo job doc + backoff). +* **Mirrors/dual logs**: + + * When `logPreference="both"`, submit to primary and mirror; store **both** UUIDs (primary canonical). + * Optional **cloud endorsement**: POST to the Stella Ops cloud `/attest/endorse` with `{uuid, artifactSha256}`; store returned endorsement id. + +--- + +## 6) Security model + +* **mTLS required** for submission from **Signer** (CA‑pinned). 
+* **Authority token** with `aud=attestor` and DPoP/mTLS binding must be presented; Attestor verifies both. +* **Bundle acceptance policy**: + + * DSSE signature must chain to the configured **Fulcio** (keyless) or **KMS/HSM** roots. + * SAN (Subject Alternative Name) must match **Signer identity** policy (e.g., `urn:stellaops:signer` or pinned OIDC issuer). + * Predicate `predicateType` must be on allowlist (sbom/report/vex-export). + * `subject.digest.sha256` values must be present and well‑formed (hex). +* **No public submission** path. **Never** accept bundles from untrusted clients. +* **Client certificate allowlists**: optional `security.mtls.allowedSubjects` / `allowedThumbprints` tighten peer identity checks beyond CA pinning. +* **Rate limits**: token-bucket per caller derived from `quotas.perCaller` (QPS/burst) returns `429` + `Retry-After` when exceeded. +* **Redaction**: Attestor never logs secret material; DSSE payloads **should** be public by design (SBOMs/reports). If customers require redaction, enforce policy at Signer (predicate minimization) **before** Attestor. + +--- + +## 7) Storage & archival + +* **Entries** in Mongo provide a local ledger keyed by `rekorUuid` and **artifact sha256** for quick reverse lookups. +* **S3 archival** (if enabled): + + ``` + s3://stellaops/attest/ + dsse/.json + proof/.json + bundle/.zip # optional verification bundle + ``` +* **Verification bundles** (zip): + + * DSSE (`*.dsse.json`), proof (`*.proof.json`), `chain.pem` (certs), `README.txt` with verification steps & hashes. 
+ +--- + +## 8) Observability & audit + +**Metrics** (Prometheus): + +* `attestor.submit_total{result,backend}` +* `attestor.submit_latency_seconds{backend}` +* `attestor.proof_fetch_total{result}` +* `attestor.verify_total{result}` +* `attestor.dedupe_hits_total` +* `attestor.errors_total{type}` + +**Correlation**: + +* HTTP callers may supply `X-Correlation-Id`; Attestor will echo the header and push `CorrelationId` into the log scope for cross-service tracing. + +**Tracing**: + +* Spans: `validate`, `rekor.submit`, `rekor.poll`, `persist`, `archive`, `verify`. + +**Audit**: + +* Immutable `audit` rows (ts, caller, action, hashes, uuid, index, backend, result, latency). + +--- + +## 9) Configuration (YAML) + +```yaml +attestor: + listen: "https://0.0.0.0:8444" + security: + mtls: + caBundle: /etc/ssl/signer-ca.pem + requireClientCert: true + authority: + issuer: "https://authority.internal" + jwksUrl: "https://authority.internal/jwks" + requireSenderConstraint: "dpop" # or "mtls" + signerIdentity: + mode: ["keyless","kms"] + fulcioRoots: ["/etc/fulcio/root.pem"] + allowedSANs: ["urn:stellaops:signer"] + kmsKeys: ["kms://cluster-kms/stellaops-signer"] + rekor: + primary: + url: "https://rekor-v2.internal" + proofTimeoutMs: 15000 + pollIntervalMs: 250 + maxAttempts: 60 + mirror: + enabled: false + url: "https://rekor-v2.mirror" + mongo: + uri: "mongodb://mongo/attestor" + s3: + enabled: true + endpoint: "http://minio:9000" + bucket: "stellaops" + prefix: "attest/" + objectLock: "governance" + redis: + url: "redis://redis:6379/2" + quotas: + perCaller: + qps: 50 + burst: 100 +``` + +--- + +## 10) End‑to‑end sequences + +**A) Submit & include (happy path)** + +```mermaid +sequenceDiagram + autonumber + participant SW as Scanner.WebService + participant SG as Signer + participant AT as Attestor + participant RK as Rekor v2 + + SW->>SG: POST /sign/dsse (OpTok+PoE) + SG-->>SW: DSSE bundle (+certs) + SW->>AT: POST /rekor/entries (mTLS + OpTok) + AT->>AT: Validate DSSE 
(chain to Fulcio/KMS; signer identity) + AT->>RK: submit(bundle) + RK-->>AT: {uuid, index?} + AT->>RK: poll inclusion until proof or timeout + RK-->>AT: inclusion proof (checkpoint + path) + AT-->>SW: {uuid, index, proof, logURL} +``` + +**B) Verify by artifact digest (CLI)** + +```mermaid +sequenceDiagram + autonumber + participant CLI as stellaops verify + participant SW as Scanner.WebService + participant AT as Attestor + + CLI->>SW: GET /catalog/artifacts/{id} + SW-->>CLI: {artifactSha256, rekor: {uuid}} + CLI->>AT: POST /rekor/verify { uuid } + AT-->>CLI: { ok: true, index, logURL } +``` + +--- + +## 11) Failure modes & responses + +| Condition | Return | Details | | | +| ------------------------------------- | ----------------------- | --------------------------------------------------------- | -------- | ------------ | +| mTLS/OpTok invalid | `401 invalid_token` | Include `WWW-Authenticate` DPoP challenge when applicable | | | +| Bundle not signed by trusted identity | `403 chain_untrusted` | DSSE accepted only from Signer identities | | | +| Duplicate bundle | `409 duplicate_bundle` | Return existing `uuid` (idempotent) | | | +| Rekor unreachable/timeout | `502 rekor_unavailable` | Retry with backoff; surface `Retry-After` | | | +| Inclusion proof timeout | `202 accepted` | `status=pending`, background job continues to fetch proof | | | +| Archive failure | `207 multi-status` | Entry recorded; archive will retry asynchronously | | | +| Verification mismatch | `400 verify_failed` | Include reason: chain | leafHash | rootMismatch | + +--- + +## 12) Performance & scale + +* Stateless; scale horizontally. +* **Targets**: + + * Submit+proof P95 ≤ **300 ms** (warm log; local Rekor). + * Verify P95 ≤ **30 ms** from cache; ≤ **120 ms** with live proof fetch. + * 1k submissions/minute per replica sustained. +* **Hot caches**: `dedupe` (bundle hash → uuid), recent `entries` by artifact sha256. 
+ +--- + +## 13) Testing matrix + +* **Happy path**: valid DSSE, inclusion within timeout. +* **Idempotency**: resubmit same `bundleSha256` → same `uuid`. +* **Security**: reject non‑Signer mTLS, wrong `aud`, DPoP replay, untrusted cert chain, forbidden predicateType. +* **Rekor variants**: promise‑then‑proof, proof delayed, mirror dual‑submit, mirror failure. +* **Verification**: corrupt leaf path, wrong root, tampered bundle. +* **Throughput**: soak test with 10k submissions; latency SLOs, zero drops. + +--- + +## 14) Implementation notes + +* Language: **.NET 10** minimal API; `HttpClient` with **sockets handler** tuned for HTTP/2. +* JSON: **canonical writer** for DSSE payload hashing. +* Crypto: use **BouncyCastle**/**System.Security.Cryptography**; PEM parsing for cert chains. +* Rekor client: pluggable driver; treat backend errors as retryable/non‑retryable with granular mapping. +* Safety: size caps on bundles; decompress bombs guarded; strict UTF‑8. +* CLI integration: `stellaops verify attestation ` calls `/rekor/verify`. + +--- + +## 15) Optional features + +* **Dual‑log** write (primary + mirror) and **cross‑log proof** packaging. +* **Cloud endorsement**: send `{uuid, artifactSha256}` to Stella Ops cloud; store returned endorsement id for marketing/chain‑of‑custody. +* **Checkpoint pinning**: periodically pin latest Rekor checkpoints to an external audit store for independent monitoring. + diff --git a/docs/modules/attestor/implementation_plan.md b/docs/modules/attestor/implementation_plan.md index c805be7d..18b2a638 100644 --- a/docs/modules/attestor/implementation_plan.md +++ b/docs/modules/attestor/implementation_plan.md 
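Review bot: in the attestor `architecture.md` hunk, the failure-mode table in section 11 is broken markdown: the `chain | leafHash | rootMismatch` cell uses unescaped pipes, which is why the header row carries two empty trailing columns (`| | |`) and every other row is padded to match; write it as `chain`, `leafHash` or `rootMismatch`, or escape the pipes as `\|`. The same table also disagrees with section 4.1 on proof timeouts: 4.1 lists `504 proof_timeout` under Errors, while the table maps "Inclusion proof timeout" to `202 accepted` with `status=pending`; the asynchronous proof-fetcher path in section 5 suggests 202 is the intended behaviour, so drop the 504 entry or state when each applies. Metric names are inconsistent as well: the targets block uses underscore names (`attestor_submission_total`, `attestor_verify_seconds`) while section 8 uses dotted ones (`attestor.submit_total{result,backend}`, `attestor.submit_latency_seconds`); settle on one scheme so dashboards and alerts reference the same series. Finally, the `429` + `Retry-After` rate-limit response described in section 6 is missing from the failure-mode table.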
@@ -1,74 +1,74 @@ -# Implementation plan — Attestor - -## Delivery phases -- **Phase 1 – Foundations** - Build the Attestor service skeleton, DSSE bundle ingestion, mTLS/OpTok enforcement, Rekor v2 client, and cache the `{uuid,index,proof}` tuple. Publish base API (`POST /rekor/entries`, `GET /entries/{uuid}`) and Mongo schemas. -- **Phase 2 – Policies & UI** - Deliver verification policy authoring (Policy Studio integration), console views (evidence browser, verification reports, issuer management), and CLI verbs (`stella attest sign|verify|list|fetch`). -- **Phase 3 – Scan & VEX support** - Accept SBOM, ScanResults, VEX, and PolicyEvaluation predicates; integrate with Scanner, Export Center, Excititor, and Policy Engine pipelines. Ensure AOC invariants on ingestion. -- **Phase 4 – Transparency & keys** - Add multi-log submission (primary + mirror), witness endorsements, KMS/HSM/FIDO2 drivers, key rotation/revocation workflows, and audit trails. -- **Phase 5 – Bulk & air gap** - Implement batch submission/verification, DSSE archival to CAS/object storage, export/import bundles for Offline Kit, and mirror transparency log snapshots. -- **Phase 6 – Performance & hardening** - Optimise cache usage, parallel verification (target ≥1 k envelopes/minute per worker), extend observability (metrics/logs/traces), fuzz parsers, and finalise incident playbooks. - -## Work breakdown -- **Attestor service & libraries** - - DSSE validation pipeline (payload whitelist, signature verification, trust roots). - - Rekor client with inclusion-proof acquisition, retry/backoff, mirroring controls. - - Mongo repositories for entries, dedupe, audit; CAS storage for DSSE envelopes. - - Batch submission/verification APIs, verification cache, deterministic serialization. - - Observability hooks: metrics (`attestor_submission_total`, `attestor_verify_seconds`), structured logs, OpenTelemetry traces. 
-- **Signer & Authority integration** - - Enforce mTLS peer validation, Authority scope mapping (`attestor.write`, `attestor.verify`), and DPoP binding. - - Provide signer identity attestation metadata consumed by Attestor. -- **Policy & Console** - - Extend Policy Studio with `VerificationPolicy` authoring, approvals, and simulated results. - - Console workflows: Evidence browser, verification reports, chain-of-custody graph, key management UI, bulk verification screens. -- **CLI & SDK** - - `stella attest` command group (sign/verify/list/fetch/key management) with DSSE canonicalisation and cosign interoperability. - - SDK helpers for DSSE envelope creation, verification, and proof inspection. -- **Export Center & Offline Kit** - - Export Center adapters for attestation bundles; CLI/Console flows to export & import evidence in air-gapped environments. - - Offline Kit scripts for replaying verification, mirroring transparency logs, and reporting gaps. -- **Security & key management** - - KMS/HSM/FIDO2 driver abstraction, key rotation and revocation runbooks, witness endorsements, and revocation telemetry. -- **Docs & training** - - Update module dossier (overview, architecture, implementation plan), key management guides, transparency reference, CLI/Console documentation, and air-gap runbooks. - -## Cross-module dependencies -- **Policy Studio / Policy Engine:** verification policy artefacts, explain integration, remediation hints. -- **Export Center:** attestation bundle export/import, provenance linking. -- **Authority & Tenancy:** scopes, identity attestations, tenant-aware issuer catalogues. -- **Notifications:** attestation success/failure events, key rotation alerts. -- **Observability:** dashboards and alerting for signing/verification pipelines. - -## Acceptance criteria -- Service ingests DSSE envelopes for all supported predicate types, logs them to configured transparency logs, and returns proofs with deterministic hashes. 
-- Verification APIs/CLI/UI validate signatures, inclusion proofs, and policy compliance; cached verification accelerates repeated checks. -- Verification policies gate attestation usage, enforcing issuer, freshness, signature count, and witness requirements. -- Export Center and Offline Kit workflows bundle attestations and replay verification offline. -- Observability coverage includes metrics, traces, logs, audit events, and alert triggers for key compromise, log outages, and verification failure spikes. -- Performance target met (≥1 k envelopes/minute per worker) with horizontal scaling. - -## Risks & mitigations -- **Key compromise or leakage:** enforce hardware-backed keys, rotation procedures, revocation checks, and incident runbooks. -- **Parser bugs / malformed DSSE:** fuzz DSSE and predicate schemas, strict schema validation, fail closed. -- **Transparency outage:** mirror logs, support witness endorsements, queue submissions for retry with exponential backoff. -- **Policy complexity:** ship curated starter policies, provide simulation tooling, and document common scenarios. -- **Offline gaps:** archive bundles and proof material, surface gaps to operators, and document compensating controls. - -## Test strategy -- **Unit:** DSSE validation, Rekor client, dedupe logic, key drivers, policy enforcement. -- **Integration:** submit/verify flows across predicate types, multi-log publishing, batch operations, CLI/UI end-to-end exercises. -- **Security:** tenant isolation, scope enforcement, key rotation regression, tamper detection. -- **Performance:** throughput benchmarks, cache hit-rate monitoring, large batch verification. -- **Chaos:** inject Rekor outages, network failures, corrupt bundles; ensure graceful degradation and auditable alerts. - -## Definition of done -- Phased milestones delivered with telemetry, documentation, and runbooks in place. -- CLI/Console parity verified; Offline Kit procedures validated in sealed environment. 
-- Cross-module dependencies acknowledged in ./TASKS.md and ../../TASKS.md. -- Documentation set refreshed (overview, architecture, key management, transparency, CLI/UI) with imposed rule statement. +# Implementation plan — Attestor + +## Delivery phases +- **Phase 1 – Foundations** + Build the Attestor service skeleton, DSSE bundle ingestion, mTLS/OpTok enforcement, Rekor v2 client, and cache the `{uuid,index,proof}` tuple. Publish base API (`POST /rekor/entries`, `GET /entries/{uuid}`) and Mongo schemas. +- **Phase 2 – Policies & UI** + Deliver verification policy authoring (Policy Studio integration), console views (evidence browser, verification reports, issuer management), and CLI verbs (`stella attest sign|verify|list|fetch`). +- **Phase 3 – Scan & VEX support** + Accept SBOM, ScanResults, VEX, and PolicyEvaluation predicates; integrate with Scanner, Export Center, Excititor, and Policy Engine pipelines. Ensure AOC invariants on ingestion. +- **Phase 4 – Transparency & keys** + Add multi-log submission (primary + mirror), witness endorsements, KMS/HSM/FIDO2 drivers, key rotation/revocation workflows, and audit trails. +- **Phase 5 – Bulk & air gap** + Implement batch submission/verification, DSSE archival to CAS/object storage, export/import bundles for Offline Kit, and mirror transparency log snapshots. +- **Phase 6 – Performance & hardening** + Optimise cache usage, parallel verification (target ≥1 k envelopes/minute per worker), extend observability (metrics/logs/traces), fuzz parsers, and finalise incident playbooks. + +## Work breakdown +- **Attestor service & libraries** + - DSSE validation pipeline (payload whitelist, signature verification, trust roots). + - Rekor client with inclusion-proof acquisition, retry/backoff, mirroring controls. + - Mongo repositories for entries, dedupe, audit; CAS storage for DSSE envelopes. + - Batch submission/verification APIs, verification cache, deterministic serialization. 
+ - Observability hooks: metrics (`attestor_submission_total`, `attestor_verify_seconds`), structured logs, OpenTelemetry traces. +- **Signer & Authority integration** + - Enforce mTLS peer validation, Authority scope mapping (`attestor.write`, `attestor.verify`), and DPoP binding. + - Provide signer identity attestation metadata consumed by Attestor. +- **Policy & Console** + - Extend Policy Studio with `VerificationPolicy` authoring, approvals, and simulated results. + - Console workflows: Evidence browser, verification reports, chain-of-custody graph, key management UI, bulk verification screens. +- **CLI & SDK** + - `stella attest` command group (sign/verify/list/fetch/key management) with DSSE canonicalisation and cosign interoperability. + - SDK helpers for DSSE envelope creation, verification, and proof inspection. +- **Export Center & Offline Kit** + - Export Center adapters for attestation bundles; CLI/Console flows to export & import evidence in air-gapped environments. + - Offline Kit scripts for replaying verification, mirroring transparency logs, and reporting gaps. +- **Security & key management** + - KMS/HSM/FIDO2 driver abstraction, key rotation and revocation runbooks, witness endorsements, and revocation telemetry. +- **Docs & training** + - Update module dossier (overview, architecture, implementation plan), key management guides, transparency reference, CLI/Console documentation, and air-gap runbooks. + +## Cross-module dependencies +- **Policy Studio / Policy Engine:** verification policy artefacts, explain integration, remediation hints. +- **Export Center:** attestation bundle export/import, provenance linking. +- **Authority & Tenancy:** scopes, identity attestations, tenant-aware issuer catalogues. +- **Notifications:** attestation success/failure events, key rotation alerts. +- **Observability:** dashboards and alerting for signing/verification pipelines. 
+ +## Acceptance criteria +- Service ingests DSSE envelopes for all supported predicate types, logs them to configured transparency logs, and returns proofs with deterministic hashes. +- Verification APIs/CLI/UI validate signatures, inclusion proofs, and policy compliance; cached verification accelerates repeated checks. +- Verification policies gate attestation usage, enforcing issuer, freshness, signature count, and witness requirements. +- Export Center and Offline Kit workflows bundle attestations and replay verification offline. +- Observability coverage includes metrics, traces, logs, audit events, and alert triggers for key compromise, log outages, and verification failure spikes. +- Performance target met (≥1 k envelopes/minute per worker) with horizontal scaling. + +## Risks & mitigations +- **Key compromise or leakage:** enforce hardware-backed keys, rotation procedures, revocation checks, and incident runbooks. +- **Parser bugs / malformed DSSE:** fuzz DSSE and predicate schemas, strict schema validation, fail closed. +- **Transparency outage:** mirror logs, support witness endorsements, queue submissions for retry with exponential backoff. +- **Policy complexity:** ship curated starter policies, provide simulation tooling, and document common scenarios. +- **Offline gaps:** archive bundles and proof material, surface gaps to operators, and document compensating controls. + +## Test strategy +- **Unit:** DSSE validation, Rekor client, dedupe logic, key drivers, policy enforcement. +- **Integration:** submit/verify flows across predicate types, multi-log publishing, batch operations, CLI/UI end-to-end exercises. +- **Security:** tenant isolation, scope enforcement, key rotation regression, tamper detection. +- **Performance:** throughput benchmarks, cache hit-rate monitoring, large batch verification. +- **Chaos:** inject Rekor outages, network failures, corrupt bundles; ensure graceful degradation and auditable alerts. 
+ +## Definition of done +- Phased milestones delivered with telemetry, documentation, and runbooks in place. +- CLI/Console parity verified; Offline Kit procedures validated in sealed environment. +- Cross-module dependencies acknowledged in ./TASKS.md and ../../TASKS.md. +- Documentation set refreshed (overview, architecture, key management, transparency, CLI/UI) with imposed rule statement. diff --git a/docs/modules/authority/AGENTS.md b/docs/modules/authority/AGENTS.md index a1af49e0..42c48c82 100644 --- a/docs/modules/authority/AGENTS.md +++ b/docs/modules/authority/AGENTS.md 
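Review bot: in the attestor `implementation_plan.md` hunk, every removed line is re-added verbatim (the `-` and `+` bodies are identical from the title through "Definition of done"), so this is a whitespace or line-ending-only rewrite rather than the content change the subject line "Align AOC tasks" suggests. Splitting the normalization into its own commit, or enforcing it through a `.gitattributes` rule such as `* text=auto eol=lf`, would keep the substantive AOC changes reviewable and avoid re-blaming all 74 lines; if the full rewrite is intentional, a one-line mention in the commit message would help the next reader.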
@@ -1,22 +1,22 @@ -# Authority agent guide - -## Mission -Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +# Authority agent guide + +## Mission +Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). 
+- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. - Update runbooks/observability assets when operational characteristics change. \ No newline at end of file diff --git a/docs/modules/authority/README.md b/docs/modules/authority/README.md index 24d1c2b3..fdce7a65 100644 --- a/docs/modules/authority/README.md +++ b/docs/modules/authority/README.md 
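Review bot: in the authority `AGENTS.md` hunk, the final line `- Update runbooks/observability assets when operational characteristics change.` is unchanged context still followed by `\ No newline at end of file`, so the rewrite normalizes the other 21 lines but leaves the file without a trailing newline; add it here so the file matches the other docs touched by this patch and stops reappearing in future whitespace diffs. Minor style point in the same hunk: "Key docs" uses markdown links while "How to get started" and "Guardrails" use bare paths such as `../../implplan/SPRINTS.md` and `../../ingestion/aggregation-only-contract.md`; since the file is being rewritten anyway, making those links too would be cheap.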
@@ -1,40 +1,40 @@ -# StellaOps Authority - -Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. - -## Responsibilities -- Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding. -- Manage signing keys, JWKS rotation, and PoE integration for plan enforcement. -- Emit structured audit events and enforce tenant-aware scope policies. -- Provide plugin surface for custom identity providers and credential validators. - -## Key components -- `StellaOps.Authority` web host. -- `StellaOps.Authority.Plugin.*` extensions for secret stores, identity bridges, and OpTok validation. -- Telemetry and audit pipeline feeding Security/Observability stacks. - -## Integrations & dependencies -- Signer/Attestor for PoE and OpTok introspection. -- CLI/UI for login flows and token management. -- Scheduler/Scanner for machine-to-machine scope enforcement. - -## Operational notes -- MongoDB for tenant, client, and token state. -- Key material in KMS/HSM with rotation runbooks (see ./operations/key-rotation.md). -- Grafana/Prometheus dashboards for auth latency/issuance. - -## Related resources -- ./operations/backup-restore.md -- ./operations/key-rotation.md -- ./operations/monitoring.md -- ./operations/grafana-dashboard.json - -## Backlog references -- DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md. -- AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md. - -## Epic alignment -- **Epic 1 – AOC enforcement:** enforce OpTok scopes and guardrails supporting raw ingestion boundaries. -- **Epic 2 – Policy Engine & Editor:** supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows. -- **Epic 4 – Policy Studio:** integrate approval/promotion signatures and policy registry access controls. 
-- **Epic 14 – Identity & Tenancy:** deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication. +# StellaOps Authority + +Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. + +## Responsibilities +- Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding. +- Manage signing keys, JWKS rotation, and PoE integration for plan enforcement. +- Emit structured audit events and enforce tenant-aware scope policies. +- Provide plugin surface for custom identity providers and credential validators. + +## Key components +- `StellaOps.Authority` web host. +- `StellaOps.Authority.Plugin.*` extensions for secret stores, identity bridges, and OpTok validation. +- Telemetry and audit pipeline feeding Security/Observability stacks. + +## Integrations & dependencies +- Signer/Attestor for PoE and OpTok introspection. +- CLI/UI for login flows and token management. +- Scheduler/Scanner for machine-to-machine scope enforcement. + +## Operational notes +- MongoDB for tenant, client, and token state. +- Key material in KMS/HSM with rotation runbooks (see ./operations/key-rotation.md). +- Grafana/Prometheus dashboards for auth latency/issuance. + +## Related resources +- ./operations/backup-restore.md +- ./operations/key-rotation.md +- ./operations/monitoring.md +- ./operations/grafana-dashboard.json + +## Backlog references +- DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md. +- AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md. + +## Epic alignment +- **Epic 1 – AOC enforcement:** enforce OpTok scopes and guardrails supporting raw ingestion boundaries. +- **Epic 2 – Policy Engine & Editor:** supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows. +- **Epic 4 – Policy Studio:** integrate approval/promotion signatures and policy registry access controls. 
+- **Epic 14 – Identity & Tenancy:** deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication. diff --git a/docs/modules/authority/TASKS.md b/docs/modules/authority/TASKS.md index ba0f6b46..63f3c646 100644 --- a/docs/modules/authority/TASKS.md +++ b/docs/modules/authority/TASKS.md @@ -1,9 +1,9 @@ -# Task board — Authority - -> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. - -| ID | Status | Owner(s) | Description | Notes | -|----|--------|----------|-------------|-------| -| AUTHORITY-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | -| AUTHORITY-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| AUTHORITY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +# Task board — Authority + +> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. + +| ID | Status | Owner(s) | Description | Notes | +|----|--------|----------|-------------|-------| +| AUTHORITY-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | +| AUTHORITY-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | +| AUTHORITY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/authority/implementation_plan.md b/docs/modules/authority/implementation_plan.md index f6f83d36..eaa6547d 100644 --- a/docs/modules/authority/implementation_plan.md +++ b/docs/modules/authority/implementation_plan.md 
@@ -1,22 +1,22 @@ -# Implementation plan — Authority - -## Current objectives -- Maintain deterministic behaviour and offline parity across releases. -- Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes. - -## Workstreams -- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap. -- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs. -- Validation: extend tests/fixtures to preserve determinism and provenance requirements. - -## Epic milestones -- **Epic 1 – AOC enforcement:** deliver OpTok scopes, guardrails, and AOC verifier hooks for ingestion services. -- **Epic 2 – Policy Engine & Editor:** support policy evaluator flows (device-code, client credentials, scope sandboxing). -- **Epic 4 – Policy Studio:** provide registry/promotion signing, approvals, and fresh-auth prompts. -- **Epic 14 – Identity & Tenancy:** implement tenant isolation, RBAC hierarchies, audit trails, and PoE integration. -- Track additional work (DOCS-SEC-62-001, AUTH-POLICY-20-001/002) in ../../TASKS.md and src/Authority/**/TASKS.md. - -## Coordination -- Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. -- Update this plan whenever scope, dependencies, or guardrails change. +# Implementation plan — Authority + +## Current objectives +- Maintain deterministic behaviour and offline parity across releases. +- Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes. + +## Workstreams +- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap. +- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs. +- Validation: extend tests/fixtures to preserve determinism and provenance requirements. + +## Epic milestones +- **Epic 1 – AOC enforcement:** deliver OpTok scopes, guardrails, and AOC verifier hooks for ingestion services. 
+- **Epic 2 – Policy Engine & Editor:** support policy evaluator flows (device-code, client credentials, scope sandboxing). +- **Epic 4 – Policy Studio:** provide registry/promotion signing, approvals, and fresh-auth prompts. +- **Epic 14 – Identity & Tenancy:** implement tenant isolation, RBAC hierarchies, audit trails, and PoE integration. +- Track additional work (DOCS-SEC-62-001, AUTH-POLICY-20-001/002) in ../../TASKS.md and src/Authority/**/TASKS.md. + +## Coordination +- Review ./AGENTS.md before picking up new work. +- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/authority/operations/backup-restore.md b/docs/modules/authority/operations/backup-restore.md index 4e201e5e..aa7fdfe8 100644 --- a/docs/modules/authority/operations/backup-restore.md +++ b/docs/modules/authority/operations/backup-restore.md 
@@ -1,97 +1,97 @@ -# Authority Backup & Restore Runbook - -## Scope -- **Applies to:** StellaOps Authority deployments running the official `ops/authority/docker-compose.authority.yaml` stack or equivalent Kubernetes packaging. -- **Artifacts covered:** MongoDB (`stellaops-authority` database), Authority configuration (`etc/authority.yaml`), plugin manifests under `etc/authority.plugins/`, and signing key material stored in the `authority-keys` volume (defaults to `/app/keys` inside the container). -- **Frequency:** Run the full procedure prior to upgrades, before rotating keys, and at least once per 24 h in production. Store snapshots in an encrypted, access-controlled vault. - -## Inventory Checklist -| Component | Location (compose default) | Notes | -| --- | --- | --- | -| Mongo data | `mongo-data` volume (`/var/lib/docker/volumes/.../mongo-data`) | Contains all Authority collections (`AuthorityUser`, `AuthorityClient`, `AuthorityToken`, etc.). | -| Configuration | `etc/authority.yaml` | Mounted read-only into the container at `/etc/authority.yaml`. | -| Plugin manifests | `etc/authority.plugins/*.yaml` | Includes `standard.yaml` with `tokenSigning.keyDirectory`. | -| Signing keys | `authority-keys` volume -> `/app/keys` | Path is derived from `tokenSigning.keyDirectory` (defaults to `../keys` relative to the manifest). | - -> **TIP:** Confirm the deployed key directory via `tokenSigning.keyDirectory` in `etc/authority.plugins/standard.yaml`; some installations relocate keys to `/var/lib/stellaops/authority/keys`. - -## Hot Backup (no downtime) -1. **Create output directory:** `mkdir -p backup/$(date +%Y-%m-%d)` on the host. -2. 
**Dump Mongo:** - ```bash - docker compose -f ops/authority/docker-compose.authority.yaml exec mongo \ - mongodump --archive=/dump/authority-$(date +%Y%m%dT%H%M%SZ).gz \ - --gzip --db stellaops-authority - docker compose -f ops/authority/docker-compose.authority.yaml cp \ - mongo:/dump/authority-$(date +%Y%m%dT%H%M%SZ).gz backup/ - ``` - The `mongodump` archive preserves indexes and can be restored with `mongorestore --archive --gzip`. -3. **Capture configuration + manifests:** - ```bash - cp etc/authority.yaml backup/ - rsync -a etc/authority.plugins/ backup/authority.plugins/ - ``` -4. **Export signing keys:** the compose file maps `authority-keys` to a local Docker volume. Snapshot it without stopping the service: - ```bash - docker run --rm \ - -v authority-keys:/keys \ - -v "$(pwd)/backup:/backup" \ - busybox tar czf /backup/authority-keys-$(date +%Y%m%dT%H%M%SZ).tar.gz -C /keys . - ``` -5. **Checksum:** generate SHA-256 digests for every file and store them alongside the artefacts. -6. **Encrypt & upload:** wrap the backup folder using your secrets management standard (e.g., age, GPG) and upload to the designated offline vault. - -## Cold Backup (planned downtime) -1. Notify stakeholders and drain traffic (CLI clients should refresh tokens afterwards). -2. Stop services: - ```bash - docker compose -f ops/authority/docker-compose.authority.yaml down - ``` -3. Back up volumes directly using `tar`: - ```bash - docker run --rm -v mongo-data:/data -v "$(pwd)/backup:/backup" \ - busybox tar czf /backup/mongo-data-$(date +%Y%m%d).tar.gz -C /data . - docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \ - busybox tar czf /backup/authority-keys-$(date +%Y%m%d).tar.gz -C /keys . - ``` -4. Copy configuration + manifests as in the hot backup (steps 3–6). -5. Restart services and verify health: - ```bash - docker compose -f ops/authority/docker-compose.authority.yaml up -d - curl -fsS http://localhost:8080/ready - ``` - -## Restore Procedure -1. 
**Provision clean volumes:** remove existing volumes if you’re rebuilding a node (`docker volume rm mongo-data authority-keys`), then recreate the compose stack so empty volumes exist. -2. **Restore Mongo:** - ```bash - docker compose exec -T mongo mongorestore --archive --gzip --drop < backup/authority-YYYYMMDDTHHMMSSZ.gz - ``` - Use `--drop` to replace collections; omit if doing a partial restore. -3. **Restore configuration/manifests:** copy `authority.yaml` and `authority.plugins/*` into place before starting the Authority container. -4. **Restore signing keys:** untar into the mounted volume: - ```bash - docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \ - busybox tar xzf /backup/authority-keys-YYYYMMDD.tar.gz -C /keys - ``` - Ensure file permissions remain `600` for private keys (`chmod -R 600`). -5. **Start services & validate:** - ```bash - docker compose up -d - curl -fsS http://localhost:8080/health - ``` +# Authority Backup & Restore Runbook + +## Scope +- **Applies to:** StellaOps Authority deployments running the official `ops/authority/docker-compose.authority.yaml` stack or equivalent Kubernetes packaging. +- **Artifacts covered:** MongoDB (`stellaops-authority` database), Authority configuration (`etc/authority.yaml`), plugin manifests under `etc/authority.plugins/`, and signing key material stored in the `authority-keys` volume (defaults to `/app/keys` inside the container). +- **Frequency:** Run the full procedure prior to upgrades, before rotating keys, and at least once per 24 h in production. Store snapshots in an encrypted, access-controlled vault. + +## Inventory Checklist +| Component | Location (compose default) | Notes | +| --- | --- | --- | +| Mongo data | `mongo-data` volume (`/var/lib/docker/volumes/.../mongo-data`) | Contains all Authority collections (`AuthorityUser`, `AuthorityClient`, `AuthorityToken`, etc.). | +| Configuration | `etc/authority.yaml` | Mounted read-only into the container at `/etc/authority.yaml`. 
| +| Plugin manifests | `etc/authority.plugins/*.yaml` | Includes `standard.yaml` with `tokenSigning.keyDirectory`. | +| Signing keys | `authority-keys` volume -> `/app/keys` | Path is derived from `tokenSigning.keyDirectory` (defaults to `../keys` relative to the manifest). | + +> **TIP:** Confirm the deployed key directory via `tokenSigning.keyDirectory` in `etc/authority.plugins/standard.yaml`; some installations relocate keys to `/var/lib/stellaops/authority/keys`. + +## Hot Backup (no downtime) +1. **Create output directory:** `mkdir -p backup/$(date +%Y-%m-%d)` on the host. +2. **Dump Mongo:** + ```bash + docker compose -f ops/authority/docker-compose.authority.yaml exec mongo \ + mongodump --archive=/dump/authority-$(date +%Y%m%dT%H%M%SZ).gz \ + --gzip --db stellaops-authority + docker compose -f ops/authority/docker-compose.authority.yaml cp \ + mongo:/dump/authority-$(date +%Y%m%dT%H%M%SZ).gz backup/ + ``` + The `mongodump` archive preserves indexes and can be restored with `mongorestore --archive --gzip`. +3. **Capture configuration + manifests:** + ```bash + cp etc/authority.yaml backup/ + rsync -a etc/authority.plugins/ backup/authority.plugins/ + ``` +4. **Export signing keys:** the compose file maps `authority-keys` to a local Docker volume. Snapshot it without stopping the service: + ```bash + docker run --rm \ + -v authority-keys:/keys \ + -v "$(pwd)/backup:/backup" \ + busybox tar czf /backup/authority-keys-$(date +%Y%m%dT%H%M%SZ).tar.gz -C /keys . + ``` +5. **Checksum:** generate SHA-256 digests for every file and store them alongside the artefacts. +6. **Encrypt & upload:** wrap the backup folder using your secrets management standard (e.g., age, GPG) and upload to the designated offline vault. + +## Cold Backup (planned downtime) +1. Notify stakeholders and drain traffic (CLI clients should refresh tokens afterwards). +2. Stop services: + ```bash + docker compose -f ops/authority/docker-compose.authority.yaml down + ``` +3. 
Back up volumes directly using `tar`: + ```bash + docker run --rm -v mongo-data:/data -v "$(pwd)/backup:/backup" \ + busybox tar czf /backup/mongo-data-$(date +%Y%m%d).tar.gz -C /data . + docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \ + busybox tar czf /backup/authority-keys-$(date +%Y%m%d).tar.gz -C /keys . + ``` +4. Copy configuration + manifests as in the hot backup (steps 3–6). +5. Restart services and verify health: + ```bash + docker compose -f ops/authority/docker-compose.authority.yaml up -d + curl -fsS http://localhost:8080/ready + ``` + +## Restore Procedure +1. **Provision clean volumes:** remove existing volumes if you’re rebuilding a node (`docker volume rm mongo-data authority-keys`), then recreate the compose stack so empty volumes exist. +2. **Restore Mongo:** + ```bash + docker compose exec -T mongo mongorestore --archive --gzip --drop < backup/authority-YYYYMMDDTHHMMSSZ.gz + ``` + Use `--drop` to replace collections; omit if doing a partial restore. +3. **Restore configuration/manifests:** copy `authority.yaml` and `authority.plugins/*` into place before starting the Authority container. +4. **Restore signing keys:** untar into the mounted volume: + ```bash + docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \ + busybox tar xzf /backup/authority-keys-YYYYMMDD.tar.gz -C /keys + ``` + Ensure file permissions remain `600` for private keys (`chmod -R 600`). +5. **Start services & validate:** + ```bash + docker compose up -d + curl -fsS http://localhost:8080/health + ``` 6. **Validate JWKS and tokens:** call `/jwks` and issue a short-lived token via the CLI to confirm key material matches expectations. If the restored environment requires a fresh signing key, follow the rotation SOP in [`docs/11_AUTHORITY.md`](../../../11_AUTHORITY.md) using `ops/authority/key-rotation.sh` to invoke `/internal/signing/rotate`. 
- -## Disaster Recovery Notes -- **Air-gapped replication:** replicate archives via the Offline Update Kit transport channels; never attach USB devices without scanning. -- **Retention:** maintain 30 daily snapshots + 12 monthly archival copies. Rotate encryption keys annually. + +## Disaster Recovery Notes +- **Air-gapped replication:** replicate archives via the Offline Update Kit transport channels; never attach USB devices without scanning. +- **Retention:** maintain 30 daily snapshots + 12 monthly archival copies. Rotate encryption keys annually. - **Key compromise:** if signing keys are suspected compromised, restore from the latest clean backup, rotate via OPS3 (see `ops/authority/key-rotation.sh` and [`docs/11_AUTHORITY.md`](../../../11_AUTHORITY.md)), and publish a revocation notice. -- **Mongo version:** keep dump/restore images pinned to the deployment version (compose uses `mongo:7`). Driver 3.5.0 requires MongoDB **4.2+**—clusters still on 4.0 must be upgraded before restore, and future driver releases will drop 4.0 entirely. citeturn1open1 - -## Verification Checklist -- [ ] `/ready` reports all identity providers ready. -- [ ] OAuth flows issue tokens signed by the restored keys. -- [ ] `PluginRegistrationSummary` logs expected providers on startup. -- [ ] Revocation manifest export (`dotnet run --project src/Authority/StellaOps.Authority`) succeeds. -- [ ] Monitoring dashboards show metrics resuming (see OPS5 deliverables). - +- **Mongo version:** keep dump/restore images pinned to the deployment version (compose uses `mongo:7`). Driver 3.5.0 requires MongoDB **4.2+**—clusters still on 4.0 must be upgraded before restore, and future driver releases will drop 4.0 entirely. citeturn1open1 + +## Verification Checklist +- [ ] `/ready` reports all identity providers ready. +- [ ] OAuth flows issue tokens signed by the restored keys. +- [ ] `PluginRegistrationSummary` logs expected providers on startup. 
+- [ ] Revocation manifest export (`dotnet run --project src/Authority/StellaOps.Authority`) succeeds. +- [ ] Monitoring dashboards show metrics resuming (see OPS5 deliverables). + diff --git a/docs/modules/authority/operations/grafana-dashboard.json b/docs/modules/authority/operations/grafana-dashboard.json index 9f4cfc02..816393d9 100644 --- a/docs/modules/authority/operations/grafana-dashboard.json +++ b/docs/modules/authority/operations/grafana-dashboard.json 
@@ -1,174 +1,174 @@ -{ - "title": "StellaOps Authority - Token & Access Monitoring", - "uid": "authority-token-monitoring", - "schemaVersion": 38, - "version": 1, - "editable": true, - "timezone": "", - "graphTooltip": 0, - "time": { - "from": "now-6h", - "to": "now" - }, - "templating": { - "list": [ - { - "name": "datasource", - "type": "datasource", - "query": "prometheus", - "refresh": 1, - "hide": 0, - "current": {} - } - ] - }, - "panels": [ - { - "id": 1, - "title": "Token Requests – Success vs Failure", - "type": "timeseries", - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "fieldConfig": { - "defaults": { - "unit": "req/s", - "displayName": "{{grant_type}} ({{status}})" - }, - "overrides": [] - }, - "targets": [ - { - "refId": "A", - "expr": "sum by (grant_type, status) (rate(http_server_duration_seconds_count{service_name=\"stellaops-authority\", http_route=\"/token\"}[5m]))", - "legendFormat": "{{grant_type}} {{status}}" - } - ], - "options": { - "legend": { - "displayMode": "table", - "placement": "bottom" - }, - "tooltip": { - "mode": "multi" - } - } - }, - { - "id": 2, - "title": "Rate Limiter Rejections", - "type": "timeseries", - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "fieldConfig": { - "defaults": { - "unit": "req/s", - "displayName": "{{limiter}}" - }, - "overrides": [] - }, - "targets": [ - { - "refId": "A", - "expr": "sum by (limiter) (rate(aspnetcore_rate_limiting_rejections_total{service_name=\"stellaops-authority\"}[5m]))", - "legendFormat": "{{limiter}}" - } - ] - }, - { - "id": 3, - "title": "Bypass Events (5m)", - "type": "stat", - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "fieldConfig": { - "defaults": { - "unit": "short", - "color": { - "mode": "thresholds" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { "color": "green", "value": null }, - { "color": "orange", "value": 1 }, - { "color": "red", "value": 5 } - ] - } - }, - "overrides": 
[] - }, - "targets": [ - { - "refId": "A", - "expr": "sum(rate(log_messages_total{message_template=\"Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}.\"}[5m]))" - } - ], - "options": { - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "orientation": "horizontal", - "textMode": "auto" - } - }, - { - "id": 4, - "title": "Lockout Events (15m)", - "type": "stat", - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "fieldConfig": { - "defaults": { - "unit": "short", - "color": { - "mode": "thresholds" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { "color": "green", "value": null }, - { "color": "orange", "value": 5 }, - { "color": "red", "value": 10 } - ] - } - }, - "overrides": [] - }, - "targets": [ - { - "refId": "A", - "expr": "sum(rate(log_messages_total{message_template=\"Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter}).\"}[15m]))" - } - ], - "options": { - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "orientation": "horizontal", - "textMode": "auto" - } - }, - { - "id": 5, - "title": "Trace Explorer Shortcut", - "type": "text", - "options": { - "mode": "markdown", - "content": "[Open Trace Explorer](#/explore?left={\"datasource\":\"tempo\",\"queries\":[{\"query\":\"{service.name=\\\"stellaops-authority\\\", span_name=~\\\"authority.token.*\\\"}\",\"refId\":\"A\"}]})" - } - } - ], - "links": [] -} +{ + "title": "StellaOps Authority - Token & Access Monitoring", + "uid": "authority-token-monitoring", + "schemaVersion": 38, + "version": 1, + "editable": true, + "timezone": "", + "graphTooltip": 0, + "time": { + "from": "now-6h", + "to": "now" + }, + "templating": { + "list": [ + { + "name": "datasource", + "type": "datasource", + "query": "prometheus", + "refresh": 1, + "hide": 0, + "current": {} + } + ] + }, + "panels": [ + { + "id": 1, + "title": "Token Requests – Success vs Failure", + 
"type": "timeseries", + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "unit": "req/s", + "displayName": "{{grant_type}} ({{status}})" + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "expr": "sum by (grant_type, status) (rate(http_server_duration_seconds_count{service_name=\"stellaops-authority\", http_route=\"/token\"}[5m]))", + "legendFormat": "{{grant_type}} {{status}}" + } + ], + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom" + }, + "tooltip": { + "mode": "multi" + } + } + }, + { + "id": 2, + "title": "Rate Limiter Rejections", + "type": "timeseries", + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "unit": "req/s", + "displayName": "{{limiter}}" + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "expr": "sum by (limiter) (rate(aspnetcore_rate_limiting_rejections_total{service_name=\"stellaops-authority\"}[5m]))", + "legendFormat": "{{limiter}}" + } + ] + }, + { + "id": 3, + "title": "Bypass Events (5m)", + "type": "stat", + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "unit": "short", + "color": { + "mode": "thresholds" + }, + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "orange", "value": 1 }, + { "color": "red", "value": 5 } + ] + } + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "expr": "sum(rate(log_messages_total{message_template=\"Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}.\"}[5m]))" + } + ], + "options": { + "reduceOptions": { + "calcs": ["last"], + "fields": "", + "values": false + }, + "orientation": "horizontal", + "textMode": "auto" + } + }, + { + "id": 4, + "title": "Lockout Events (15m)", + "type": "stat", + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + 
"defaults": { + "unit": "short", + "color": { + "mode": "thresholds" + }, + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "orange", "value": 5 }, + { "color": "red", "value": 10 } + ] + } + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "expr": "sum(rate(log_messages_total{message_template=\"Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter}).\"}[15m]))" + } + ], + "options": { + "reduceOptions": { + "calcs": ["last"], + "fields": "", + "values": false + }, + "orientation": "horizontal", + "textMode": "auto" + } + }, + { + "id": 5, + "title": "Trace Explorer Shortcut", + "type": "text", + "options": { + "mode": "markdown", + "content": "[Open Trace Explorer](#/explore?left={\"datasource\":\"tempo\",\"queries\":[{\"query\":\"{service.name=\\\"stellaops-authority\\\", span_name=~\\\"authority.token.*\\\"}\",\"refId\":\"A\"}]})" + } + } + ], + "links": [] +} diff --git a/docs/modules/authority/operations/key-rotation.md b/docs/modules/authority/operations/key-rotation.md index f1c88a13..33721b3d 100644 --- a/docs/modules/authority/operations/key-rotation.md +++ b/docs/modules/authority/operations/key-rotation.md 
@@ -1,94 +1,94 @@ -# Authority Signing Key Rotation Playbook - -> **Status:** Authored 2025-10-12 as part of OPS3.KEY-ROTATION rollout. -> Use together with `docs/11_AUTHORITY.md` (Authority service guide) and the automation shipped under `ops/authority/`. - -## 1. Overview - -Authority publishes JWKS and revocation bundles signed with ES256 keys. To rotate those keys without downtime we now provide: - -- **Automation script:** `ops/authority/key-rotation.sh` - Shell helper that POSTS to `/internal/signing/rotate`, supports metadata, dry-run, and confirms JWKS afterwards. -- **CI workflow:** `.gitea/workflows/authority-key-rotation.yml` - Manual dispatch workflow that pulls environment-specific secrets, runs the script, and records the result. Works across staging/production by passing the `environment` input. - -This playbook documents the repeatable sequence for all environments. - -## 2. Pre-requisites - -1. **Generate a new PEM key (per environment)** - ```bash - openssl ecparam -name prime256v1 -genkey -noout \ - -out certificates/authority-signing--.pem - chmod 600 certificates/authority-signing--.pem - ``` -2. **Stash the previous key** under the same volume so it can be referenced in `signing.additionalKeys` after rotation. -3. **Ensure secrets/vars exist in Gitea** - - `_AUTHORITY_BOOTSTRAP_KEY` - - `_AUTHORITY_URL` - - Optional shared defaults `AUTHORITY_BOOTSTRAP_KEY`, `AUTHORITY_URL`. - -## 3. Executing the rotation - -### Option A – via CI workflow (recommended) - -1. Navigate to **Actions → Authority Key Rotation**. -2. Provide inputs: - - `environment`: `staging`, `production`, etc. - - `key_id`: new `kid` (e.g. `authority-signing-2025-dev`). - - `key_path`: path as seen by the Authority service (e.g. `../certificates/authority-signing-2025-dev.pem`). - - Optional `metadata`: comma-separated `key=value` pairs (for audit trails). -3. Trigger. The workflow: - - Reads the bootstrap key/URL from secrets. - - Runs `ops/authority/key-rotation.sh`. 
- - Prints the JWKS response for verification. - -### Option B – manual shell invocation - -```bash -AUTHORITY_BOOTSTRAP_KEY=$(cat /secure/authority-bootstrap.key) \ -./ops/authority/key-rotation.sh \ - --authority-url https://authority.example.com \ - --key-id authority-signing-2025-dev \ - --key-path ../certificates/authority-signing-2025-dev.pem \ - --meta rotatedBy=ops --meta changeTicket=OPS-1234 -``` - -Use `--dry-run` to inspect the payload before execution. - -## 4. Post-rotation checklist - -1. Update `authority.yaml` (or environment-specific overrides): - - Set `signing.activeKeyId` to the new key. - - Set `signing.keyPath` to the new PEM. - - Append the previous key into `signing.additionalKeys`. - - Ensure `keySource`/`provider` match the values passed to the script. -2. Run `stellaops-cli auth revoke export` so revocation bundles are re-signed with the new key. -3. Confirm `/jwks` lists the new `kid` with `status: "active"` and the previous one as `retired`. -4. Archive the old key securely; keep it available until all tokens/bundles signed with it have expired. - -## 5. Development key state - -For the sample configuration (`etc/authority.yaml.sample`) we minted a placeholder dev key: - -- Active: `authority-signing-2025-dev` (`certificates/authority-signing-2025-dev.pem`) -- Retired: `authority-signing-dev` - -Treat these as examples; real environments must maintain their own PEM material. - -## 6. References - -- `docs/11_AUTHORITY.md` – Architecture and rotation SOP (Section 5). -- `docs/modules/authority/operations/backup-restore.md` – Recovery flow referencing this playbook. -- `ops/authority/README.md` – CLI usage and examples. -- `scripts/rotate-policy-cli-secret.sh` – Helper to mint new `policy-cli` shared secrets when policy scope bundles change. - -## 7. Appendix — Policy CLI secret rotation - -Scope migrations such as AUTH-POLICY-23-004 require issuing fresh credentials for the `policy-cli` client. 
Use the helper script committed with the repo to keep secrets deterministic across environments. - -```bash -./scripts/rotate-policy-cli-secret.sh --output etc/secrets/policy-cli.secret -``` - -The script writes a timestamped header and a random secret into the target file. Use `--dry-run` when generating material for external secret stores. After updating secrets in staging/production, recycle the Authority pods and confirm the new client credentials work before the next release freeze. +# Authority Signing Key Rotation Playbook + +> **Status:** Authored 2025-10-12 as part of OPS3.KEY-ROTATION rollout. +> Use together with `docs/11_AUTHORITY.md` (Authority service guide) and the automation shipped under `ops/authority/`. + +## 1. Overview + +Authority publishes JWKS and revocation bundles signed with ES256 keys. To rotate those keys without downtime we now provide: + +- **Automation script:** `ops/authority/key-rotation.sh` + Shell helper that POSTS to `/internal/signing/rotate`, supports metadata, dry-run, and confirms JWKS afterwards. +- **CI workflow:** `.gitea/workflows/authority-key-rotation.yml` + Manual dispatch workflow that pulls environment-specific secrets, runs the script, and records the result. Works across staging/production by passing the `environment` input. + +This playbook documents the repeatable sequence for all environments. + +## 2. Pre-requisites + +1. **Generate a new PEM key (per environment)** + ```bash + openssl ecparam -name prime256v1 -genkey -noout \ + -out certificates/authority-signing--.pem + chmod 600 certificates/authority-signing--.pem + ``` +2. **Stash the previous key** under the same volume so it can be referenced in `signing.additionalKeys` after rotation. +3. **Ensure secrets/vars exist in Gitea** + - `_AUTHORITY_BOOTSTRAP_KEY` + - `_AUTHORITY_URL` + - Optional shared defaults `AUTHORITY_BOOTSTRAP_KEY`, `AUTHORITY_URL`. + +## 3. Executing the rotation + +### Option A – via CI workflow (recommended) + +1. 
Navigate to **Actions → Authority Key Rotation**. +2. Provide inputs: + - `environment`: `staging`, `production`, etc. + - `key_id`: new `kid` (e.g. `authority-signing-2025-dev`). + - `key_path`: path as seen by the Authority service (e.g. `../certificates/authority-signing-2025-dev.pem`). + - Optional `metadata`: comma-separated `key=value` pairs (for audit trails). +3. Trigger. The workflow: + - Reads the bootstrap key/URL from secrets. + - Runs `ops/authority/key-rotation.sh`. + - Prints the JWKS response for verification. + +### Option B – manual shell invocation + +```bash +AUTHORITY_BOOTSTRAP_KEY=$(cat /secure/authority-bootstrap.key) \ +./ops/authority/key-rotation.sh \ + --authority-url https://authority.example.com \ + --key-id authority-signing-2025-dev \ + --key-path ../certificates/authority-signing-2025-dev.pem \ + --meta rotatedBy=ops --meta changeTicket=OPS-1234 +``` + +Use `--dry-run` to inspect the payload before execution. + +## 4. Post-rotation checklist + +1. Update `authority.yaml` (or environment-specific overrides): + - Set `signing.activeKeyId` to the new key. + - Set `signing.keyPath` to the new PEM. + - Append the previous key into `signing.additionalKeys`. + - Ensure `keySource`/`provider` match the values passed to the script. +2. Run `stellaops-cli auth revoke export` so revocation bundles are re-signed with the new key. +3. Confirm `/jwks` lists the new `kid` with `status: "active"` and the previous one as `retired`. +4. Archive the old key securely; keep it available until all tokens/bundles signed with it have expired. + +## 5. Development key state + +For the sample configuration (`etc/authority.yaml.sample`) we minted a placeholder dev key: + +- Active: `authority-signing-2025-dev` (`certificates/authority-signing-2025-dev.pem`) +- Retired: `authority-signing-dev` + +Treat these as examples; real environments must maintain their own PEM material. + +## 6. 
References + +- `docs/11_AUTHORITY.md` – Architecture and rotation SOP (Section 5). +- `docs/modules/authority/operations/backup-restore.md` – Recovery flow referencing this playbook. +- `ops/authority/README.md` – CLI usage and examples. +- `scripts/rotate-policy-cli-secret.sh` – Helper to mint new `policy-cli` shared secrets when policy scope bundles change. + +## 7. Appendix — Policy CLI secret rotation + +Scope migrations such as AUTH-POLICY-23-004 require issuing fresh credentials for the `policy-cli` client. Use the helper script committed with the repo to keep secrets deterministic across environments. + +```bash +./scripts/rotate-policy-cli-secret.sh --output etc/secrets/policy-cli.secret +``` + +The script writes a timestamped header and a random secret into the target file. Use `--dry-run` when generating material for external secret stores. After updating secrets in staging/production, recycle the Authority pods and confirm the new client credentials work before the next release freeze. diff --git a/docs/modules/authority/operations/monitoring.md b/docs/modules/authority/operations/monitoring.md index 2f5e8e5f..67ff07a7 100644 --- a/docs/modules/authority/operations/monitoring.md +++ b/docs/modules/authority/operations/monitoring.md 
@@ -1,83 +1,83 @@ -# Authority Monitoring & Alerting Playbook - -## Telemetry Sources -- **Traces:** Activity source `StellaOps.Authority` emits spans for every token flow (`authority.token.validate_*`, `authority.token.handle_*`, `authority.token.validate_access`). Key tags include `authority.endpoint`, `authority.grant_type`, `authority.username`, `authority.client_id`, and `authority.identity_provider`. -- **Metrics:** OpenTelemetry instrumentation (`AddAspNetCoreInstrumentation`, `AddHttpClientInstrumentation`, custom meter `StellaOps.Authority`) exports: - - `http.server.request.duration` histogram (`http_route`, `http_status_code`, `authority.endpoint` tag via `aspnetcore` enrichment). - - `process.runtime.gc.*`, `process.runtime.dotnet.*` (from `AddRuntimeInstrumentation`). -- **Logs:** Serilog writes structured events to stdout. Notable templates: - - `"Password grant verification failed ..."` and `"Plugin {PluginName} denied access ... due to lockout"` (lockout spike detector). - - `"Password grant validation failed for {Username}: provider '{Provider}' does not support MFA required for exception approvals."` (identifies users attempting `exceptions:approve` without MFA support; tie to fresh-auth errors). - - `"Client credentials validation failed for {ClientId}: exception scopes require tenant assignment."` (signals misconfigured exception service identities). - - `"Granting StellaOps bypass for remote {RemoteIp}"` (bypass usage). - - `"Rate limit exceeded for path {Path} from {RemoteIp}"` (limiter alerts). - -## Prometheus Metrics to Collect -| Metric | Query | Purpose | -| --- | --- | --- | -| `token_requests_total` | `sum by (grant_type, status) (rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token"}[5m]))` | Token issuance volume per grant type (`grant_type` comes via `authority.grant_type` span attribute → Exemplars in Grafana). 
| -| `token_failure_ratio` | `sum(rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token", http_status_code=~"4..|5.."}[5m])) / sum(rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token"}[5m]))` | Alert when > 5 % for 10 min. | -| `authorize_rate_limit_hits` | `sum(rate(aspnetcore_rate_limiting_rejections_total{service_name="stellaops-authority", limiter="authority-token"}[5m]))` | Detect rate limiting saturations (requires OTEL ASP.NET rate limiter exporter). | -| `lockout_events` | `sum by (plugin) (rate(log_messages_total{app="stellaops-authority", level="Warning", message_template="Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter})."}[5m]))` | Derived from Loki/Promtail log counter. | -| `bypass_usage_total` | `sum(rate(log_messages_total{app="stellaops-authority", level="Information", message_template="Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}."}[5m]))` | Track trusted bypass invocations. | - -> **Exporter note:** Enable `aspnetcore` meters (`dotnet-counters` name `Microsoft.AspNetCore.Hosting`), or configure the OpenTelemetry Collector `metrics` pipeline with `metric_statements` to remap histogram counts into the shown series. - -## Alert Rules -1. **Token Failure Surge** - - _Expression_: `token_failure_ratio > 0.05` - - _For_: `10m` - - _Labels_: `severity="critical"` - - _Annotations_: Include `topk(5, sum by (authority_identity_provider) (increase(authority_token_rejections_total[10m])))` as diagnostic hint (requires span → metric transformation). -2. **Lockout Spike** - - _Expression_: `sum(rate(log_messages_total{message_template="Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter})."}[15m])) > 10` - - _For_: `15m` - - Investigate credential stuffing; consider temporarily tightening `RateLimiting.Token`. -3. 
**Bypass Threshold** - - _Expression_: `sum(rate(log_messages_total{message_template="Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}."}[5m])) > 1` - - _For_: `5m` - - Alert severity `warning` — verify the calling host list. -4. **Rate Limiter Saturation** - - _Expression_: `sum(rate(aspnetcore_rate_limiting_rejections_total{service_name="stellaops-authority"}[5m])) > 0` - - Escalate if sustained for 5 min; confirm trusted clients aren’t misconfigured. - -## Grafana Dashboard -- Import `docs/modules/authority/operations/grafana-dashboard.json` to provision baseline panels: - - **Token Success vs Failure** – stacked rate visualization split by grant type. - - **Rate Limiter Hits** – bar chart showing `authority-token` and `authority-authorize`. - - **Bypass & Lockout Events** – dual-stat panel using Loki-derived counters. - - **Trace Explorer Link** – panel links to `StellaOps.Authority` span search pre-filtered by `authority.grant_type`. - -## Collector Configuration Snippets -```yaml -receivers: - otlp: - protocols: - http: -exporters: - prometheus: - endpoint: "0.0.0.0:9464" -processors: - batch: - attributes/token_grant: - actions: - - key: grant_type - action: upsert - from_attribute: authority.grant_type -service: - pipelines: - metrics: - receivers: [otlp] - processors: [attributes/token_grant, batch] - exporters: [prometheus] - logs: - receivers: [otlp] - processors: [batch] - exporters: [loki] -``` - -## Operational Checklist -- [ ] Confirm `STELLAOPS_AUTHORITY__OBSERVABILITY__EXPORTERS` enables OTLP in production builds. -- [ ] Ensure Promtail captures container stdout with Serilog structured formatting. -- [ ] Periodically validate alert noise by running load tests that trigger the rate limiter. -- [ ] Include dashboard JSON in Offline Kit for air-gapped clusters; update version header when metrics change. 
+# Authority Monitoring & Alerting Playbook + +## Telemetry Sources +- **Traces:** Activity source `StellaOps.Authority` emits spans for every token flow (`authority.token.validate_*`, `authority.token.handle_*`, `authority.token.validate_access`). Key tags include `authority.endpoint`, `authority.grant_type`, `authority.username`, `authority.client_id`, and `authority.identity_provider`. +- **Metrics:** OpenTelemetry instrumentation (`AddAspNetCoreInstrumentation`, `AddHttpClientInstrumentation`, custom meter `StellaOps.Authority`) exports: + - `http.server.request.duration` histogram (`http_route`, `http_status_code`, `authority.endpoint` tag via `aspnetcore` enrichment). + - `process.runtime.gc.*`, `process.runtime.dotnet.*` (from `AddRuntimeInstrumentation`). +- **Logs:** Serilog writes structured events to stdout. Notable templates: + - `"Password grant verification failed ..."` and `"Plugin {PluginName} denied access ... due to lockout"` (lockout spike detector). + - `"Password grant validation failed for {Username}: provider '{Provider}' does not support MFA required for exception approvals."` (identifies users attempting `exceptions:approve` without MFA support; tie to fresh-auth errors). + - `"Client credentials validation failed for {ClientId}: exception scopes require tenant assignment."` (signals misconfigured exception service identities). + - `"Granting StellaOps bypass for remote {RemoteIp}"` (bypass usage). + - `"Rate limit exceeded for path {Path} from {RemoteIp}"` (limiter alerts). + +## Prometheus Metrics to Collect +| Metric | Query | Purpose | +| --- | --- | --- | +| `token_requests_total` | `sum by (grant_type, status) (rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token"}[5m]))` | Token issuance volume per grant type (`grant_type` comes via `authority.grant_type` span attribute → Exemplars in Grafana). 
| +| `token_failure_ratio` | `sum(rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token", http_status_code=~"4..|5.."}[5m])) / sum(rate(http_server_duration_seconds_count{service_name="stellaops-authority", http_route="/token"}[5m]))` | Alert when > 5 % for 10 min. | +| `authorize_rate_limit_hits` | `sum(rate(aspnetcore_rate_limiting_rejections_total{service_name="stellaops-authority", limiter="authority-token"}[5m]))` | Detect rate limiting saturations (requires OTEL ASP.NET rate limiter exporter). | +| `lockout_events` | `sum by (plugin) (rate(log_messages_total{app="stellaops-authority", level="Warning", message_template="Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter})."}[5m]))` | Derived from Loki/Promtail log counter. | +| `bypass_usage_total` | `sum(rate(log_messages_total{app="stellaops-authority", level="Information", message_template="Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}."}[5m]))` | Track trusted bypass invocations. | + +> **Exporter note:** Enable `aspnetcore` meters (`dotnet-counters` name `Microsoft.AspNetCore.Hosting`), or configure the OpenTelemetry Collector `metrics` pipeline with `metric_statements` to remap histogram counts into the shown series. + +## Alert Rules +1. **Token Failure Surge** + - _Expression_: `token_failure_ratio > 0.05` + - _For_: `10m` + - _Labels_: `severity="critical"` + - _Annotations_: Include `topk(5, sum by (authority_identity_provider) (increase(authority_token_rejections_total[10m])))` as diagnostic hint (requires span → metric transformation). +2. **Lockout Spike** + - _Expression_: `sum(rate(log_messages_total{message_template="Plugin {PluginName} denied access for {Username} due to lockout (retry after {RetryAfter})."}[15m])) > 10` + - _For_: `15m` + - Investigate credential stuffing; consider temporarily tightening `RateLimiting.Token`. +3. 
**Bypass Threshold** + - _Expression_: `sum(rate(log_messages_total{message_template="Granting StellaOps bypass for remote {RemoteIp}; required scopes {RequiredScopes}."}[5m])) > 1` + - _For_: `5m` + - Alert severity `warning` — verify the calling host list. +4. **Rate Limiter Saturation** + - _Expression_: `sum(rate(aspnetcore_rate_limiting_rejections_total{service_name="stellaops-authority"}[5m])) > 0` + - Escalate if sustained for 5 min; confirm trusted clients aren’t misconfigured. + +## Grafana Dashboard +- Import `docs/modules/authority/operations/grafana-dashboard.json` to provision baseline panels: + - **Token Success vs Failure** – stacked rate visualization split by grant type. + - **Rate Limiter Hits** – bar chart showing `authority-token` and `authority-authorize`. + - **Bypass & Lockout Events** – dual-stat panel using Loki-derived counters. + - **Trace Explorer Link** – panel links to `StellaOps.Authority` span search pre-filtered by `authority.grant_type`. + +## Collector Configuration Snippets +```yaml +receivers: + otlp: + protocols: + http: +exporters: + prometheus: + endpoint: "0.0.0.0:9464" +processors: + batch: + attributes/token_grant: + actions: + - key: grant_type + action: upsert + from_attribute: authority.grant_type +service: + pipelines: + metrics: + receivers: [otlp] + processors: [attributes/token_grant, batch] + exporters: [prometheus] + logs: + receivers: [otlp] + processors: [batch] + exporters: [loki] +``` + +## Operational Checklist +- [ ] Confirm `STELLAOPS_AUTHORITY__OBSERVABILITY__EXPORTERS` enables OTLP in production builds. +- [ ] Ensure Promtail captures container stdout with Serilog structured formatting. +- [ ] Periodically validate alert noise by running load tests that trigger the rate limiter. +- [ ] Include dashboard JSON in Offline Kit for air-gapped clusters; update version header when metrics change. diff --git a/docs/modules/ci/AGENTS.md b/docs/modules/ci/AGENTS.md index af0dc9c7..16fe4ced 100644 
--- a/docs/modules/ci/AGENTS.md +++ b/docs/modules/ci/AGENTS.md 
@@ -1,22 +1,22 @@ -# CI Recipes agent guide - -## Mission -CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +# CI Recipes agent guide + +## Mission +CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). 
+- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. - Update runbooks/observability assets when operational characteristics change. \ No newline at end of file diff --git a/docs/modules/ci/README.md b/docs/modules/ci/README.md index c6465332..fa8ef6d6 100644 --- a/docs/modules/ci/README.md +++ b/docs/modules/ci/README.md 
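Review bot: the final context line of the `docs/modules/ci/AGENTS.md` hunk, `- Update runbooks/observability assets when operational characteristics change.`, still carries `\ No newline at end of file` on both sides. Since this commit already rewrites every other line of the file, add the trailing newline now so the file terminates cleanly and the next append does not show up as a change to this unrelated line.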
@@ -1,29 +1,29 @@ -# StellaOps CI Recipes - -CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. - -## Responsibilities -- Provide ready-to-use pipeline snippets for ingestion, scanning, policy evaluation, and exports. -- Document required secrets/scopes and deterministic build knobs. -- Highlight offline-compatible workflows and cache strategies. - -## Key components -- Recipe catalogue in ./recipes.md. - -## Integrations & dependencies -- DevOps release workflows. -- Module-specific test suites referenced in recipes. - -## Operational notes -- Encourage reuse through templated YAML/JSON fragments. - -## Related resources -- ./recipes.md - -## Backlog references -- CI recipes refresh tracked in ../../TASKS.md under DOCS-CI stories. - -## Epic alignment -- **Epic 1 – AOC enforcement:** bake ingestion/verifier guardrails into CI recipes. -- **Epic 10 – Export Center:** provide pipeline snippets for export packaging, signing, and Offline Kit publication. -- **Epic 11 – Notifications Studio:** offer CI hooks for notification previews/tests where relevant. +# StellaOps CI Recipes + +CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. + +## Responsibilities +- Provide ready-to-use pipeline snippets for ingestion, scanning, policy evaluation, and exports. +- Document required secrets/scopes and deterministic build knobs. +- Highlight offline-compatible workflows and cache strategies. + +## Key components +- Recipe catalogue in ./recipes.md. + +## Integrations & dependencies +- DevOps release workflows. +- Module-specific test suites referenced in recipes. + +## Operational notes +- Encourage reuse through templated YAML/JSON fragments. + +## Related resources +- ./recipes.md + +## Backlog references +- CI recipes refresh tracked in ../../TASKS.md under DOCS-CI stories. 
+ +## Epic alignment +- **Epic 1 – AOC enforcement:** bake ingestion/verifier guardrails into CI recipes. +- **Epic 10 – Export Center:** provide pipeline snippets for export packaging, signing, and Offline Kit publication. +- **Epic 11 – Notifications Studio:** offer CI hooks for notification previews/tests where relevant. diff --git a/docs/modules/ci/TASKS.md b/docs/modules/ci/TASKS.md index 3438e11c..9d9e8799 100644 --- a/docs/modules/ci/TASKS.md +++ b/docs/modules/ci/TASKS.md @@ -1,9 +1,9 @@ -# Task board — CI Recipes - -> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. - -| ID | Status | Owner(s) | Description | Notes | -|----|--------|----------|-------------|-------| -| CI RECIPES-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | -| CI RECIPES-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CI RECIPES-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +# Task board — CI Recipes + +> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. + +| ID | Status | Owner(s) | Description | Notes | +|----|--------|----------|-------------|-------| +| CI RECIPES-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | +| CI RECIPES-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | +| CI RECIPES-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/ci/architecture.md b/docs/modules/ci/architecture.md index 418dcdfa..af8507a4 100644 
--- a/docs/modules/ci/architecture.md +++ b/docs/modules/ci/architecture.md @@ -1,7 +1,7 @@ -# CI Recipes architecture - -> Reference the AOC guardrails, export workflows, and notification patterns documented in the Authority, Export Center, and Notify module guides when designing CI templates. - -This placeholder summarises the planned architecture for CI Recipes. Consolidate design details from implementation plans and upcoming epics before coding. - -Refer to the module README and implementation plan for immediate context, and update this document once component boundaries and data flows are finalised. +# CI Recipes architecture + +> Reference the AOC guardrails, export workflows, and notification patterns documented in the Authority, Export Center, and Notify module guides when designing CI templates. + +This placeholder summarises the planned architecture for CI Recipes. Consolidate design details from implementation plans and upcoming epics before coding. + +Refer to the module README and implementation plan for immediate context, and update this document once component boundaries and data flows are finalised. diff --git a/docs/modules/ci/implementation_plan.md b/docs/modules/ci/implementation_plan.md index 2a03174a..549370ac 100644 --- a/docs/modules/ci/implementation_plan.md +++ b/docs/modules/ci/implementation_plan.md 
@@ -1,21 +1,21 @@ -# Implementation plan — CI Recipes - -## Current objectives -- Maintain deterministic behaviour and offline parity across releases. -- Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes. - -## Workstreams -- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap. -- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs. -- Validation: extend tests/fixtures to preserve determinism and provenance requirements. - -## Epic milestones -- **Epic 1 – AOC enforcement:** ensure pipelines enforce schemas, provenance, and verifier jobs. -- **Epic 10 – Export Center:** add export/signing/Offline Kit automation templates. -- **Epic 11 – Notifications Studio:** document CI hooks for notification previews/tests. -- Track DOCS-CI stories in ../../TASKS.md. - -## Coordination -- Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. -- Update this plan whenever scope, dependencies, or guardrails change. +# Implementation plan — CI Recipes + +## Current objectives +- Maintain deterministic behaviour and offline parity across releases. +- Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes. + +## Workstreams +- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap. +- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs. +- Validation: extend tests/fixtures to preserve determinism and provenance requirements. + +## Epic milestones +- **Epic 1 – AOC enforcement:** ensure pipelines enforce schemas, provenance, and verifier jobs. +- **Epic 10 – Export Center:** add export/signing/Offline Kit automation templates. +- **Epic 11 – Notifications Studio:** document CI hooks for notification previews/tests. +- Track DOCS-CI stories in ../../TASKS.md. 
+ +## Coordination +- Review ./AGENTS.md before picking up new work. +- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/ci/recipes.md b/docs/modules/ci/recipes.md index 2b21a5f8..38ff1172 100755 --- a/docs/modules/ci/recipes.md +++ b/docs/modules/ci/recipes.md 
@@ -1,353 +1,353 @@ -# Stella Ops CI Recipes — (2025‑08‑04) - -## 0 · Key variables (export these once) - -| Variable | Meaning | Typical value | -| ------------- | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | -| `STELLA_URL` | Host that: ① stores the **CLI** & **SBOM‑builder** images under `/registry` **and** ② receives API calls at `https://$STELLA_URL` | `stella-ops.ci.acme.example` | -| `DOCKER_HOST` | How containers reach your Docker daemon (because we no longer mount `/var/run/docker.sock`) | `tcp://docker:2375` | -| `WORKSPACE` | Directory where the pipeline stores artefacts (SBOM file) | `$(pwd)` | -| `IMAGE` | The image you are building & scanning | `acme/backend:sha-${COMMIT_SHA}` | -| `SBOM_FILE` | Immutable SBOM name – `‑YYYYMMDDThhmmssZ.sbom.json` | `acme_backend_sha‑abc123‑20250804T153050Z.sbom.json` | - -> **Authority graph scopes note (2025-10-27):** CI stages that spin up the Authority compose profile now rely on the checked-in `etc/authority.yaml`. Before running integration smoke jobs, inject real secrets for every `etc/secrets/*.secret` file (Cartographer, Graph API, Policy Engine, Concelier, Excititor). The repository defaults contain `*-change-me` placeholders and Authority will reject tokens if those secrets are not overridden. Reissue CI tokens that previously used `policy:write`/`policy:submit`/`policy:edit` scopes—new bundles must request `policy:read`, `policy:author`, `policy:review`, `policy:simulate`, and (`policy:approve`/`policy:operate`/`policy:activate` when pipelines promote policies). 
- -```bash -export STELLA_URL="stella-ops.ci.acme.example" -export DOCKER_HOST="tcp://docker:2375" # Jenkins/Circle often expose it like this -export WORKSPACE="$(pwd)" -export IMAGE="acme/backend:sha-${COMMIT_SHA}" -export SBOM_FILE="$(echo "${IMAGE}" | tr '/:+' '__')-$(date -u +%Y%m%dT%H%M%SZ).sbom.json" -``` - ---- - -## 1 · SBOM creation strategies - -### Option A – **Buildx attested SBOM** (preferred if you can use BuildKit) - -You pass **two build args** so the Dockerfile can run the builder and copy the result out of the build context. - -```bash -docker buildx build \ - --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ - --provenance=true --sbom=true \ - --build-arg SBOM_FILE="$SBOM_FILE" \ - -t "$IMAGE" . -``` - -**If you **cannot** use Buildx, use Option B below.** The older “run a builder stage inside the Dockerfile” pattern is unreliable for producing an SBOM of the final image. - -```Dockerfile - -ARG STELLA_SBOM_BUILDER -ARG SBOM_FILE - -FROM $STELLA_SBOM_BUILDER as sbom -ARG IMAGE -ARG SBOM_FILE -RUN $STELLA_SBOM_BUILDER build --image $IMAGE --output /out/$SBOM_FILE - -# ---- actual build stages … ---- -FROM alpine:3.20 -COPY --from=sbom /out/$SBOM_FILE / # (optional) keep or discard - -# (rest of your Dockerfile) -``` - -### Option B – **External builder step** (works everywhere; recommended baseline if Buildx isn’t available) - -*(keep this block if your pipeline already has an image‑build step that you can’t modify)* - -```bash -docker run --rm \ - -e DOCKER_HOST="$DOCKER_HOST" \ # let builder reach the daemon remotely - -v "$WORKSPACE:/workspace" \ # place SBOM beside the source code - "$STELLA_URL/registry/stella-sbom-builder:latest" \ - build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" -``` - ---- - -## 2 · Scan the image & upload results - -```bash -docker run --rm \ - -e DOCKER_HOST="$DOCKER_HOST" \ # remote‑daemon pointer - -v "$WORKSPACE/${SBOM_FILE}:/${SBOM_FILE}:ro" \ # mount SBOM under same name 
at container root - -e STELLA_OPS_URL="https://${STELLA_URL}" \ # where the CLI posts findings - "$STELLA_URL/registry/stella-cli:latest" \ - scan --sbom "/${SBOM_FILE}" "$IMAGE" -``` - -The CLI returns **exit 0** if policies pass, **>0** if blocked — perfect for failing the job. - ---- - -## 3 · CI templates - -Below are minimal, cut‑and‑paste snippets. -**Feel free to delete Option B** if you adopt Option A. - -### 3.1 Jenkins (Declarative Pipeline) - -```groovy -pipeline { - agent { docker { image 'docker:25' args '--privileged' } } // gives us /usr/bin/docker - environment { - STELLA_URL = 'stella-ops.ci.acme.example' - DOCKER_HOST = 'tcp://docker:2375' - IMAGE = "acme/backend:${env.BUILD_NUMBER}" - SBOM_FILE = "acme_backend_${env.BUILD_NUMBER}-${new Date().format('yyyyMMdd\'T\'HHmmss\'Z\'', TimeZone.getTimeZone('UTC'))}.sbom.json" - } - stages { - stage('Build image + SBOM (Option A)') { - steps { - sh ''' - docker build \ - --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ - --build-arg SBOM_FILE="$SBOM_FILE" \ - -t "$IMAGE" . 
- ''' - } - } - /* ---------- Option B fallback (when you must keep the existing build step as‑is) ---------- - stage('SBOM builder (Option B)') { - steps { - sh ''' - docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - -v "$WORKSPACE:/workspace" \ - "$STELLA_URL/registry/stella-sbom-builder:latest" \ - build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" - ''' - } - } - ------------------------------------------------------------------------------------------ */ - stage('Scan & upload') { - steps { - sh ''' - docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - -v "$WORKSPACE/${SBOM_FILE}:/${SBOM_FILE}:ro" \ - -e STELLA_OPS_URL="https://$STELLA_URL" \ - "$STELLA_URL/registry/stella-cli:latest" \ - scan --sbom "/${SBOM_FILE}" "$IMAGE" - ''' - } - } - } -} -``` - ---- - -### 3.2 CircleCI `.circleci/config.yml` - -```yaml -version: 2.1 -jobs: - stella_scan: - docker: - - image: cimg/base:stable # baremetal image with Docker CLI - environment: - STELLA_URL: stella-ops.ci.acme.example - DOCKER_HOST: tcp://docker:2375 # Circle’s “remote Docker” socket - steps: - - checkout - - - run: - name: Compute vars - command: | - echo 'export IMAGE="acme/backend:${CIRCLE_SHA1}"' >> $BASH_ENV - echo 'export SBOM_FILE="$(echo acme/backend:${CIRCLE_SHA1} | tr "/:+" "__")-$(date -u +%Y%m%dT%H%M%SZ).sbom.json"' >> $BASH_ENV - - run: - name: Build image + SBOM (Option A) - command: | - docker build \ - --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ - --build-arg SBOM_FILE="$SBOM_FILE" \ - -t "$IMAGE" . 
- # --- Option B fallback (when you must keep the existing build step as‑is) --- - #- run: - # name: SBOM builder (Option B) - # command: | - # docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - # -v "$PWD:/workspace" \ - # "$STELLA_URL/registry/stella-sbom-builder:latest" \ - # build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" - - run: - name: Scan - command: | - docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - -v "$PWD/${SBOM_FILE}:/${SBOM_FILE}:ro" \ - -e STELLA_OPS_URL="https://$STELLA_URL" \ - "$STELLA_URL/registry/stella-cli:latest" \ - scan --sbom "/${SBOM_FILE}" "$IMAGE" -workflows: - stella: - jobs: [stella_scan] -``` - ---- - -### 3.3 Gitea Actions `.gitea/workflows/stella.yml` - -*(Gitea 1.22+ ships native Actions compatible with GitHub syntax)* - -```yaml -name: Stella Scan -on: [push] - -jobs: - stella: - runs-on: ubuntu-latest - env: - STELLA_URL: ${{ secrets.STELLA_URL }} - DOCKER_HOST: tcp://docker:2375 # provided by the docker:dind service - services: - docker: - image: docker:dind - options: >- - --privileged - steps: - - uses: actions/checkout@v4 - - - name: Compute vars - id: vars - run: | - echo "IMAGE=ghcr.io/${{ gitea.repository }}:${{ gitea.sha }}" >> $GITEA_OUTPUT - echo "SBOM_FILE=$(echo ghcr.io/${{ gitea.repository }}:${{ gitea.sha }} | tr '/:+' '__')-$(date -u +%Y%m%dT%H%M%SZ).sbom.json" >> $GITEA_OUTPUT - - - name: Build image + SBOM (Option A) - run: | - docker build \ - --build-arg STELLA_SBOM_BUILDER="${STELLA_URL}/registry/stella-sbom-builder:latest" \ - --build-arg SBOM_FILE="${{ steps.vars.outputs.SBOM_FILE }}" \ - -t "${{ steps.vars.outputs.IMAGE }}" . 
- - # --- Option B fallback (when you must keep the existing build step as‑is) --- - #- name: SBOM builder (Option B) - # run: | - # docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - # -v "$(pwd):/workspace" \ - # "${STELLA_URL}/registry/stella-sbom-builder:latest" \ - # build --image "${{ steps.vars.outputs.IMAGE }}" --output "/workspace/${{ steps.vars.outputs.SBOM_FILE }}" - - - name: Scan - run: | - docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ - -v "$(pwd)/${{ steps.vars.outputs.SBOM_FILE }}:/${{ steps.vars.outputs.SBOM_FILE }}:ro" \ - -e STELLA_OPS_URL="https://${STELLA_URL}" \ - "${STELLA_URL}/registry/stella-cli:latest" \ - scan --sbom "/${{ steps.vars.outputs.SBOM_FILE }}" "${{ steps.vars.outputs.IMAGE }}" -``` - ---- - -## 4 · Docs CI (Gitea Actions & Offline Mirror) - -StellaOps ships a dedicated Docs workflow at `.gitea/workflows/docs.yml`. When mirroring the pipeline offline or running it locally, install the same toolchain so markdown linting, schema validation, and HTML preview stay deterministic. - -### 4.1 Toolchain bootstrap - -```bash -# Node.js 20.x is required; install once per runner -npm install --no-save \ - markdown-link-check \ - remark-cli \ - remark-preset-lint-recommended \ - ajv \ - ajv-cli \ - ajv-formats - -# Python 3.11+ powers the preview renderer -python -m pip install --upgrade pip -python -m pip install markdown pygments -``` - -> **No `pip` available?** Some hardened Python builds (including the repo’s `tmp/docenv` -> interpreter) ship without `pip`/`ensurepip`. In that case download the pure‑Python -> sdists (e.g. `Markdown-3.x.tar.gz`, `pygments-2.x.tar.gz`) and extract their -> packages directly into the virtualenv’s `lib/python*/site-packages/` folder. -> This keeps the renderer working even when package managers are disabled. - -**Offline tip.** Add the packages above to your artifact mirror (for example `ops/devops/offline-kit.json`) so runners can install them via `npm --offline` / `pip --no-index`. 
- -### 4.2 Schema validation step - -Ajv compiles every event schema to guard against syntax or format regressions. The workflow uses `ajv-formats` for UUID/date-time support. - -```bash -for schema in docs/events/*.json; do - npx ajv compile -c ajv-formats -s "$schema" -done -``` - -Run this loop before committing schema changes. For new references, append `-r additional-file.json` so CI and local runs stay aligned. - -### 4.3 Preview build - -```bash -python scripts/render_docs.py --source docs --output artifacts/docs-preview --clean -``` - -Host the resulting bundle via any static file server for review (for example `python -m http.server`). - -### 4.4 Publishing checklist - -- [ ] Toolchain installs succeed without hitting the public internet (mirror or cached tarballs). -- [ ] Ajv validation passes for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, `attestor.logged@1`. -- [ ] Markdown link check (`npx markdown-link-check`) reports no broken references. -- [ ] Preview bundle archived (or attached) for stakeholders. - -### 4.5 Policy DSL lint stage - -Policy Engine v2 pipelines now fail fast if policy documents are malformed. After checkout and dotnet restore, run: - -```bash -dotnet run \ - --project src/Tools/PolicyDslValidator/PolicyDslValidator.csproj \ - -- \ - --strict docs/examples/policies/*.yaml -``` - -- `--strict` treats warnings as errors so missing metadata doesn’t slip through. -- The validator accepts globs, so you can point it at tenant policy directories later (`policies/**/*.yaml`). -- Exit codes follow UNIX conventions: `0` success, `1` parse/errors, `2` warnings when `--strict` is set, `64` usage mistakes. - -Capture the validator output as part of your build logs; Support uses it when triaging policy rollout issues. 
- -### 4.6 Policy simulation smoke - -Catch unexpected policy regressions by exercising a small set of golden SBOM findings via the simulation smoke tool: - -```bash -dotnet run \ - --project src/Tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \ - -- \ - --scenario-root samples/policy/simulations \ - --output artifacts/policy-simulations -``` - -- The tool loads each `scenario.json` under `samples/policy/simulations`, evaluates the referenced policy, and fails the build if projected verdicts change. -- In CI the command runs twice (to `run1/` and `run2/`) and `diff -u` compares the summaries—any mismatch signals a determinism regression. -- Artifacts land in `artifacts/policy-simulations/policy-simulation-summary.json`; upload them for later inspection (see CI workflow). -- Expand scenarios by copying real-world findings into the samples directory—ensure expected statuses are recorded so regressions trip the pipeline. - ---- - -## 5 · Troubleshooting cheat‑sheet - -| Symptom | Root cause | First things to try | -| ------------------------------------- | --------------------------- | --------------------------------------------------------------- | -| `no such host $STELLA_URL` | DNS typo or VPN outage | `ping $STELLA_URL` from runner | -| `connection refused` when CLI uploads | Port 443 blocked | open firewall / check ingress | -| `failed to stat /.json` | SBOM wasn’t produced | Did Option A actually run builder? If not, enable Option B | -| `registry unauthorized` | Runner lacks registry creds | `docker login $STELLA_URL/registry` (store creds in CI secrets) | -| Non‑zero scan exit | Blocking vuln/licence | Open project in Ops UI → triage or waive | - ---- - -### Change log - -* **2025‑10‑18** – Documented Docs CI toolchain (Ajv validation, static preview) and offline checklist. -* **2025‑08‑04** – Variable clean‑up, removed Docker‑socket & cache mounts, added Jenkins / CircleCI / Gitea examples, clarified Option B comment. 
+# Stella Ops CI Recipes — (2025‑08‑04) + +## 0 · Key variables (export these once) + +| Variable | Meaning | Typical value | +| ------------- | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | +| `STELLA_URL` | Host that: ① stores the **CLI** & **SBOM‑builder** images under `/registry` **and** ② receives API calls at `https://$STELLA_URL` | `stella-ops.ci.acme.example` | +| `DOCKER_HOST` | How containers reach your Docker daemon (because we no longer mount `/var/run/docker.sock`) | `tcp://docker:2375` | +| `WORKSPACE` | Directory where the pipeline stores artefacts (SBOM file) | `$(pwd)` | +| `IMAGE` | The image you are building & scanning | `acme/backend:sha-${COMMIT_SHA}` | +| `SBOM_FILE` | Immutable SBOM name – `‑YYYYMMDDThhmmssZ.sbom.json` | `acme_backend_sha‑abc123‑20250804T153050Z.sbom.json` | + +> **Authority graph scopes note (2025-10-27):** CI stages that spin up the Authority compose profile now rely on the checked-in `etc/authority.yaml`. Before running integration smoke jobs, inject real secrets for every `etc/secrets/*.secret` file (Cartographer, Graph API, Policy Engine, Concelier, Excititor). The repository defaults contain `*-change-me` placeholders and Authority will reject tokens if those secrets are not overridden. Reissue CI tokens that previously used `policy:write`/`policy:submit`/`policy:edit` scopes—new bundles must request `policy:read`, `policy:author`, `policy:review`, `policy:simulate`, and (`policy:approve`/`policy:operate`/`policy:activate` when pipelines promote policies). 
+ +```bash +export STELLA_URL="stella-ops.ci.acme.example" +export DOCKER_HOST="tcp://docker:2375" # Jenkins/Circle often expose it like this +export WORKSPACE="$(pwd)" +export IMAGE="acme/backend:sha-${COMMIT_SHA}" +export SBOM_FILE="$(echo "${IMAGE}" | tr '/:+' '__')-$(date -u +%Y%m%dT%H%M%SZ).sbom.json" +``` + +--- + +## 1 · SBOM creation strategies + +### Option A – **Buildx attested SBOM** (preferred if you can use BuildKit) + +You pass **two build args** so the Dockerfile can run the builder and copy the result out of the build context. + +```bash +docker buildx build \ + --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ + --provenance=true --sbom=true \ + --build-arg SBOM_FILE="$SBOM_FILE" \ + -t "$IMAGE" . +``` + +**If you **cannot** use Buildx, use Option B below.** The older “run a builder stage inside the Dockerfile” pattern is unreliable for producing an SBOM of the final image. + +```Dockerfile + +ARG STELLA_SBOM_BUILDER +ARG SBOM_FILE + +FROM $STELLA_SBOM_BUILDER as sbom +ARG IMAGE +ARG SBOM_FILE +RUN $STELLA_SBOM_BUILDER build --image $IMAGE --output /out/$SBOM_FILE + +# ---- actual build stages … ---- +FROM alpine:3.20 +COPY --from=sbom /out/$SBOM_FILE / # (optional) keep or discard + +# (rest of your Dockerfile) +``` + +### Option B – **External builder step** (works everywhere; recommended baseline if Buildx isn’t available) + +*(keep this block if your pipeline already has an image‑build step that you can’t modify)* + +```bash +docker run --rm \ + -e DOCKER_HOST="$DOCKER_HOST" \ # let builder reach the daemon remotely + -v "$WORKSPACE:/workspace" \ # place SBOM beside the source code + "$STELLA_URL/registry/stella-sbom-builder:latest" \ + build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" +``` + +--- + +## 2 · Scan the image & upload results + +```bash +docker run --rm \ + -e DOCKER_HOST="$DOCKER_HOST" \ # remote‑daemon pointer + -v "$WORKSPACE/${SBOM_FILE}:/${SBOM_FILE}:ro" \ # mount SBOM under same name 
at container root + -e STELLA_OPS_URL="https://${STELLA_URL}" \ # where the CLI posts findings + "$STELLA_URL/registry/stella-cli:latest" \ + scan --sbom "/${SBOM_FILE}" "$IMAGE" +``` + +The CLI returns **exit 0** if policies pass, **>0** if blocked — perfect for failing the job. + +--- + +## 3 · CI templates + +Below are minimal, cut‑and‑paste snippets. +**Feel free to delete Option B** if you adopt Option A. + +### 3.1 Jenkins (Declarative Pipeline) + +```groovy +pipeline { + agent { docker { image 'docker:25' args '--privileged' } } // gives us /usr/bin/docker + environment { + STELLA_URL = 'stella-ops.ci.acme.example' + DOCKER_HOST = 'tcp://docker:2375' + IMAGE = "acme/backend:${env.BUILD_NUMBER}" + SBOM_FILE = "acme_backend_${env.BUILD_NUMBER}-${new Date().format('yyyyMMdd\'T\'HHmmss\'Z\'', TimeZone.getTimeZone('UTC'))}.sbom.json" + } + stages { + stage('Build image + SBOM (Option A)') { + steps { + sh ''' + docker build \ + --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ + --build-arg SBOM_FILE="$SBOM_FILE" \ + -t "$IMAGE" . 
+ ''' + } + } + /* ---------- Option B fallback (when you must keep the existing build step as‑is) ---------- + stage('SBOM builder (Option B)') { + steps { + sh ''' + docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + -v "$WORKSPACE:/workspace" \ + "$STELLA_URL/registry/stella-sbom-builder:latest" \ + build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" + ''' + } + } + ------------------------------------------------------------------------------------------ */ + stage('Scan & upload') { + steps { + sh ''' + docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + -v "$WORKSPACE/${SBOM_FILE}:/${SBOM_FILE}:ro" \ + -e STELLA_OPS_URL="https://$STELLA_URL" \ + "$STELLA_URL/registry/stella-cli:latest" \ + scan --sbom "/${SBOM_FILE}" "$IMAGE" + ''' + } + } + } +} +``` + +--- + +### 3.2 CircleCI `.circleci/config.yml` + +```yaml +version: 2.1 +jobs: + stella_scan: + docker: + - image: cimg/base:stable # baremetal image with Docker CLI + environment: + STELLA_URL: stella-ops.ci.acme.example + DOCKER_HOST: tcp://docker:2375 # Circle’s “remote Docker” socket + steps: + - checkout + + - run: + name: Compute vars + command: | + echo 'export IMAGE="acme/backend:${CIRCLE_SHA1}"' >> $BASH_ENV + echo 'export SBOM_FILE="$(echo acme/backend:${CIRCLE_SHA1} | tr "/:+" "__")-$(date -u +%Y%m%dT%H%M%SZ).sbom.json"' >> $BASH_ENV + - run: + name: Build image + SBOM (Option A) + command: | + docker build \ + --build-arg STELLA_SBOM_BUILDER="$STELLA_URL/registry/stella-sbom-builder:latest" \ + --build-arg SBOM_FILE="$SBOM_FILE" \ + -t "$IMAGE" . 
+ # --- Option B fallback (when you must keep the existing build step as‑is) --- + #- run: + # name: SBOM builder (Option B) + # command: | + # docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + # -v "$PWD:/workspace" \ + # "$STELLA_URL/registry/stella-sbom-builder:latest" \ + # build --image "$IMAGE" --output "/workspace/${SBOM_FILE}" + - run: + name: Scan + command: | + docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + -v "$PWD/${SBOM_FILE}:/${SBOM_FILE}:ro" \ + -e STELLA_OPS_URL="https://$STELLA_URL" \ + "$STELLA_URL/registry/stella-cli:latest" \ + scan --sbom "/${SBOM_FILE}" "$IMAGE" +workflows: + stella: + jobs: [stella_scan] +``` + +--- + +### 3.3 Gitea Actions `.gitea/workflows/stella.yml` + +*(Gitea 1.22+ ships native Actions compatible with GitHub syntax)* + +```yaml +name: Stella Scan +on: [push] + +jobs: + stella: + runs-on: ubuntu-latest + env: + STELLA_URL: ${{ secrets.STELLA_URL }} + DOCKER_HOST: tcp://docker:2375 # provided by the docker:dind service + services: + docker: + image: docker:dind + options: >- + --privileged + steps: + - uses: actions/checkout@v4 + + - name: Compute vars + id: vars + run: | + echo "IMAGE=ghcr.io/${{ gitea.repository }}:${{ gitea.sha }}" >> $GITEA_OUTPUT + echo "SBOM_FILE=$(echo ghcr.io/${{ gitea.repository }}:${{ gitea.sha }} | tr '/:+' '__')-$(date -u +%Y%m%dT%H%M%SZ).sbom.json" >> $GITEA_OUTPUT + + - name: Build image + SBOM (Option A) + run: | + docker build \ + --build-arg STELLA_SBOM_BUILDER="${STELLA_URL}/registry/stella-sbom-builder:latest" \ + --build-arg SBOM_FILE="${{ steps.vars.outputs.SBOM_FILE }}" \ + -t "${{ steps.vars.outputs.IMAGE }}" . 
+ + # --- Option B fallback (when you must keep the existing build step as‑is) --- + #- name: SBOM builder (Option B) + # run: | + # docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + # -v "$(pwd):/workspace" \ + # "${STELLA_URL}/registry/stella-sbom-builder:latest" \ + # build --image "${{ steps.vars.outputs.IMAGE }}" --output "/workspace/${{ steps.vars.outputs.SBOM_FILE }}" + + - name: Scan + run: | + docker run --rm -e DOCKER_HOST="$DOCKER_HOST" \ + -v "$(pwd)/${{ steps.vars.outputs.SBOM_FILE }}:/${{ steps.vars.outputs.SBOM_FILE }}:ro" \ + -e STELLA_OPS_URL="https://${STELLA_URL}" \ + "${STELLA_URL}/registry/stella-cli:latest" \ + scan --sbom "/${{ steps.vars.outputs.SBOM_FILE }}" "${{ steps.vars.outputs.IMAGE }}" +``` + +--- + +## 4 · Docs CI (Gitea Actions & Offline Mirror) + +StellaOps ships a dedicated Docs workflow at `.gitea/workflows/docs.yml`. When mirroring the pipeline offline or running it locally, install the same toolchain so markdown linting, schema validation, and HTML preview stay deterministic. + +### 4.1 Toolchain bootstrap + +```bash +# Node.js 20.x is required; install once per runner +npm install --no-save \ + markdown-link-check \ + remark-cli \ + remark-preset-lint-recommended \ + ajv \ + ajv-cli \ + ajv-formats + +# Python 3.11+ powers the preview renderer +python -m pip install --upgrade pip +python -m pip install markdown pygments +``` + +> **No `pip` available?** Some hardened Python builds (including the repo’s `tmp/docenv` +> interpreter) ship without `pip`/`ensurepip`. In that case download the pure‑Python +> sdists (e.g. `Markdown-3.x.tar.gz`, `pygments-2.x.tar.gz`) and extract their +> packages directly into the virtualenv’s `lib/python*/site-packages/` folder. +> This keeps the renderer working even when package managers are disabled. + +**Offline tip.** Add the packages above to your artifact mirror (for example `ops/devops/offline-kit.json`) so runners can install them via `npm --offline` / `pip --no-index`. 
+ +### 4.2 Schema validation step + +Ajv compiles every event schema to guard against syntax or format regressions. The workflow uses `ajv-formats` for UUID/date-time support. + +```bash +for schema in docs/events/*.json; do + npx ajv compile -c ajv-formats -s "$schema" +done +``` + +Run this loop before committing schema changes. For new references, append `-r additional-file.json` so CI and local runs stay aligned. + +### 4.3 Preview build + +```bash +python scripts/render_docs.py --source docs --output artifacts/docs-preview --clean +``` + +Host the resulting bundle via any static file server for review (for example `python -m http.server`). + +### 4.4 Publishing checklist + +- [ ] Toolchain installs succeed without hitting the public internet (mirror or cached tarballs). +- [ ] Ajv validation passes for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, `attestor.logged@1`. +- [ ] Markdown link check (`npx markdown-link-check`) reports no broken references. +- [ ] Preview bundle archived (or attached) for stakeholders. + +### 4.5 Policy DSL lint stage + +Policy Engine v2 pipelines now fail fast if policy documents are malformed. After checkout and dotnet restore, run: + +```bash +dotnet run \ + --project src/Tools/PolicyDslValidator/PolicyDslValidator.csproj \ + -- \ + --strict docs/examples/policies/*.yaml +``` + +- `--strict` treats warnings as errors so missing metadata doesn’t slip through. +- The validator accepts globs, so you can point it at tenant policy directories later (`policies/**/*.yaml`). +- Exit codes follow UNIX conventions: `0` success, `1` parse/errors, `2` warnings when `--strict` is set, `64` usage mistakes. + +Capture the validator output as part of your build logs; Support uses it when triaging policy rollout issues. 
+ +### 4.6 Policy simulation smoke + +Catch unexpected policy regressions by exercising a small set of golden SBOM findings via the simulation smoke tool: + +```bash +dotnet run \ + --project src/Tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \ + -- \ + --scenario-root samples/policy/simulations \ + --output artifacts/policy-simulations +``` + +- The tool loads each `scenario.json` under `samples/policy/simulations`, evaluates the referenced policy, and fails the build if projected verdicts change. +- In CI the command runs twice (to `run1/` and `run2/`) and `diff -u` compares the summaries—any mismatch signals a determinism regression. +- Artifacts land in `artifacts/policy-simulations/policy-simulation-summary.json`; upload them for later inspection (see CI workflow). +- Expand scenarios by copying real-world findings into the samples directory—ensure expected statuses are recorded so regressions trip the pipeline. + +--- + +## 5 · Troubleshooting cheat‑sheet + +| Symptom | Root cause | First things to try | +| ------------------------------------- | --------------------------- | --------------------------------------------------------------- | +| `no such host $STELLA_URL` | DNS typo or VPN outage | `ping $STELLA_URL` from runner | +| `connection refused` when CLI uploads | Port 443 blocked | open firewall / check ingress | +| `failed to stat /.json` | SBOM wasn’t produced | Did Option A actually run builder? If not, enable Option B | +| `registry unauthorized` | Runner lacks registry creds | `docker login $STELLA_URL/registry` (store creds in CI secrets) | +| Non‑zero scan exit | Blocking vuln/licence | Open project in Ops UI → triage or waive | + +--- + +### Change log + +* **2025‑10‑18** – Documented Docs CI toolchain (Ajv validation, static preview) and offline checklist. +* **2025‑08‑04** – Variable clean‑up, removed Docker‑socket & cache mounts, added Jenkins / CircleCI / Gitea examples, clarified Option B comment. 
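Review bot: the inline `# …` comments placed after the `\` continuation in the Option B and §2 `docker run` blocks (`-e DOCKER_HOST="$DOCKER_HOST" \ # let builder reach the daemon remotely`) break those commands: in bash `\ ` escapes the space, the newline is then unescaped, and the command ends after the comment words, so the image and `build`/`scan` arguments on the following lines never run. Move the comments onto their own lines above the command, as the Jenkins/CircleCI/Gitea templates already do. Two documentation mismatches in the same hunk: §1 says Option A is `docker buildx build --provenance=true --sbom=true`, but every §3 stage labelled "Option A" runs plain `docker build` with only the two build args, so no SBOM is produced and the scan step will hit the `failed to stat /.json` symptom from §5; and the Dockerfile snippet runs `RUN $STELLA_SBOM_BUILDER build …`, which executes an image reference as a command. Also, the `SBOM_FILE` row's format string starts with a bare `‑YYYYMMDDThhmmssZ.sbom.json`; the image-name prefix placeholder that the example value `acme_backend_sha‑abc123‑…` shows has dropped out.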
diff --git a/docs/modules/cli/AGENTS.md b/docs/modules/cli/AGENTS.md index 769da4d7..1557cea8 100644 --- a/docs/modules/cli/AGENTS.md +++ b/docs/modules/cli/AGENTS.md 
@@ -1,22 +1,22 @@ -# CLI agent guide - -## Mission -The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +# CLI agent guide + +## Mission +The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). 
+- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. - Update runbooks/observability assets when operational characteristics change. \ No newline at end of file diff --git a/docs/modules/cli/README.md b/docs/modules/cli/README.md index ee7f1089..f0535419 100644 --- a/docs/modules/cli/README.md +++ b/docs/modules/cli/README.md 
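Review bot: every line in this hunk is removed and re-added byte-identical, and the one unchanged context line (`- Update runbooks/observability assets …`) is the one that carries `\ No newline at end of file`, so this is almost certainly line-ending normalisation rather than a content change. Confirm with `git diff --ignore-cr-at-eol` (or `-w`); if the diff collapses to nothing, pin `* text=auto eol=lf` in `.gitattributes` so these files do not flip back on the next checkout, and add the missing final newline while the file is being touched. The README.md, TASKS.md and 20_REFERENCE.md hunks that follow show the same whole-file rewrite pattern.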
@@ -1,40 +1,40 @@ -# StellaOps CLI - -The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. - -## Responsibilities -- Deliver deterministic verbs for scan, diff, export, policy, and observability operations. -- Handle interactive and non-interactive authentication via Authority (device code, client credentials). -- Support offline kit workflows including bundle verification and seed installation. -- Expose JSON outputs suitable for CI parity and golden tests. - -## Key components -- `StellaOps.Cli` native AOT host. -- Shared helpers in `StellaOps.Cli.Core`. -- Restart-time plug-ins under `StellaOps.Cli.Plugins.*`. - -## Integrations & dependencies -- Authority for token exchange. -- Backend APIs (Scanner, Policy, Export Center, Notify). -- Offline kit bundles and local keychain/DPoP storage. - -## Operational notes -- Deterministic output fixtures under `src/Cli/StellaOps.Cli.Tests`. -- Versioned command docs in `docs/modules/cli/guides`. -- Plugin catalogue in `plugins/cli/**` (restart-only). - -## Related resources -- ./guides/20_REFERENCE.md -- ./guides/cli-reference.md -- ./guides/policy.md - -## Backlog references -- DOCS-CLI-OBS-52-001 / DOCS-CLI-FORENSICS-53-001 in ../../TASKS.md. -- CLI-CORE-41-001 epic in `src/Cli/StellaOps.Cli/TASKS.md`. - -## Epic alignment -- **Epic 2 – Policy Engine & Editor:** deliver deterministic policy authoring, simulation, and explain verbs. -- **Epic 4 – Policy Studio:** integrate registry/promotion workflows, approvals, and lint tooling. -- **Epic 6 – Vulnerability Explorer:** surface triage and ledger operations. -- **Epic 10 – Export Center:** orchestrate export requests, verification, and Offline Kit automation. -- **Epic 11 – Notifications Studio:** manage notification authoring/previews from the command line. 
+# StellaOps CLI + +The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. + +## Responsibilities +- Deliver deterministic verbs for scan, diff, export, policy, and observability operations. +- Handle interactive and non-interactive authentication via Authority (device code, client credentials). +- Support offline kit workflows including bundle verification and seed installation. +- Expose JSON outputs suitable for CI parity and golden tests. + +## Key components +- `StellaOps.Cli` native AOT host. +- Shared helpers in `StellaOps.Cli.Core`. +- Restart-time plug-ins under `StellaOps.Cli.Plugins.*`. + +## Integrations & dependencies +- Authority for token exchange. +- Backend APIs (Scanner, Policy, Export Center, Notify). +- Offline kit bundles and local keychain/DPoP storage. + +## Operational notes +- Deterministic output fixtures under `src/Cli/StellaOps.Cli.Tests`. +- Versioned command docs in `docs/modules/cli/guides`. +- Plugin catalogue in `plugins/cli/**` (restart-only). + +## Related resources +- ./guides/20_REFERENCE.md +- ./guides/cli-reference.md +- ./guides/policy.md + +## Backlog references +- DOCS-CLI-OBS-52-001 / DOCS-CLI-FORENSICS-53-001 in ../../TASKS.md. +- CLI-CORE-41-001 epic in `src/Cli/StellaOps.Cli/TASKS.md`. + +## Epic alignment +- **Epic 2 – Policy Engine & Editor:** deliver deterministic policy authoring, simulation, and explain verbs. +- **Epic 4 – Policy Studio:** integrate registry/promotion workflows, approvals, and lint tooling. +- **Epic 6 – Vulnerability Explorer:** surface triage and ledger operations. +- **Epic 10 – Export Center:** orchestrate export requests, verification, and Offline Kit automation. +- **Epic 11 – Notifications Studio:** manage notification authoring/previews from the command line. diff --git a/docs/modules/cli/TASKS.md b/docs/modules/cli/TASKS.md index 5f85becd..6f4020bf 100644 --- a/docs/modules/cli/TASKS.md 
+++ b/docs/modules/cli/TASKS.md @@ -1,9 +1,9 @@ -# Task board — CLI - -> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. - -| ID | Status | Owner(s) | Description | Notes | -|----|--------|----------|-------------|-------| -| CLI-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | -| CLI-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CLI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +# Task board — CLI + +> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable. + +| ID | Status | Owner(s) | Description | Notes | +|----|--------|----------|-------------|-------| +| CLI-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | +| CLI-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | +| CLI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/cli/guides/20_REFERENCE.md b/docs/modules/cli/guides/20_REFERENCE.md index dbc092af..30921830 100755 --- a/docs/modules/cli/guides/20_REFERENCE.md +++ b/docs/modules/cli/guides/20_REFERENCE.md 
@@ -1,8 +1,8 @@ -# CLI Reference (`stella --help`) - -> **Auto‑generated file — do not edit manually.** -> On every tagged release the CI pipeline runs -> `stella --help --markdown > docs/modules/cli/guides/20_REFERENCE.md` -> ensuring this document always matches the shipped binary. - -*(The reference will appear after the first public α release.)* +# CLI Reference (`stella --help`) + +> **Auto‑generated file — do not edit manually.** +> On every tagged release the CI pipeline runs +> `stella --help --markdown > docs/modules/cli/guides/20_REFERENCE.md` +> ensuring this document always matches the shipped binary. + +*(The reference will appear after the first public α release.)* diff --git a/docs/modules/cli/guides/cli-reference.md b/docs/modules/cli/guides/cli-reference.md index 0bcfeded..e516eb11 100644 --- a/docs/modules/cli/guides/cli-reference.md +++ b/docs/modules/cli/guides/cli-reference.md 
@@ -1,316 +1,316 @@ -# CLI AOC Commands Reference - -> **Audience:** DevEx engineers, operators, and CI authors integrating the `stella` CLI with Aggregation-Only Contract (AOC) workflows. -> **Scope:** Command synopsis, options, exit codes, and offline considerations for `stella sources ingest --dry-run` and `stella aoc verify` as introduced in Sprint 19. - +# CLI AOC Commands Reference + +> **Audience:** DevEx engineers, operators, and CI authors integrating the `stella` CLI with Aggregation-Only Contract (AOC) workflows. +> **Scope:** Command synopsis, options, exit codes, and offline considerations for `stella sources ingest --dry-run` and `stella aoc verify` as introduced in Sprint 19. + Both commands are designed to enforce the AOC guardrails documented in the [aggregation-only reference](../../../ingestion/aggregation-only-contract.md) and the [architecture overview](../architecture.md). They consume Authority-issued tokens with tenant scopes and never mutate ingestion stores. - ---- - -## 1 · Prerequisites - -- CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled). -- Required scopes (DPoP-bound): - - `advisory:read` for Concelier sources. - - `vex:read` for Excititor sources (optional but required for VEX checks). - - `aoc:verify` to invoke guard verification endpoints. - - `tenant:select` if your deployment uses tenant switching. -- Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4). -- Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache. - ---- - -## 2 · `stella sources ingest --dry-run` - -### 2.1 Synopsis - -```bash -stella sources ingest --dry-run \ - --source \ - --input \ - [--tenant ] \ - [--format json|table] \ - [--no-color] \ - [--output ] -``` - -### 2.2 Description - -Previews an ingestion write without touching MongoDB. 
The command loads an upstream advisory or VEX document, computes the would-write payload, runs it through the `AOCWriteGuard`, and reports any forbidden fields, provenance gaps, or idempotency issues. Use it during connector development, CI validation, or while triaging incidents. - -### 2.3 Options - -| Option | Description | -|--------|-------------| -| `--source ` | Logical source name (`redhat`, `ubuntu`, `osv`, etc.). Mirrors connector configuration. | -| `--input ` | Path to local CSAF/OSV/VEX file or HTTPS URI. CLI normalises transport (gzip/base64) before guard evaluation. | -| `--tenant ` | Overrides default tenant for multi-tenant deployments. Mandatory when `STELLA_TENANT` is not set. | -| `--format json|table` | Output format. `table` (default) prints summary with highlighted violations; `json` emits machine-readable report (see below). | -| `--no-color` | Disables ANSI colour output for CI logs. | -| `--output ` | Writes the JSON report to file while still printing human-readable summary to stdout. | - -### 2.4 Output schema (JSON) - -```json -{ - "source": "redhat", - "tenant": "default", - "guardVersion": "1.0.0", - "status": "ok", - "document": { - "contentHash": "sha256:…", - "supersedes": null, - "provenance": { - "signature": { "format": "pgp", "present": true } - } - }, - "violations": [] -} -``` - -When violations exist, `status` becomes `error` and `violations` contains entries with `code` (`ERR_AOC_00x`), a short `message`, and JSON Pointer `path` values indicating offending fields. - -### 2.5 Exit codes - -| Exit code | Meaning | -|-----------|---------| -| `0` | Guard passed; would-write payload is AOC compliant. | -| `11` | `ERR_AOC_001` – Forbidden field (`severity`, `cvss`, etc.) detected. | -| `12` | `ERR_AOC_002` – Merge attempt (multiple upstream sources fused). | -| `13` | `ERR_AOC_003` – Idempotency violation (duplicate without supersedes). | -| `14` | `ERR_AOC_004` – Missing provenance fields. 
| -| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | -| `16` | `ERR_AOC_006` – Effective findings present (Policy-only data). | -| `17` | `ERR_AOC_007` – Unknown top-level fields / schema violation. | -| `70` | Transport error (network, auth, malformed input). | - -> Exit codes map directly to the `ERR_AOC_00x` table for scripting consistency. Multiple violations yield the highest-priority code (e.g., 11 takes precedence over 14). - -### 2.6 Examples - -Dry-run a local CSAF file: - -```bash -stella sources ingest --dry-run \ - --source redhat \ - --input ./fixtures/redhat/RHSA-2025-1234.json -``` - -Stream from HTTPS and emit JSON for CI: - -```bash -stella sources ingest --dry-run \ - --source osv \ - --input https://osv.dev/vulnerability/GHSA-aaaa-bbbb \ - --format json \ - --output artifacts/osv-dry-run.json - -cat artifacts/osv-dry-run.json | jq '.violations' -``` - -### 2.7 Offline notes - -When operating in sealed/offline mode: - -- Use `--input` paths pointing to Offline Kit snapshots (`offline-kit/advisories/*.json`). -- Provide `--tenant` explicitly if the offline bundle contains multiple tenants. -- The command does not attempt network access when given a file path. -- Store reports with `--output` to include in transfer packages for policy review. - ---- - -## 3 · `stella aoc verify` - -### 3.1 Synopsis - -```bash -stella aoc verify \ - [--since ] \ - [--limit ] \ - [--sources ] \ - [--codes ] \ - [--format table|json] \ - [--export ] \ - [--tenant ] \ - [--no-color] -``` - -### 3.2 Description - -Replays the AOC guard against stored raw documents. By default it checks all advisories and VEX statements ingested in the last 24 hours for the active tenant, reporting totals, top violation codes, and sample documents. Use it in CI pipelines, scheduled verifications, or during incident response. - -### 3.3 Options - -| Option | Description | -|--------|-------------| -| `--since ` | Verification window. 
Accepts ISO 8601 timestamp (`2025-10-25T12:00:00Z`) or duration (`48h`, `7d`). Defaults to `24h`. | -| `--limit ` | Maximum number of violations to display (per code). `0` means show all. Defaults to `20`. | -| `--sources ` | Comma-separated list of sources (`redhat,ubuntu,osv`). Filters both advisories and VEX entries. | -| `--codes ` | Restricts output to specific `ERR_AOC_00x` codes. Useful for regression tracking. | -| `--format table|json` | `table` (default) prints summary plus top violations; `json` outputs machine-readable report identical to the `/aoc/verify` API. | -| `--export ` | Writes the JSON report to disk (useful for audits/offline uploads). | -| `--tenant ` | Overrides tenant context. Required for cross-tenant verifications when run by platform operators. | -| `--no-color` | Disables ANSI colours. | - -`table` mode prints a summary showing the active tenant, evaluated window, counts of checked advisories/VEX statements, the active limit, total writes/violations, and whether the page was truncated. Status is colour-coded as `ok`, `violations`, or `truncated`. When violations exist the detail table lists the code, total occurrences, first sample document (`source` + `documentId` + `contentHash`), and JSON pointer path. - -### 3.4 Report structure (JSON) - -```json -{ - "tenant": "default", - "window": { - "from": "2025-10-25T12:00:00Z", - "to": "2025-10-26T12:00:00Z" - }, - "checked": { - "advisories": 482, - "vex": 75 - }, - "violations": [ - { - "code": "ERR_AOC_001", - "count": 2, - "examples": [ - { - "source": "redhat", - "documentId": "advisory_raw:redhat:RHSA-2025:1", - "contentHash": "sha256:…", - "path": "/content/raw/cvss" - } - ] - } - ], - "metrics": { - "ingestion_write_total": 557, - "aoc_violation_total": 2 - }, - "truncated": false -} -``` - -### 3.5 Exit codes - -| Exit code | Meaning | -|-----------|---------| -| `0` | Verification succeeded with zero violations. | -| `11…17` | Same mapping as § 2.5 when violations are detected. 
Highest-priority code returned. | -| `18` | Verification ran but results truncated (limit reached) – treat as warning; rerun with higher `--limit`. | -| `70` | Transport/authentication error. | -| `71` | CLI misconfiguration (missing tenant, invalid `--since`, etc.). | - -### 3.6 Examples - -Daily verification across all sources: - -```bash -stella aoc verify --since 24h --format table -``` - -CI pipeline focusing on errant sources and exporting evidence: - -```bash -stella aoc verify \ - --sources redhat,ubuntu \ - --codes ERR_AOC_001,ERR_AOC_004 \ - --format json \ - --limit 100 \ - --export artifacts/aoc-verify.json - -jq '.violations[] | {code, count}' artifacts/aoc-verify.json -``` - -Air-gapped verification using Offline Kit snapshot (example script): - -```bash -stella aoc verify \ - --since 7d \ - --format json \ - --export /mnt/offline/aoc-verify-$(date +%F).json - -sha256sum /mnt/offline/aoc-verify-*.json > /mnt/offline/checksums.txt -``` - -### 3.7 Automation tips - -- Schedule with `cron` or platform scheduler and fail the job when exit code ≥ 11. -- Pair with `stella sources ingest --dry-run` for pre-flight validation before re-enabling a paused source. -- Push JSON exports to observability pipelines for historical tracking of violation counts. - -### 3.8 Offline notes - -- Works against Offline Kit Mongo snapshots when CLI is pointed at the local API gateway included in the bundle. -- When fully disconnected, run against exported `aoc verify` reports generated on production and replay them using `--format json --export` (automation recipe above). -- Include verification output in compliance packages alongside Offline Kit manifests. - ---- - -## 4 · Global exit-code reference - -| Code | Summary | -|------|---------| -| `0` | Success / no violations. | -| `11` | `ERR_AOC_001` – Forbidden field present. | -| `12` | `ERR_AOC_002` – Merge attempt detected. | -| `13` | `ERR_AOC_003` – Idempotency violation. 
| -| `14` | `ERR_AOC_004` – Missing provenance/signature metadata. | -| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | -| `16` | `ERR_AOC_006` – Effective findings in ingestion payload. | -| `17` | `ERR_AOC_007` – Schema violation / unknown fields. | -| `18` | Partial verification (limit reached). | -| `70` | Transport or HTTP failure. | -| `71` | CLI usage error (invalid arguments, missing tenant). | - -Use these codes in CI to map outcomes to build statuses or alert severities. - ---- - -## 4 · `stella vuln observations` (Overlay paging) - -`stella vuln observations` lists raw advisory observations for downstream overlays (Graph Explorer, Policy simulations, Console). Large tenants can now page through results deterministically. - -| Option | Description | -|--------|-------------| -| `--limit ` | Caps the number of observations returned in a single call. Defaults to `200`; values above `500` are clamped server-side. | -| `--cursor ` | Opaque continuation token produced by the previous page (`nextCursor` in JSON output). Pass it back to resume iteration. | - -Additional notes: - -- Table mode prints a hint when `hasMore` is `true`: - `[yellow]More observations available. Continue with --cursor [/]`. -- JSON mode returns `nextCursor` and `hasMore` alongside the observation list so automation can loop until `hasMore` is `false`. -- Supplying a non-positive limit falls back to the default (`200`). Invalid/expired cursors yield `400 Bad Request`; restart without `--cursor` to begin a fresh iteration. - ---- - -## 5 · Related references - + +--- + +## 1 · Prerequisites + +- CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled). +- Required scopes (DPoP-bound): + - `advisory:read` for Concelier sources. + - `vex:read` for Excititor sources (optional but required for VEX checks). + - `aoc:verify` to invoke guard verification endpoints. + - `tenant:select` if your deployment uses tenant switching. 
+- Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4). +- Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache. + +--- + +## 2 · `stella sources ingest --dry-run` + +### 2.1 Synopsis + +```bash +stella sources ingest --dry-run \ + --source \ + --input \ + [--tenant ] \ + [--format json|table] \ + [--no-color] \ + [--output ] +``` + +### 2.2 Description + +Previews an ingestion write without touching MongoDB. The command loads an upstream advisory or VEX document, computes the would-write payload, runs it through the `AOCWriteGuard`, and reports any forbidden fields, provenance gaps, or idempotency issues. Use it during connector development, CI validation, or while triaging incidents. + +### 2.3 Options + +| Option | Description | +|--------|-------------| +| `--source ` | Logical source name (`redhat`, `ubuntu`, `osv`, etc.). Mirrors connector configuration. | +| `--input ` | Path to local CSAF/OSV/VEX file or HTTPS URI. CLI normalises transport (gzip/base64) before guard evaluation. | +| `--tenant ` | Overrides default tenant for multi-tenant deployments. Mandatory when `STELLA_TENANT` is not set. | +| `--format json|table` | Output format. `table` (default) prints summary with highlighted violations; `json` emits machine-readable report (see below). | +| `--no-color` | Disables ANSI colour output for CI logs. | +| `--output ` | Writes the JSON report to file while still printing human-readable summary to stdout. 
| + +### 2.4 Output schema (JSON) + +```json +{ + "source": "redhat", + "tenant": "default", + "guardVersion": "1.0.0", + "status": "ok", + "document": { + "contentHash": "sha256:…", + "supersedes": null, + "provenance": { + "signature": { "format": "pgp", "present": true } + } + }, + "violations": [] +} +``` + +When violations exist, `status` becomes `error` and `violations` contains entries with `code` (`ERR_AOC_00x`), a short `message`, and JSON Pointer `path` values indicating offending fields. + +### 2.5 Exit codes + +| Exit code | Meaning | +|-----------|---------| +| `0` | Guard passed; would-write payload is AOC compliant. | +| `11` | `ERR_AOC_001` – Forbidden field (`severity`, `cvss`, etc.) detected. | +| `12` | `ERR_AOC_002` – Merge attempt (multiple upstream sources fused). | +| `13` | `ERR_AOC_003` – Idempotency violation (duplicate without supersedes). | +| `14` | `ERR_AOC_004` – Missing provenance fields. | +| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | +| `16` | `ERR_AOC_006` – Effective findings present (Policy-only data). | +| `17` | `ERR_AOC_007` – Unknown top-level fields / schema violation. | +| `70` | Transport error (network, auth, malformed input). | + +> Exit codes map directly to the `ERR_AOC_00x` table for scripting consistency. Multiple violations yield the highest-priority code (e.g., 11 takes precedence over 14). + +### 2.6 Examples + +Dry-run a local CSAF file: + +```bash +stella sources ingest --dry-run \ + --source redhat \ + --input ./fixtures/redhat/RHSA-2025-1234.json +``` + +Stream from HTTPS and emit JSON for CI: + +```bash +stella sources ingest --dry-run \ + --source osv \ + --input https://osv.dev/vulnerability/GHSA-aaaa-bbbb \ + --format json \ + --output artifacts/osv-dry-run.json + +cat artifacts/osv-dry-run.json | jq '.violations' +``` + +### 2.7 Offline notes + +When operating in sealed/offline mode: + +- Use `--input` paths pointing to Offline Kit snapshots (`offline-kit/advisories/*.json`). 
+- Provide `--tenant` explicitly if the offline bundle contains multiple tenants. +- The command does not attempt network access when given a file path. +- Store reports with `--output` to include in transfer packages for policy review. + +--- + +## 3 · `stella aoc verify` + +### 3.1 Synopsis + +```bash +stella aoc verify \ + [--since ] \ + [--limit ] \ + [--sources ] \ + [--codes ] \ + [--format table|json] \ + [--export ] \ + [--tenant ] \ + [--no-color] +``` + +### 3.2 Description + +Replays the AOC guard against stored raw documents. By default it checks all advisories and VEX statements ingested in the last 24 hours for the active tenant, reporting totals, top violation codes, and sample documents. Use it in CI pipelines, scheduled verifications, or during incident response. + +### 3.3 Options + +| Option | Description | +|--------|-------------| +| `--since ` | Verification window. Accepts ISO 8601 timestamp (`2025-10-25T12:00:00Z`) or duration (`48h`, `7d`). Defaults to `24h`. | +| `--limit ` | Maximum number of violations to display (per code). `0` means show all. Defaults to `20`. | +| `--sources ` | Comma-separated list of sources (`redhat,ubuntu,osv`). Filters both advisories and VEX entries. | +| `--codes ` | Restricts output to specific `ERR_AOC_00x` codes. Useful for regression tracking. | +| `--format table|json` | `table` (default) prints summary plus top violations; `json` outputs machine-readable report identical to the `/aoc/verify` API. | +| `--export ` | Writes the JSON report to disk (useful for audits/offline uploads). | +| `--tenant ` | Overrides tenant context. Required for cross-tenant verifications when run by platform operators. | +| `--no-color` | Disables ANSI colours. | + +`table` mode prints a summary showing the active tenant, evaluated window, counts of checked advisories/VEX statements, the active limit, total writes/violations, and whether the page was truncated. Status is colour-coded as `ok`, `violations`, or `truncated`. 
When violations exist the detail table lists the code, total occurrences, first sample document (`source` + `documentId` + `contentHash`), and JSON pointer path. + +### 3.4 Report structure (JSON) + +```json +{ + "tenant": "default", + "window": { + "from": "2025-10-25T12:00:00Z", + "to": "2025-10-26T12:00:00Z" + }, + "checked": { + "advisories": 482, + "vex": 75 + }, + "violations": [ + { + "code": "ERR_AOC_001", + "count": 2, + "examples": [ + { + "source": "redhat", + "documentId": "advisory_raw:redhat:RHSA-2025:1", + "contentHash": "sha256:…", + "path": "/content/raw/cvss" + } + ] + } + ], + "metrics": { + "ingestion_write_total": 557, + "aoc_violation_total": 2 + }, + "truncated": false +} +``` + +### 3.5 Exit codes + +| Exit code | Meaning | +|-----------|---------| +| `0` | Verification succeeded with zero violations. | +| `11…17` | Same mapping as § 2.5 when violations are detected. Highest-priority code returned. | +| `18` | Verification ran but results truncated (limit reached) – treat as warning; rerun with higher `--limit`. | +| `70` | Transport/authentication error. | +| `71` | CLI misconfiguration (missing tenant, invalid `--since`, etc.). | + +### 3.6 Examples + +Daily verification across all sources: + +```bash +stella aoc verify --since 24h --format table +``` + +CI pipeline focusing on errant sources and exporting evidence: + +```bash +stella aoc verify \ + --sources redhat,ubuntu \ + --codes ERR_AOC_001,ERR_AOC_004 \ + --format json \ + --limit 100 \ + --export artifacts/aoc-verify.json + +jq '.violations[] | {code, count}' artifacts/aoc-verify.json +``` + +Air-gapped verification using Offline Kit snapshot (example script): + +```bash +stella aoc verify \ + --since 7d \ + --format json \ + --export /mnt/offline/aoc-verify-$(date +%F).json + +sha256sum /mnt/offline/aoc-verify-*.json > /mnt/offline/checksums.txt +``` + +### 3.7 Automation tips + +- Schedule with `cron` or platform scheduler and fail the job when exit code ≥ 11. 
+- Pair with `stella sources ingest --dry-run` for pre-flight validation before re-enabling a paused source. +- Push JSON exports to observability pipelines for historical tracking of violation counts. + +### 3.8 Offline notes + +- Works against Offline Kit Mongo snapshots when CLI is pointed at the local API gateway included in the bundle. +- When fully disconnected, run against exported `aoc verify` reports generated on production and replay them using `--format json --export` (automation recipe above). +- Include verification output in compliance packages alongside Offline Kit manifests. + +--- + +## 4 · Global exit-code reference + +| Code | Summary | +|------|---------| +| `0` | Success / no violations. | +| `11` | `ERR_AOC_001` – Forbidden field present. | +| `12` | `ERR_AOC_002` – Merge attempt detected. | +| `13` | `ERR_AOC_003` – Idempotency violation. | +| `14` | `ERR_AOC_004` – Missing provenance/signature metadata. | +| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | +| `16` | `ERR_AOC_006` – Effective findings in ingestion payload. | +| `17` | `ERR_AOC_007` – Schema violation / unknown fields. | +| `18` | Partial verification (limit reached). | +| `70` | Transport or HTTP failure. | +| `71` | CLI usage error (invalid arguments, missing tenant). | + +Use these codes in CI to map outcomes to build statuses or alert severities. + +--- + +## 4 · `stella vuln observations` (Overlay paging) + +`stella vuln observations` lists raw advisory observations for downstream overlays (Graph Explorer, Policy simulations, Console). Large tenants can now page through results deterministically. + +| Option | Description | +|--------|-------------| +| `--limit ` | Caps the number of observations returned in a single call. Defaults to `200`; values above `500` are clamped server-side. | +| `--cursor ` | Opaque continuation token produced by the previous page (`nextCursor` in JSON output). Pass it back to resume iteration. 
| + +Additional notes: + +- Table mode prints a hint when `hasMore` is `true`: + `[yellow]More observations available. Continue with --cursor [/]`. +- JSON mode returns `nextCursor` and `hasMore` alongside the observation list so automation can loop until `hasMore` is `false`. +- Supplying a non-positive limit falls back to the default (`200`). Invalid/expired cursors yield `400 Bad Request`; restart without `--cursor` to begin a fresh iteration. + +--- + +## 5 · Related references + - [Aggregation-Only Contract reference](../../../ingestion/aggregation-only-contract.md) -- [Architecture overview](../../platform/architecture-overview.md) +- [Architecture overview](../../platform/architecture-overview.md) - [Console AOC dashboard](../../../ui/console.md) -- [Authority scopes](../../authority/architecture.md) - ---- - -## 6 · Compliance checklist - -- [ ] Usage documented for both table and JSON formats. -- [ ] Exit-code mapping matches `ERR_AOC_00x` definitions and automation guidance. -- [ ] Offline/air-gap workflow captured for both commands. -- [ ] References to AOC architecture and console docs included. -- [ ] Examples validated against current CLI syntax (update post-implementation). -- [ ] Docs guild screenshot/narrative placeholder logged for release notes (pending CLI team capture). - ---- - -*Last updated: 2025-10-29 (Sprint 24).* - -## 13. Authority configuration quick reference - -| Setting | Purpose | How to set | -|---------|---------|------------| -| `StellaOps:Authority:OperatorReason` | Incident/change description recorded with `orch:operate` tokens. | CLI flag `--Authority:OperatorReason=...` or env `STELLAOPS_ORCH_REASON`. | -| `StellaOps:Authority:OperatorTicket` | Change/incident ticket reference paired with orchestrator control actions. | CLI flag `--Authority:OperatorTicket=...` or env `STELLAOPS_ORCH_TICKET`. | - -> Tokens requesting `orch:operate` will fail with `invalid_request` unless both values are present. 
Choose concise strings (≤256 chars for reason, ≤128 chars for ticket) and avoid sensitive data. - +- [Authority scopes](../../authority/architecture.md) + +--- + +## 6 · Compliance checklist + +- [ ] Usage documented for both table and JSON formats. +- [ ] Exit-code mapping matches `ERR_AOC_00x` definitions and automation guidance. +- [ ] Offline/air-gap workflow captured for both commands. +- [ ] References to AOC architecture and console docs included. +- [ ] Examples validated against current CLI syntax (update post-implementation). +- [ ] Docs guild screenshot/narrative placeholder logged for release notes (pending CLI team capture). + +--- + +*Last updated: 2025-10-29 (Sprint 24).* + +## 13. Authority configuration quick reference + +| Setting | Purpose | How to set | +|---------|---------|------------| +| `StellaOps:Authority:OperatorReason` | Incident/change description recorded with `orch:operate` tokens. | CLI flag `--Authority:OperatorReason=...` or env `STELLAOPS_ORCH_REASON`. | +| `StellaOps:Authority:OperatorTicket` | Change/incident ticket reference paired with orchestrator control actions. | CLI flag `--Authority:OperatorTicket=...` or env `STELLAOPS_ORCH_TICKET`. | + +> Tokens requesting `orch:operate` will fail with `invalid_request` unless both values are present. Choose concise strings (≤256 chars for reason, ≤128 chars for ticket) and avoid sensitive data. + diff --git a/docs/modules/cli/guides/policy.md b/docs/modules/cli/guides/policy.md index 6c791c3e..a5ca2693 100644 --- a/docs/modules/cli/guides/policy.md +++ b/docs/modules/cli/guides/policy.md 
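Review bot: the exit-code guidance in the AOC hunk above contradicts itself, so CI gates built from it will behave differently depending on which paragraph the author read. § 3.5 says `18` means "results truncated (limit reached)" and to "treat as warning; rerun with higher `--limit`", while § 3.7 says "fail the job when exit code ≥ 11", which also fails on 18, 70 and 71; § 2.5 folds "auth" and "malformed input" into `70`, while § 4 splits those into `70` (transport/HTTP) and `71` (usage error). Pick one mapping (11–17 fail, 18 warn, 70/71 fail as infrastructure errors) and state the precedence rule once: "highest-priority code" is never defined, and the only example given (11 over 14) does not say whether lower numbers always win or whether 18 is suppressed when any 11–17 violation exists; whatever the rule, a run that returns 18 must not be able to hide violations beyond `--limit`, and since `--limit 0` is documented as "show all", the truncation advice should recommend `--limit 0` rather than "higher". Structural problems in the same region: § 1 says "or Offline Kit snapshot (see § 4)" but § 4 is the exit-code reference, there are two "## 4" headings, and "## 6 · Compliance checklist" is followed by "## 13. Authority configuration quick reference" in a different heading style, which reads as a block pasted from another guide. § 3.8's advice to "replay" exported reports using `--format json --export` cannot work as written, because the § 3.1 synopsis gives `stella aoc verify` no input-file option. The offline example's `sha256sum /mnt/offline/aoc-verify-*.json > /mnt/offline/checksums.txt` overwrites the previous checksum list on every run and, stored beside the reports it covers, provides no tamper evidence unless the list is itself signed or recorded in the Offline Kit manifest the next bullet mentions. Finally, every `-` line here reappears byte-identical as a `+` line, so this is whitespace or line-ending normalization rather than a content change; say so in the commit message and consider a `.gitattributes` `text=auto` rule so the churn does not recur.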
@@ -1,318 +1,318 @@ -# Stella CLI — Policy Commands - -> **Audience:** Policy authors, reviewers, operators, and CI engineers using the `stella` CLI to interact with Policy Engine. -> **Supported from:** `stella` CLI ≥ 0.20.0 (Policy Engine v2 sprint line). -> **Prerequisites:** Authority-issued bearer token with the scopes noted per command (export `STELLA_TOKEN` or pass `--token`). -> **2025-10-27 scope update:** CLI/CI tokens issued prior to Sprint 23 (AUTH-POLICY-23-001) must drop `policy:write`/`policy:submit`/`policy:edit` and instead request `policy:read`, `policy:author`, `policy:review`, and `policy:simulate` (plus `policy:approve`/`policy:operate`/`policy:activate` for promotion pipelines). - ---- - -## 1 · Global Options & Output Modes - -All `stella policy *` commands honour the common CLI options: - -| Flag | Default | Description | -|------|---------|-------------| -| `--server ` | `https://stella.local` | Policy Engine gateway root. | -| `--tenant ` | token default | Override tenant for multi-tenant installs. | -| `--format ` | `table` for TTY, `json` otherwise | Output format for listings/diffs. | -| `--output ` | stdout | Write full JSON payload to file. | -| `--sealed` | false | Force sealed-mode behaviour (no outbound fetch). | -| `--trace` | false | Emit verbose timing/log correlation info. | - -> **Tip:** Set `STELLA_PROFILE=policy` in CI to load saved defaults from `~/.stella/profiles/policy.toml`. - ---- - -## 2 · Authoring & Drafting Commands - -### 2.1 `stella policy new` - -Create a draft policy from a template or scratch. - -``` -stella policy new --policy-id P-7 --name "Default Org Policy" \ - --template baseline --output-path policies/P-7.stella -``` - -Options: - -| Flag | Description | -|------|-------------| -| `--policy-id` *(required)* | Stable identifier (e.g., `P-7`). | -| `--name` | Friendly display name. | -| `--template` | `baseline`, `serverless`, `blank`. | -| `--from` | Start from existing version (`policyId@version`). 
| -| `--open` | Launches `$EDITOR` after creation. | - -Writes DSL to local file and registers draft version (`status=draft`). Requires `policy:write`. - -### 2.2 `stella policy edit` - -Open an existing draft in the local editor. - -``` -stella policy edit P-7 --version 4 -``` - -- Auto-checks out latest draft if `--version` omitted. -- Saves to temp file, uploads on editor exit (unless `--no-upload`). -- Use `--watch` to keep command alive and re-upload on every save. - -### 2.3 `stella policy lint` - -Static validation without submitting. - -``` -stella policy lint policies/P-7.stella --format json -``` - -Outputs diagnostics (line/column, code, message). Exit codes: - -| Code | Meaning | -|------|---------| -| `0` | No lint errors. | -| `10` | Syntax/compile errors (`ERR_POL_001`). | -| `11` | Unsupported syntax version. | - -### 2.4 `stella policy compile` - -Emits IR digest and rule summary. - -``` -stella policy compile P-7 --version 4 -``` - -Returns JSON with `digest`, `rules.count`, action counts. Exit `0` success, `10` on compile errors. - ---- - -## 3 · Lifecycle Workflow - -### 3.1 Submit - -``` -stella policy submit P-7 --version 4 \ - --reviewer user:kay --reviewer group:sec-reviewers \ - --note "Simulated against golden SBOM set" \ - --attach sims/P-7-v4-vs-v3.json -``` - -Requires `policy:submit`. CLI validates that lint/compile run within 24 h and bundle attachments exist. - -### 3.2 Review - -``` -stella policy review P-7 --version 4 --approve \ - --note "Looks good; ensure incident playbook updated." -``` - -- `--approve`, `--request-changes`, or `--comment`. -- Provide `--blocking` to mark comment as blocking. -- Requires `policy:review`. - -### 3.3 Approve - -``` -stella policy approve P-7 --version 4 \ - --note "Determinism CI green; simulation diff attached." \ - --attach sims/P-7-v4-vs-v3.json -``` - -Prompts for confirmation; refuses if approver == submitter. Requires `policy:approve`. 
- -### 3.4 Activate - -``` -stella policy activate P-7 --version 4 --run-now --priority high -``` - -- Optional `--scheduled-at 2025-10-27T02:00:00Z`. -- Requires `policy:activate` and `policy:run`. - -**Options** - -- `--version ` (required) – target revision to promote. -- `--note ` – record an activation note alongside the approval. -- `--run-now` – enqueue an immediate full run after activation. -- `--scheduled-at ` – schedule activation for a specific UTC time (ISO-8601 format). -- `--priority
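Review bot: the per-command scope requirements in this policy.md hunk contradict the scope update in its own header. The header says tokens "must drop `policy:write`/`policy:submit`/`policy:edit` and instead request `policy:read`, `policy:author`, `policy:review`, and `policy:simulate`", yet § 2.1 still says "Requires `policy:write`", § 3.1 says "Requires `policy:submit`", and § 3.4 requires `policy:run`, which appears in neither list; `stella policy edit`, `lint` and `compile` name no scope at all. Someone provisioning a least-privilege CI token from this page would request scopes the header says are withdrawn, so each command block should name the post-Sprint-23 scope (presumably `policy:author` for new/edit, `policy:review` for review, `policy:approve` and `policy:activate` for the promotion steps) and the header should say whether the legacy scopes are rejected outright or only deprecated. Two smaller points: authentication here is "export `STELLA_TOKEN` or pass `--token`" against a `--server` defaulting to `https://stella.local`, while the AOC guide earlier in this patch uses `STELLA_AUTHORITY_URL`, `STELLA_TENANT` and `stella auth login`; if both paths are valid, cross-reference them, otherwise align them. And § 3.1's "CLI validates that lint/compile run within 24 h" together with § 3.3's "refuses if approver == submitter" read as client-side checks; state whether Policy Engine enforces the same rules server-side, because a CLI-only check is bypassed by calling the API directly and the approver/submitter separation is only a control if the service rejects it. As in the preceding file, every `-` line reappears unchanged as a `+` line, so this hunk is whitespace or line-ending churn and the commit message should say so.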