consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions

View File

@@ -14,7 +14,7 @@ Detailed references live under `docs/api/` and `docs/modules/cli/`.
| API conventions (headers, pagination, errors) | `docs/api/overview.md` |
| API versioning policy | `docs/api/versioning.md` |
| Gateway tenancy header policy | `docs/api/gateway/tenant-auth.md` |
| Gateway header hardening rules | `docs/modules/gateway/identity-header-policy.md` |
| Gateway header hardening rules | `docs-archived/modules/gateway/identity-header-policy.md` |
| Console workspaces (findings/VEX views) | `docs/api/console/workspaces.md` |
| Console search and downloads | `docs/api/console/search-downloads.md` |
| Exceptions API entry point | `docs/api/exceptions.md` |

View File

@@ -47,10 +47,10 @@ Stella Ops Suite organizes capabilities into **themes** (functional areas):
| **SCANENG** | Scanning and SBOM | Scanner, SBOM Service, Reachability |
| **EVIDENCE** | Evidence and attestation | Evidence Locker, Attestor, Export Center |
| **RUNTIME** | Runtime signals | Signals, Graph, Zastava |
| **JOBCTRL** | Job orchestration | Scheduler, Orchestrator, TaskRunner |
| **JOBCTRL** | Job orchestration | JobEngine (includes Scheduler, TaskRunner, PacksRegistry) |
| **OBSERVE** | Observability | Notifier, Telemetry |
| **REPLAY** | Deterministic replay | Replay Engine |
| **DEVEXP** | Developer experience | CLI, Web UI, SDK |
| **DEVEXP** | Developer experience | CLI, Web UI, Tools (includes SDK) |
#### Planned Themes (Release Orchestration)
@@ -74,7 +74,7 @@ Stella Ops Suite organizes capabilities into **themes** (functional areas):
| **Edge / Identity** | `StellaOps.Authority` | Issues short-lived tokens (DPoP + mTLS), exposes OIDC flows, rotates JWKS |
| **Release Control** | `StellaOps.ReleaseManager`, `StellaOps.PromotionManager`, `StellaOps.WorkflowEngine` | Release bundles, promotion workflows, gate evaluation (planned) |
| **Integration Hub** | `StellaOps.IntegrationManager`, `StellaOps.ConnectorRuntime` | SCM/CI/Registry/Vault connectors (planned) |
| **Scan & Attest** | `StellaOps.Scanner`, `StellaOps.Signer`, `StellaOps.Attestor` | Accept SBOMs/images, produce DSSE bundles, transparency logging |
| **Scan & Attest** | `StellaOps.Scanner`, `StellaOps.Attestor` (includes Signer) | Accept SBOMs/images, produce DSSE bundles, transparency logging |
| **Evidence Graph** | `StellaOps.Concelier`, `StellaOps.Excititor`, `StellaOps.Policy.Engine` | Advisories/VEX, linksets, lattice policy |
| **Deployment** | `StellaOps.DeployOrchestrator`, `StellaOps.Agent.*` | Deployment execution to Docker/Compose/ECS/Nomad (planned) |
| **Experience** | `StellaOps.Web`, `StellaOps.Cli`, `StellaOps.Notify`, `StellaOps.ExportCenter` | Operator UX, automation, notifications |
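Review bot: The Evidence Graph row of this table still lists `StellaOps.Excititor` as a separate service, while the documentation index changed in this same commit records Excititor as absorbed into Concelier (Sprint 203). The Scan & Attest row was rewritten as `StellaOps.Attestor` (includes Signer); give Excititor the same treatment here, or state that only the docs were merged and the service still ships separately, so readers can tell which service boundaries actually moved.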
@@ -82,18 +82,18 @@ Stella Ops Suite organizes capabilities into **themes** (functional areas):
### Ownership Clarifications
- **Ingress/routing**: Gateway is the single HTTP ingress and Router is the
internal service transport.
- **Ingress/routing**: Router owns both the HTTP ingress gateway (`StellaOps.Gateway.WebService`) and the
internal binary protocol transport. The standalone `src/Gateway/` was deleted (Sprint 200).
- **Promotion policy gates**: Policy Engine owns PASS/FAIL decision semantics;
Concelier remains ingestion/linkset only.
- **Environment topology and promotion lanes**: owned by Release Orchestrator
ENVMGR/PROMOT tracks (not Cartographer).
See:
- `docs/modules/gateway/architecture.md`
- `docs/modules/router/architecture.md`
- `docs/modules/router/README.md`
- `docs/modules/policy/promotion-gate-ownership-contract.md`
- `docs/modules/release-orchestrator/promotion-runtime-gap-closure-plan.md`
- `docs/modules/release-jobengine/promotion-runtime-gap-closure-plan.md`
## Infrastructure (What Is Required)
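Review bot: The last entry of the See: list becomes `docs/modules/release-jobengine/promotion-runtime-gap-closure-plan.md`, which looks like a blanket Orchestrator-to-JobEngine substitution rather than a real rename. The bullet just above still names the owner as Release Orchestrator, and the index in this commit describes JobEngine as the renamed job Orchestrator (Sprint 221), which is a different module. Confirm that `docs/modules/release-jobengine/` exists in this commit; if it does not, revert the path here and in the other places the same substitution appears (the References list, the docs README table and the roadmap).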
@@ -176,7 +176,7 @@ Plugin types:
## References
- `docs/ARCHITECTURE_REFERENCE.md` — Full reference map
- `docs/modules/release-orchestrator/architecture.md` — Release orchestrator design (planned)
- `docs/modules/release-jobengine/architecture.md` — Release orchestrator design (planned)
- `docs/OFFLINE_KIT.md` — Air-gap operations
- `docs/API_CLI_REFERENCE.md` — API and CLI contracts
- `docs/modules/platform/architecture-overview.md` — Platform service design

View File

@@ -83,7 +83,7 @@ Use module dossiers as the source of truth for:
Tenancy and identity context are part of the platform contract:
- Gateway tenant auth and ABAC contract: `docs/api/gateway/tenant-auth.md`
- Gateway identity header policy (spoofing prevention + migration rules): `docs/modules/gateway/identity-header-policy.md`
- Gateway identity header policy (spoofing prevention + migration rules): `docs-archived/modules/gateway/identity-header-policy.md`
- Authority service dossier: `docs/modules/authority/architecture.md`
- Claims and headers index: `docs/claims-index.md`
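Review bot: The identity header policy link now points into `docs-archived/`, yet the surrounding text presents it as part of the platform contract and describes it as spoofing prevention plus migration rules. A reader who follows an archive link will reasonably assume the rules are no longer in force. If Router now owns the HTTP ingress gateway, as the ownership note in this commit states, move the policy to a live path under `docs/modules/router/` and link that instead. Also say whether `docs/api/gateway/tenant-auth.md` on the line above keeps its gateway path intentionally.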
@@ -110,7 +110,7 @@ StellaOps uses Hybrid Logical Clocks for audit-safe job queue ordering:
| Component | Description | Documentation |
|-----------|-------------|---------------|
| HLC Library | Core HLC timestamp and clock implementation | `src/__Libraries/StellaOps.HybridLogicalClock/` |
| Scheduler Queue Chain | HLC-based enqueue with cryptographic linking | `docs/modules/scheduler/architecture.md` |
| JobEngine Queue Chain | HLC-based enqueue with cryptographic linking | `docs/modules/jobengine/architecture.md` (Scheduler subsystem) |
| Air-Gap Sync | Offline job merge using HLC total ordering | `docs/operations/airgap-operations-runbook.md` |
| Migration Guide | Enabling HLC ordering in existing deployments | `docs/modules/scheduler/hlc-migration-guide.md` |
| Troubleshooting | HLC-specific issue resolution | `docs/operations/runbooks/hlc-troubleshooting.md` |
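Review bot: The Migration Guide row still points at `docs/modules/scheduler/hlc-migration-guide.md` while the queue chain row in the same table was moved to `docs/modules/jobengine/architecture.md` (Scheduler subsystem). If the scheduler dossier was folded into jobengine, the migration guide path is now dangling; update it to its new location, or note that `docs/modules/scheduler/` is retained for this file.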

View File

@@ -1,7 +1,7 @@
# StellaOps Documentation Index
> **Master index of all StellaOps documentation.**
> Last updated: 2026-01-07 (Pass 8 deep content audit)
> Last updated: 2026-03-04 (Sprint 218 consolidation sweep)
This index provides a complete map of documentation organized by audience and topic. The documentation follows a two-level hierarchy:
- **Canonical guides** (`docs/*.md`) - High-level entry points
@@ -87,59 +87,47 @@ Module dossiers contain architecture, operations, and API documentation per comp
### Core Platform
| Module | Directory | Description |
|--------|-----------|-------------|
| Authority | [authority/](modules/authority/) | OAuth/OIDC, DPoP authentication |
| Gateway | [gateway/](modules/gateway/) | API gateway, routing |
| Router | [router/](modules/router/) | Transport-agnostic messaging |
| Authority | [authority/](modules/authority/) | OAuth/OIDC, DPoP authentication. Includes IssuerDirectory (Sprint 216). |
| Router | [router/](modules/router/) | Transport-agnostic messaging and HTTP ingress gateway |
| Platform | [platform/](modules/platform/) | Console backend aggregation |
### Data Ingestion
| Module | Directory | Description |
|--------|-----------|-------------|
| Concelier | [concelier/](modules/concelier/) | Advisory ingestion |
| Excititor | [excititor/](modules/excititor/) | VEX document ingestion |
| Concelier | [concelier/](modules/concelier/) | Advisory ingestion. Includes Feedser and Excititor (Sprint 203). |
| VexLens | [vex-lens/](modules/vex-lens/) | VEX consensus computation |
| VexHub | [vex-hub/](modules/vex-hub/) | VEX distribution hub |
| IssuerDirectory | [issuer-directory/](modules/issuer-directory/) | Issuer trust registry |
| Feedser | [feedser/](modules/feedser/) | Backport detection evidence |
### Scanning & Analysis
| Module | Directory | Description |
|--------|-----------|-------------|
| Scanner | [scanner/](modules/scanner/) | Container scanning, SBOM generation |
| BinaryIndex | [binary-index/](modules/binary-index/) | Binary fingerprinting |
| AdvisoryAI | [advisory-ai/](modules/advisory-ai/) | AI-assisted analysis |
| Symbols | [symbols/](modules/symbols/) | Symbol resolution |
| Scanner | [scanner/](modules/scanner/) | Container scanning, SBOM generation. Includes Cartographer (Sprint 201). |
| BinaryIndex | [binary-index/](modules/binary-index/) | Binary fingerprinting. Includes Symbols (Sprint 202). |
| AdvisoryAI | [advisory-ai/](modules/advisory-ai/) | AI-assisted analysis. Includes OpsMemory (Sprint 213). |
| ReachGraph | [reach-graph/](modules/reach-graph/) | Reachability graphs |
### Artifacts & Evidence
| Module | Directory | Description |
|--------|-----------|-------------|
| Attestor | [attestor/](modules/attestor/) | DSSE/in-toto attestations |
| Signer | [signer/](modules/signer/) | Cryptographic signing |
| Attestor | [attestor/](modules/attestor/) | DSSE/in-toto attestations. Includes Signer and Provenance (Sprint 204). |
| SbomService | [sbom-service/](modules/sbom-service/) | SBOM storage, lineage |
| EvidenceLocker | [evidence-locker/](modules/evidence-locker/) | Sealed evidence storage |
| ExportCenter | [export-center/](modules/export-center/) | Batch export |
| Provenance | [provenance/](modules/provenance/) | SLSA attestation |
### Policy & Risk
| Module | Directory | Description |
|--------|-----------|-------------|
| Policy | [policy/](modules/policy/) | K4 lattice policy engine |
| RiskEngine | [risk-engine/](modules/risk-engine/) | Risk scoring |
| VulnExplorer | [vuln-explorer/](modules/vuln-explorer/) | Vulnerability triage |
| Unknowns | [unknowns/](modules/unknowns/) | Unknown component tracking |
| FindingsLedger | [findings-ledger/](modules/findings-ledger/) | Findings tracking |
| Unknowns | [unknowns/](modules/unknowns/) | Unknown component tracking (boundary preserved, Sprint 206) |
| Findings | [findings-ledger/](modules/findings-ledger/) | Findings tracking. Includes RiskEngine and VulnExplorer (Sprint 207). |
### Operations
| Module | Directory | Description |
|--------|-----------|-------------|
| Scheduler | [scheduler/](modules/scheduler/) | Job scheduling |
| Orchestrator | [orchestrator/](modules/orchestrator/) | Workflow orchestration |
| TaskRunner | [taskrunner/](modules/taskrunner/) | Task pack execution |
| Notify | [notify/](modules/notify/) | Notifications |
| Notifier | [notifier/](modules/notifier/) | Notifications Studio |
| PacksRegistry | [packs-registry/](modules/packs-registry/) | Task packs registry |
| TimelineIndexer | [timeline-indexer/](modules/timeline-indexer/) | Event indexing |
| JobEngine | [jobengine/](modules/jobengine/) | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). |
| Notify | [notify/](modules/notify/) | Notifications (boundary preserved with Notifier, Sprint 209) |
| Notifier | [notifier/](modules/notifier/) | Notifications Studio (boundary preserved with Notify, Sprint 209) |
| Timeline | [timeline/](modules/timeline/) | Event indexing and timeline query. Includes TimelineIndexer (Sprint 210). |
| Replay | [replay/](modules/replay/) | Deterministic replay |
### Integration
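Review bot: Rows for absorbed modules (Gateway, Excititor, IssuerDirectory, Feedser, Symbols, Signer, Provenance, RiskEngine, VulnExplorer, Scheduler, TaskRunner, PacksRegistry) disappear from these tables without any pointer to where their old dossiers went, whereas the table further down keeps archived modules as rows with an "archived" note and a link into `docs-archived/`. Use the same pattern here so existing links and searches for, say, Signer still land somewhere. Separately, the changelog entry lists Policy/Unknowns and ExportCenter/AirGap as boundary-preserved decisions, but only the Unknowns row carries that annotation; add it to Policy and ExportCenter, or drop it from the changelog.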
@@ -165,8 +153,11 @@ Module dossiers contain architecture, operations, and API documentation per comp
| Snapshot | [snapshot/](modules/snapshot/) | Point-in-time captures |
| Triage | [triage/](../docs-archived/modules/triage/) | Vulnerability triage workflows (archived — see vuln-explorer, ui) |
| Provcache | [prov-cache/](../docs-archived/modules/prov-cache/) | Provenance cache (archived — see provenance) |
| Benchmark | [benchmark/](../docs-archived/modules/benchmark/) | Competitive benchmarking (archived — see bench) |
| Bench | [bench/](modules/bench/) | Performance benchmarks |
| Benchmark | [benchmark/](../docs-archived/modules/benchmark/) | Competitive benchmarking (archived — see tools) |
| Bench | [bench/](../docs-archived/modules/bench/) | Performance benchmarks (archived — absorbed into tools) |
| Verifier | [verifier/](../docs-archived/modules/verifier/) | Standalone bundle verifier (archived — absorbed into tools) |
| SDK | [sdk/](../docs-archived/modules/sdk/) | SDK generation (archived — absorbed into tools) |
| DevPortal | [devportal/](../docs-archived/modules/devportal/) | Developer portal (archived — absorbed into tools) |
---
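Review bot: Two unchanged rows in this table now redirect to modules this commit removes from the index: Triage says "see vuln-explorer, ui" although VulnExplorer is recorded as part of Findings (Sprint 207), and Provcache says "see provenance" although Provenance is recorded as part of Attestor (Sprint 204). Update both pointers to the absorbing module, as was done for Benchmark ("see tools").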
@@ -256,7 +247,7 @@ Module dossiers contain architecture, operations, and API documentation per comp
### Risk Scoring
| Area | Path | Description |
|------|------|-------------|
| Risk Samples | [modules/risk-engine/samples/](modules/risk-engine/samples/) | Risk scoring examples |
| Risk Samples | [modules/findings-ledger/](modules/findings-ledger/) | Risk scoring (now part of Findings, Sprint 207) |
### Operations & Deployment
| Area | Path | Description |
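Review bot: The Risk Samples row keeps its label but its link changes from the `samples/` directory to the module root `modules/findings-ledger/`, so the row no longer leads to any samples. Point it at the samples directory under the new module if the files were moved, or rename the row so it does not promise examples.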
@@ -295,13 +286,14 @@ Module dossiers contain architecture, operations, and API documentation per comp
| Date | Change |
|------|--------|
| 2026-03-04 | **Sprint 218 sweep**: Aligned module index with consolidation wave outcomes. Removed Gateway (deleted Sprint 200), absorbed modules (Feedser/Excititor into Concelier, Signer/Provenance into Attestor, RiskEngine/VulnExplorer into Findings, Scheduler/TaskRunner/PacksRegistry into JobEngine, TimelineIndexer into Timeline, IssuerDirectory into Authority, Symbols into BinaryIndex, Cartographer into Scanner, OpsMemory into AdvisoryAI, Extensions into Integrations, Bench/Verifier/Sdk/DevPortal into Tools). Reflected boundary-preserved decisions (Policy/Unknowns, Notify/Notifier, ExportCenter/AirGap). Updated Orchestrator references to JobEngine. |
| 2026-01-07 | **Pass 10**: Deep module-by-module audit. **Concelier consolidation**: Merged `federation-setup.md` into `federation-operations.md` (eliminated duplicate federation setup/operations content, added bundle format, cursor format, multi-site topologies, DSSE signature format, monitoring metrics, security considerations sections). Deleted `federation-setup.md`. **Verified module patterns**: advisory-ai (architecture→architecture-detail hierarchy correct), authority (AUTHORITY.md=operational config, architecture.md=component spec - different purposes), concelier guides (aggregation.md=LNM implementation, aggregation-only-contract.md=formal AOC spec), notify (architecture+architecture-detail=hierarchical), policy (determinization-api.md=API ref, determinization-architecture.md=design doc), telemetry (guides/observability.md=AOC-specific, operations/observability.md=collector/storage). Scanner has 104 files well-organized by design/, operations/, guides/, fixtures/ subdirectories. |
| 2026-01-07 | **Pass 9**: Deep consolidation analysis of major themes. **Crypto cluster consolidation**: Merged `docs/security/crypto-simulation-services.md` into `docs/security/crypto-profile-configuration.md` (eliminated duplication, preserved all unique content including algorithm coverage list, curl examples, `run-sim-smoke.ps1` reference). Deleted redundant file. **Verified well-organized structures**: API/Contracts (distinct purposes - contracts for formal specs, api for reference), technical/architecture (proper index + detailed views), operations runbooks (complementary runbook + troubleshooting patterns), module cross-cutting (architecture + architecture-overview correctly separate index vs content). **Kept compatibility shims**: `07_HIGH_LEVEL_ARCHITECTURE.md` retained as alias (100+ references across AGENTS.md files). **RootPack RU files**: Confirmed `rootpack_ru_validation.md`, `rootpack_ru_package.md`, `rootpack_ru_crypto_fork.md` serve distinct purposes (validation runbook, packaging guide, fork notes) - no consolidation needed. |
| 2026-01-07 | **Pass 8**: Deep content audit across all major themes. Launched 5 parallel analysis agents covering docs/technical/, docs/security/, docs/operations/, docs/api/+docs/contracts/, and docs/modules/. **Critical fixes**: Fixed 29 files with incorrect `deploy/` paths (changed to `devops/`); fixed 6 files with `scripts/crypto/` paths (changed to `ops/crypto/`). **Placeholder cleanup**: Deleted `docs/security/auth-scopes.md` and `docs/security/redaction-and-privacy.md` (stub files with no content). **Missing READMEs**: Created 9 module README files for: devportal, facet, feedser, packs-registry, provenance, reach-graph, replay, risk-engine, timeline-indexer. **Identified issues for future passes**: API endpoint inconsistencies between docs/api/ and docs/contracts/ (different path formats); duplicate crypto documentation (13 overlapping files); scope definitions in 3 locations (should canonicalize to authority-scopes.md); missing mirror-bundle.schema.json. |
| 2026-01-07 | **Pass 7**: Final theme consolidation. Thorough analysis confirmed 5 directory pairs should remain separate (distinct purposes/audiences). Executed 4 consolidations: docs/cicd/ (9 files) → docs/technical/cicd/; docs/modules/ci/ (4 files) merged into docs/technical/cicd/ (CI recipes); docs/modules/devops/ (15 files) → docs/operations/devops/ (not a code module); docs/onboarding/ (10 files) → docs/dev/onboarding/ (developer onboarding subsection). Removed duplicate schemas from docs/schemas/ (already in sbom-service/schemas/ and policy/schemas/). Top-level directories reduced from 18 to 15. Module directories reduced from 58 to 55 (removed ci/, devops/, removed duplicates). Fixed 15+ broken references. Verified docs/modules/ alignment with src/ - found Integrations and SmRemote modules lack documentation (stub candidates). |
| 2026-01-07 | **Pass 6**: Theme-based consolidation and cleanup. Directory consolidations: docs/governance/ (1 file) to operations/governance/; docs/adr/ (4 files) to technical/adr/; docs/contributing/ (3 files) to dev/contributing/; docs/schemas/ (3 files) to modules/sbom-service/schemas/ and modules/policy/schemas/; docs/scripts/sbom-vex/ (9 files) to modules/attestor/samples/sbom-vex/; docs/modules/snapshot/ (3 files) to technical/concepts/snapshot/ (cross-cutting concept); docs/modules/triage/ (3 files) to modules/vuln-explorer/concepts/triage/ (triage implemented in VulnExplorer); docs/modules/testing/ (1 file) to technical/testing/ (cross-cutting testing docs). Removed duplicate template directory: docs/dev/templates/excitor-connector/ (typo, kept excititor-connector/). Verified prov-cache/ and facet/ document real implementations (src/__Libraries/StellaOps.Provcache, src/__Libraries/StellaOps.Facet). Top-level directories reduced from 22 to 18. Fixed 5 broken references to docs/adr/. |
| 2026-01-06 | **Pass 5**: Reduced top-level directories from 41 to 22, and top-level markdown files from 48 to 25. Directory consolidations: docs/accessibility/ to modules/ui/guides/accessibility/; docs/advisories/ to modules/concelier/guides/; docs/events/ to modules/signals/events/; docs/handoff/ to operations/handoff/; docs/roadmap/ to product/roadmap/; docs/schemas/ to modules/attestor/schemas/; docs/sdks/ to dev/sdks/; docs/specs/ to modules/symbols/specs/; docs/task-packs/ to modules/packs-registry/guides/; docs/ux/ to modules/ui/guides/ux/; docs/rfcs/ to adr/; docs/architecture/ to technical/architecture/; docs/data/ to modules/replay/schemas/; docs/testing/ (26 files) to technical/testing/; docs/diagrams/ to technical/diagrams/; docs/migration/ to technical/migration/; docs/process/ to operations/process/; docs/samples/ distributed to respective module samples/. Top-level file moves: 07_HIGH_LEVEL_ARCHITECTURE.md to technical/architecture/; claims-index.md to product/; cli-vs-ui-parity.md to modules/cli/; LEGAL_*.md to legal/; PERFORMANCE_WORKBOOK.md, DATA_SCHEMAS.md, SYSTEM_REQUIREMENTS_SPEC.md, reproducibility.md to technical/; scanner-core-contracts.md to modules/scanner/; TEST_SUITE_OVERVIEW.md to technical/testing/; VULNERABILITY_EXPLORER_GUIDE.md to modules/vuln-explorer/; PROOF_MOATS_FINAL_SIGNOFF.md, moat.md, VISION.md to product/; QUOTA_*.md to modules/policy/guides/; POLICY_TEMPLATES.md to modules/policy/; AUTHORITY.md to modules/authority/; FAQ_MATRIX.md to onboarding/; RELEASE_ENGINEERING_PLAYBOOK.md to releases/. Fixed ui/guides file to guides-overview.md. Archived QUICKSTART_HYBRID_DEBUG.md. Removed duplicate accessibility.md. |
| 2026-01-06 | **Pass 4**: Consolidated docs/airgap/ (38 files) into modules/airgap/guides/, runbooks/, gaps/, schemas/, samples/; consolidated docs/aoc/ into modules/aoc/guides/; consolidated docs/policy/ (20 files + fixtures/schemas) into modules/policy/guides/, fixtures/, schemas/; consolidated docs/replay/ into modules/replay/guides/; consolidated docs/uncertainty/ into modules/unknowns/guides/; consolidated docs/forensics/ into modules/evidence-locker/, provenance/, timeline-indexer/ guides/; consolidated docs/ingestion/ into modules/concelier/guides/; consolidated docs/interop/ into modules/attestor/guides/; consolidated docs/observability/ (14 files + dashboards) into modules/telemetry/guides/ and dashboards/; consolidated docs/runtime/ into modules/scanner/guides/; consolidated docs/slo/ into modules/orchestrator/guides/; created modules/devportal/guides/; moved docs/evaluate/ to product/; moved docs/metrics/ to modules/telemetry/guides/ |
| 2026-01-06 | **Pass 4**: Consolidated docs/airgap/ (38 files) into modules/airgap/guides/, runbooks/, gaps/, schemas/, samples/; consolidated docs/aoc/ into modules/aoc/guides/; consolidated docs/policy/ (20 files + fixtures/schemas) into modules/policy/guides/, fixtures/, schemas/; consolidated docs/replay/ into modules/replay/guides/; consolidated docs/uncertainty/ into modules/unknowns/guides/; consolidated docs/forensics/ into modules/evidence-locker/, provenance/, timeline-indexer/ guides/; consolidated docs/ingestion/ into modules/concelier/guides/; consolidated docs/interop/ into modules/attestor/guides/; consolidated docs/observability/ (14 files + dashboards) into modules/telemetry/guides/ and dashboards/; consolidated docs/runtime/ into modules/scanner/guides/; consolidated docs/slo/ into modules/jobengine/guides/; created modules/devportal/guides/; moved docs/evaluate/ to product/; moved docs/metrics/ to modules/telemetry/guides/ |
| 2026-01-06 | **Pass 3**: Consolidated docs/router/ into modules/router/ (archived 25 sprints to docs-archived/implplan/router/, moved transports/ and guides/); consolidated docs/reachability/ (23 files) into modules/reach-graph/guides/ and schemas/; consolidated docs/risk/ into modules/risk-engine/guides/ and samples/; consolidated docs/attestor/ and docs/provenance/ into respective modules; consolidated docs/vuln/ into modules/vuln-explorer/guides/; consolidated docs/sbom/ and docs/evidence-locker/ into respective modules; consolidated docs/marketing/ and docs/market/ into docs/product/ (strategy, competitive analysis); archived docs/artifacts/ to docs-archived/ |
| 2026-01-06 | **Pass 2**: Consolidated CLI docs into modules/cli/guides/ (removed docs/cli/); consolidated runbooks into operations/runbooks/ (removed docs/runbooks/); merged examples/ into samples/; consolidated signals/ into modules/signals/guides/; merged training/ into onboarding/ with concepts/ and faq/ subdirs; distributed guides/ into relevant module locations (risk-engine, signer, vex-lens, ui, authority); merged ci/ into cicd/; merged ops/ into operations/; moved faq/policy-faq.md to policy/faq.md |
| 2026-01-06 | Consolidated UI/Console docs into modules/ui/; consolidated deploy/deployment/install into operations/deployment/; consolidated docs/vex/ into modules/vex-lens/guides/; consolidated docs/release/ into docs/releases/; consolidated security docs (removed technical/security/) |
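Review bot: The 2026-01-06 Pass 4 entry is edited so that docs/slo/ is recorded as consolidated into `modules/jobengine/guides/`, which rewrites history: on that date the target was `modules/orchestrator/guides/`, and the rename is dated Sprint 221. The other historical entries still name `modules/risk-engine/`, `modules/signer/` and `modules/vuln-explorer/`, so this looks like a side effect of search-and-replace. Leave past entries as written and record the rename only in the new 2026-03-04 entry.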

View File

@@ -22,7 +22,7 @@ completely isolated network:
| **Secret Detection Rules** | DSSE-signed rule bundles under `rules/secrets/<version>/` with manifest, JSONL rules, and signature envelope for air-gapped secret leak detection. |
| **Telemetry collector bundle** | `telemetry/telemetry-offline-bundle.tar.gz` plus `.sha256`, containing OTLP collector config, Helm/Compose overlays, and operator instructions. |
| **CLI + Task Packs** | `cli/` binaries from `release/cli`, Task Runner bootstrap (`bootstrap/task-runner/task-runner.yaml.sample`), and task-pack docs under `docs/modules/packs-registry/guides/**` + `docs/modules/taskrunner/**`. |
| **Orchestrator/Export/Notifier kits** | Orchestrator service, worker SDK, Postgres snapshot, dashboards (`orchestrator/**`), Export Center bundles (`export-center/**`), Notifier offline packs (`notifier/**`). |
| **Orchestrator/Export/Notifier kits** | Orchestrator service, worker SDK, Postgres snapshot, dashboards (`jobengine/**`), Export Center bundles (`export-center/**`), Notifier offline packs (`notifier/**`). |
| **Container air-gap bundles** | Any tar/tgz under `containers/` or `images/` (mirrored registries) plus `docs/modules/airgap/guides/mirror-bundles.md`. |
| **Surface.Secrets** | Encrypted secrets bundles and manifests (`surface-secrets/**`) for sealed-mode bootstrap. |
@@ -173,7 +173,7 @@ It verifies the release artefacts, runs the Python analyzer smoke suite, mirrors
What it picks up automatically (if present under `--release-dir`):
- `cli/**` → CLI binaries and installers.
- `containers/**` or `images/**` → air-gap container bundles.
- `orchestrator/{service,worker-sdk,postgres,dashboards}/**`.
- `jobengine/{service,worker-sdk,postgres,dashboards}/**`.
- `export-center/**`, `notifier/**`, `surface-secrets/**`.
- Docs: `docs/modules/packs-registry/guides/**`, `docs/modules/taskrunner/**`, `docs/modules/airgap/guides/mirror-bundles.md`.
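Review bot: The auto-pickup list now names `jobengine/{service,worker-sdk,postgres,dashboards}/**` in place of the orchestrator directory, and the list is introduced with "if present under `--release-dir`". That wording means a mismatch between this doc and the packaging script would not fail the build, it would silently produce a kit without the job engine service. Confirm that the kit builder and the release layout were renamed in the same commit, and consider making the directory mandatory. The Docs bullet here and the CLI + Task Packs row above still reference `docs/modules/packs-registry/guides/**` and `docs/modules/taskrunner/**`, which the index lists as absorbed into JobEngine.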

View File

@@ -93,7 +93,7 @@ This documentation set is intentionally consolidated and does not maintain compa
| Architecture: module matrix | `technical/architecture/module-matrix.md` |
| Architecture: data flows | `technical/architecture/data-flows.md` |
| Architecture: schema mapping | `technical/architecture/schema-mapping.md` |
| Release Orchestration dossier | `modules/release-orchestrator/architecture.md` |
| Release Orchestration dossier | `modules/release-jobengine/architecture.md` |
| Telemetry federation architecture | `modules/telemetry/federation-architecture.md` |
| Telemetry federation runbook | `runbooks/federated-telemetry-operations.md` |
| Telemetry federation contracts | `contracts/federated-consent-v1.md`, `contracts/federated-telemetry-v1.md` |

View File

@@ -100,7 +100,7 @@ Priority: Expanding target support and delivery strategies.
- `docs/product/roadmap/README.md` — Detailed roadmap documentation
- `docs/product/roadmap/maturity-model.md` — Capability maturity definitions
- `docs/modules/release-orchestrator/architecture.md` — Release orchestrator architecture
- `docs/modules/release-jobengine/architecture.md` — Release orchestrator architecture
## Related Documents

View File

@@ -2,7 +2,7 @@
Scope: expose Orchestrator read + operator control surfaces through the Web gateway (tenant-scoped, deterministic pagination, cache headers) to unblock Console control-plane views.
This is an interim contract until the gateway is aligned to the Orchestrator OpenAPI (`/openapi/orchestrator.json` in the Orchestrator service).
This is an interim contract until the gateway is aligned to the Orchestrator OpenAPI (`/openapi/jobengine.json` in the Orchestrator service).
## Security / headers
- `Authorization: Bearer <token>` (or `DPoP` where configured)
@@ -15,26 +15,26 @@ This is an interim contract until the gateway is aligned to the Orchestrator Ope
- `X-Stella-Operator-Ticket: <ticket-id>` (optional but recommended)
## Endpoints
- `GET /orchestrator/sources` — list registered job sources (tenant-scoped).
- `GET /jobengine/sources` — list registered job sources (tenant-scoped).
- Query params: `sourceType`, `enabled`, `limit`, `continuationToken`
- `GET /orchestrator/sources/{sourceId}` — source detail.
- `GET /orchestrator/quotas` — list quotas (scope: `orch:quota`).
- `GET /jobengine/sources/{sourceId}` — source detail.
- `GET /jobengine/quotas` — list quotas (scope: `orch:quota`).
- Query params: `jobType`, `paused`, `limit`, `continuationToken`
- `GET /orchestrator/quotas/{quotaId}` — quota detail (scope: `orch:quota`).
- `POST /orchestrator/quotas` — create quota (scope: `orch:quota`).
- `PUT /orchestrator/quotas/{quotaId}` — update quota (scope: `orch:quota`).
- `DELETE /orchestrator/quotas/{quotaId}` — delete quota (scope: `orch:quota`).
- `POST /orchestrator/quotas/{quotaId}/pause` — pause quota (scope: `orch:quota`).
- `POST /orchestrator/quotas/{quotaId}/resume` — resume quota (scope: `orch:quota`).
- `GET /orchestrator/quotas/summary` — quota/backpressure metrics summary (scope: `orch:quota`).
- `GET /orchestrator/jobs/summary` — job summary counts (scope: `orch:read`).
- `GET /orchestrator/deadletter/stats` — deadletter stats and top error clustering (scope: `orch:operate`).
- `GET /orchestrator/deadletter/summary` — grouped deadletter summary (scope: `orch:operate`).
- `POST /orchestrator/deadletter/{entryId}/replay` — replay a deadletter entry (scope: `orch:backfill`).
- `POST /orchestrator/deadletter/replay/batch` — replay a set of entry IDs (scope: `orch:backfill`).
- `POST /orchestrator/deadletter/replay/pending` — replay pending entries by filter (scope: `orch:backfill`).
- `POST /orchestrator/pack-runs/{packRunId}/cancel` — cancel a pack run (scope: `orch:operate`).
- `POST /orchestrator/pack-runs/{packRunId}/retry` — retry a pack run (scope: `orch:backfill`).
- `GET /jobengine/quotas/{quotaId}` — quota detail (scope: `orch:quota`).
- `POST /jobengine/quotas` — create quota (scope: `orch:quota`).
- `PUT /jobengine/quotas/{quotaId}` — update quota (scope: `orch:quota`).
- `DELETE /jobengine/quotas/{quotaId}` — delete quota (scope: `orch:quota`).
- `POST /jobengine/quotas/{quotaId}/pause` — pause quota (scope: `orch:quota`).
- `POST /jobengine/quotas/{quotaId}/resume` — resume quota (scope: `orch:quota`).
- `GET /jobengine/quotas/summary` — quota/backpressure metrics summary (scope: `orch:quota`).
- `GET /jobengine/jobs/summary` — job summary counts (scope: `orch:read`).
- `GET /jobengine/deadletter/stats` — deadletter stats and top error clustering (scope: `orch:operate`).
- `GET /jobengine/deadletter/summary` — grouped deadletter summary (scope: `orch:operate`).
- `POST /jobengine/deadletter/{entryId}/replay` — replay a deadletter entry (scope: `orch:backfill`).
- `POST /jobengine/deadletter/replay/batch` — replay a set of entry IDs (scope: `orch:backfill`).
- `POST /jobengine/deadletter/replay/pending` — replay pending entries by filter (scope: `orch:backfill`).
- `POST /jobengine/pack-runs/{packRunId}/cancel` — cancel a pack run (scope: `orch:operate`).
- `POST /jobengine/pack-runs/{packRunId}/retry` — retry a pack run (scope: `orch:backfill`).
## Caching & pagination
- `limit` max: `200`.
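Review bot: Every route in this list moves from `/orchestrator/...` to `/jobengine/...` with no statement on whether the old paths keep working, while the required scopes stay `orch:quota`, `orch:read`, `orch:operate` and `orch:backfill`. This is a breaking change for Console and for any gateway route or authorization rule keyed on the `/orchestrator/` prefix. State whether the old prefix remains as a compatibility alias and for how long (the score API page in this commit documents its aliases explicitly), and say that the `orch:*` scope names are kept on purpose so operators do not go looking for `jobengine:*` scopes.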

View File

@@ -4,7 +4,7 @@ Provides a fast “first meaningful signal” for a run (TTFS), with caching and
## Endpoint
`GET /api/v1/orchestrator/runs/{runId}/first-signal`
`GET /api/v1/jobengine/runs/{runId}/first-signal`
### Required headers
- `X-Tenant-Id`: tenant identifier (string)
@@ -58,7 +58,7 @@ Missing/invalid tenant header or invalid parameters.
## Streaming (SSE)
The run stream emits `first_signal` events when the signal changes:
`GET /api/v1/orchestrator/stream/runs/{runId}`
`GET /api/v1/jobengine/stream/runs/{runId}`
Event type:
- `first_signal`

View File

@@ -1,282 +1,126 @@
# Score Replay API Reference
# Score API Reference (Platform)
**Sprint:** SPRINT_3401_0002_0001
**Task:** SCORE-REPLAY-014 - Update scanner API docs with replay endpoint
**Module:** Platform WebService
**Base route:** `/api/v1/score`
> Scope note: this page documents the Platform score API.
> Scanner score replay endpoints are implemented separately at:
> - primary: `/api/v1/scans/{scanId}/score/replay|bundle|verify|history`
> - compatibility aliases: `/api/v1/score/{scanId}/replay|bundle|verify|history`
> See `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScoreReplayEndpoints.cs` and `docs/modules/scanner/architecture.md`.
## Overview
The Score Replay API enables deterministic re-scoring of scans using historical manifests. This is essential for auditing, compliance verification, and investigating how scores change with updated advisory feeds.
The score API exposes deterministic score computation, replay verification, and explanation payloads.
All responses are tenant-scoped and wrapped in the standard Platform envelope.
## Base URL
## Authentication and tenant context
- Bearer token authentication is required.
- Required policies:
`platform.score.read`, `platform.score.evaluate`
- Tenant context is resolved from authenticated context/middleware and must be present.
## Response envelope
Single-item responses return:
```json
{
"tenantId": "tenant-a",
"actorId": "user-1",
"dataAsOf": "2026-02-26T12:00:00Z",
"cached": true,
"cacheTtlSeconds": 300,
"item": { }
}
```
/api/v1/score
```
## Authentication
All endpoints require Bearer token authentication:
```http
Authorization: Bearer <token>
```
Required scope: `scanner:replay:read` for GET, `scanner:replay:write` for POST
## Endpoints
### Replay Score
### `POST /api/v1/score/evaluate`
```http
POST /api/v1/score/replay
```
Computes unified score from provided signal inputs.
Re-scores a scan using the original manifest with an optionally different feed snapshot.
Response highlights:
- `unknowns`: deterministic list of missing signal dimensions when snapshot data is available.
- `proof_ref`: deterministic proof locator (`proof://score/<normalized-digest>`).
#### Request Body
### `GET /api/v1/score/history?cve_id=<id>&purl=<optional>&limit=<optional>`
Returns historical score records for the requested CVE and optional PURL.
### `GET /api/v1/score/{scoreId}`
Returns persisted score by score identifier.
### `GET /api/v1/score/{scoreId}/replay`
Returns replay payload for deterministic verification.
### `POST /api/v1/score/verify`
Verifies replay payload and returns deterministic verification status fields.
Verification details:
- `verified` is computed from deterministic comparison checks (`score_matches`, `digest_matches`) and available signature/Rekor checks.
- `differences` includes field-level mismatch reasons (for example `final_score`, `ews_digest`, `signed_replay_log_dsse`).
- malformed replay envelopes return a deterministic `differences` entry rather than synthetic success.
### `GET /api/v1/score/explain/{digest}`
Returns canonical score explanation contract for a persisted replay digest.
Success payload (`item`) schema:
```json
{
"scanId": "scan-12345678-abcd",
"feedSnapshotHash": "sha256:abc123...",
"policyVersion": "1.0.0",
"dryRun": false
}
```
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `scanId` | string | Yes | Original scan ID to replay |
| `feedSnapshotHash` | string | No | Feed snapshot to use (defaults to current) |
| `policyVersion` | string | No | Policy version (defaults to original) |
| `dryRun` | boolean | No | If true, calculates but doesn't persist |
#### Response
```json
{
"replayId": "replay-87654321-dcba",
"originalScanId": "scan-12345678-abcd",
"status": "completed",
"feedSnapshotHash": "sha256:abc123...",
"policyVersion": "1.0.0",
"originalManifestHash": "sha256:def456...",
"replayedManifestHash": "sha256:ghi789...",
"scoreDelta": {
"originalScore": 7.5,
"replayedScore": 6.8,
"delta": -0.7
},
"findingsDelta": {
"added": 2,
"removed": 5,
"rescored": 12,
"unchanged": 45
},
"proofBundleRef": "proofs/replays/replay-87654321/bundle.zip",
"duration": {
"ms": 1250
},
"createdAt": "2025-01-15T10:30:00Z"
}
```
#### Example
```bash
# Replay with latest feed
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"scanId": "scan-12345678-abcd"}' \
"https://scanner.example.com/api/v1/score/replay"
# Replay with specific feed snapshot
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scanId": "scan-12345678-abcd",
"feedSnapshotHash": "sha256:abc123..."
}' \
"https://scanner.example.com/api/v1/score/replay"
# Dry run (preview only)
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scanId": "scan-12345678-abcd",
"dryRun": true
}' \
"https://scanner.example.com/api/v1/score/replay"
```
### Get Replay History
```http
GET /api/v1/score/replays
```
Returns history of score replays.
#### Query Parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `scanId` | string | - | Filter by original scan |
| `page` | int | 1 | Page number |
| `pageSize` | int | 50 | Items per page |
#### Response
```json
{
"items": [
"contractVersion": "score.explain.v1",
"digest": "sha256:...",
"scoreId": "score_...",
"finalScore": 62,
"bucket": "Investigate",
"computedAt": "2026-02-26T12:00:00Z",
"deterministicInputHash": "sha256:...",
"replayLink": "/api/v1/score/score_x/replay",
"factors": [
{
"replayId": "replay-87654321-dcba",
"originalScanId": "scan-12345678-abcd",
"triggerType": "manual",
"scoreDelta": -0.7,
"findingsAdded": 2,
"findingsRemoved": 5,
"createdAt": "2025-01-15T10:30:00Z"
"name": "reachability",
"weight": 0.25,
"value": 1.0,
"contribution": 0.25
}
],
"pagination": {
"page": 1,
"pageSize": 50,
"totalItems": 12,
"totalPages": 1
}
"sources": [
{
"sourceType": "score_history",
"sourceRef": "score-history:score_x",
"sourceDigest": "sha256:..."
}
]
}
```
### Get Replay Details
## Deterministic error schema (`/explain/{digest}`)
```http
GET /api/v1/score/replays/{replayId}
```
Returns detailed information about a specific replay.
### Get Scan Manifest
```http
GET /api/v1/scans/{scanId}/manifest
```
Returns the scan manifest containing all input hashes.
#### Response
Error payload:
```json
{
"manifestId": "manifest-12345678",
"scanId": "scan-12345678-abcd",
"manifestHash": "sha256:def456...",
"sbomHash": "sha256:aaa111...",
"rulesHash": "sha256:bbb222...",
"feedHash": "sha256:ccc333...",
"policyHash": "sha256:ddd444...",
"scannerVersion": "1.0.0",
"createdAt": "2025-01-15T10:00:00Z"
"code": "not_found | invalid_input | backend_unavailable",
"message": "deterministic human-readable message",
"digest": "sha256:..."
}
```
### Get Proof Bundle
Status mapping:
```http
GET /api/v1/scans/{scanId}/proof-bundle
```
- `400` -> `invalid_input`
- `404` -> `not_found`
- `503` -> `backend_unavailable`
Downloads the proof bundle (ZIP archive) for a scan.
## Client integration notes
#### Response
Returns `application/zip` with the proof bundle containing:
- `manifest.json` - Signed scan manifest
- `ledger.json` - Proof ledger nodes
- `sbom.json` - Input SBOM (hash-verified)
- `findings.json` - Scored findings
- `signature.dsse` - DSSE envelope
## Scheduled Replay
Scans can be automatically replayed when feed snapshots change.
### Configuration
```yaml
# config/scanner.yaml
score_replay:
enabled: true
schedule: "0 4 * * *" # Daily at 4 AM UTC
max_age_days: 30 # Only replay scans from last 30 days
notify_on_delta: true # Send notification if scores change
delta_threshold: 0.5 # Only notify if delta > threshold
```
### Trigger Types
| Type | Description |
|------|-------------|
| `manual` | User-initiated via API |
| `feed_update` | Triggered by new feed snapshot |
| `policy_change` | Triggered by policy version change |
| `scheduled` | Triggered by scheduled job |
## Determinism Guarantees
Score replay guarantees deterministic results when:
1. **Same manifest hash** - All inputs are identical
2. **Same scanner version** - Scoring algorithm unchanged
3. **Same policy version** - Policy rules unchanged
### Manifest Contents
The manifest captures:
- SBOM content hash
- Rules snapshot hash
- Advisory feed snapshot hash
- Policy configuration hash
- Scanner version
### Verification
```bash
# Verify replay determinism
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/scans/{scanId}/manifest" \
| jq '.manifestHash'
# Compare with replay
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/score/replays/{replayId}" \
| jq '.replayedManifestHash'
```
## Error Responses
| Status | Code | Description |
|--------|------|-------------|
| 400 | `INVALID_SCAN_ID` | Scan ID not found |
| 400 | `INVALID_FEED_SNAPSHOT` | Feed snapshot not found |
| 400 | `MANIFEST_NOT_FOUND` | Scan manifest missing |
| 401 | `UNAUTHORIZED` | Invalid token |
| 403 | `FORBIDDEN` | Insufficient permissions |
| 409 | `REPLAY_IN_PROGRESS` | Replay already running for scan |
| 429 | `RATE_LIMITED` | Too many requests |
## Rate Limits
- POST replay: 10 requests/minute
- GET replays: 100 requests/minute
- GET manifest: 100 requests/minute
## Related Documentation
- [Proof Bundle Format](./proof-bundle-format.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Determinism Requirements](../product/advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- CLI and Web clients must treat `score.explain.v1` as the current canonical contract.
- Clients must not synthesize explanation factors when `404` or `503` is returned.
- `digest` values are normalized to lowercase with explicit algorithm prefix (`sha256:`).
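Review bot: the "Authentication and tenant context" section names `platform.score.read` and `platform.score.evaluate`, but no endpoint heading says which policy it requires, whereas the removed text tied `scanner:replay:read` to GET and `scanner:replay:write` to POST. State the policy per endpoint, in particular for `POST /api/v1/score/verify` and `GET /api/v1/score/explain/{digest}`. Two related gaps: `verified` is described as using "available signature/Rekor checks" without saying what the result is when no signature or Rekor check is available, and the rewrite drops the 401/403/429 rows and the rate-limit section while the new error schema covers only 400/404/503 for `/explain/{digest}`.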

View File

@@ -42,7 +42,7 @@ for sbom, vex in zip(SBOMS, VEXES):
- CVSS delta σ vs reference; VEX stability (σ_after ≤ σ_before).
## Deliverables
- Harness at `src/Bench/StellaOps.Bench/Determinism` (offline-friendly mock scanner included).
- Harness at `src/Tools/StellaOps.Bench/Determinism` (offline-friendly mock scanner included).
- `results/*.csv` with per-run hashes plus `summary.json` determinism rate.
- `results/inputs.sha256` listing SBOM, VEX, and config hashes (deterministic ordering).
- `bench/reachability/dataset.sha256` listing reachability corpus inputs (graphs, runtime traces) when running combined bench.
@@ -57,7 +57,7 @@ for sbom, vex in zip(SBOMS, VEXES):
## How to run (local)
```sh
cd src/Bench/StellaOps.Bench/Determinism
cd src/Tools/StellaOps.Bench/Determinism
# Run determinism bench (uses built-in mock scanner by default; defaults to 10 runs)
python run_bench.py --sboms inputs/sboms/*.json --vex inputs/vex/*.json \
@@ -78,8 +78,8 @@ Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results
## Offline/air-gap workflow
1. Place feeds bundle (see `src/Bench/StellaOps.Bench/Determinism/inputs/feeds/README.md`), SBOMs, VEX, and optional reachability corpus under `offline/inputs/` with matching `inputs.sha256` and (if reachability) `dataset.sha256`. A sample `inputs/inputs.sha256` is provided for the bundled demo SBOM/VEX/config.
2. Run `./offline_run.sh --inputs offline/inputs --output offline/results` (script lives under `src/Bench/StellaOps.Bench/Determinism`) to execute benches without network (defaults: runs=10, threshold=0.95; manifest verification on). Use `--no-verify` to skip hash checks if manifests are absent.
1. Place feeds bundle (see `src/Tools/StellaOps.Bench/Determinism/inputs/feeds/README.md`), SBOMs, VEX, and optional reachability corpus under `offline/inputs/` with matching `inputs.sha256` and (if reachability) `dataset.sha256`. A sample `inputs/inputs.sha256` is provided for the bundled demo SBOM/VEX/config.
2. Run `./offline_run.sh --inputs offline/inputs --output offline/results` (script lives under `src/Tools/StellaOps.Bench/Determinism`) to execute benches without network (defaults: runs=10, threshold=0.95; manifest verification on). Use `--no-verify` to skip hash checks if manifests are absent.
3. Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
## Notes

View File

@@ -623,7 +623,7 @@ The following top-level directories under `src/` are the approved domain roots a
| `src/Graph/` | Knowledge graph indexing | — |
| `src/Integrations/` | SCM/CI/registry/secrets plugin host | Extensions |
| `src/Notify/` | Notification domain | Notifier |
| `src/Orchestrator/` | Orchestration domain: scheduling, task execution, packs registry | Scheduler, TaskRunner, PacksRegistry |
| `src/JobEngine/` | Orchestration domain: scheduling, task execution, packs registry | Scheduler, TaskRunner, PacksRegistry |
| `src/Platform/` | Console backend and cross-service aggregation | — |
| `src/Policy/` | Policy domain: policy engine, unknowns handling | Unknowns |
| `src/ReachGraph/` | Reachability graph analysis | — |

View File

@@ -27,7 +27,7 @@ The aggregate spec is generated by `compose.mjs` from per-service specs:
| Authority | `authority/openapi.yaml` | `authority.*` |
| Export Center | `export-center/openapi.yaml` | `export.*` |
| Graph | `graph/openapi.yaml` | `graph.*` |
| Orchestrator | `orchestrator/openapi.yaml` | `orchestrator.*` |
| Orchestrator | `jobengine/openapi.yaml` | `orchestrator.*` |
| Policy | `policy/openapi.yaml` | `policy.*` |
| Scheduler | `scheduler/openapi.yaml` | `scheduler.*` |
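Review bot: the Orchestrator row now points at `jobengine/openapi.yaml`, but the service label and the `orchestrator.*` value in the third column are unchanged. Say here whether `orchestrator.*` is kept on purpose (for example for generated-client compatibility); otherwise the row reads as a half-applied rename.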

View File

@@ -110,7 +110,7 @@ The codebase already contains production-ready patterns:
| Module | Location | Reusable Components |
|--------|----------|---------------------|
| Orchestrator | `src/Orchestrator/.../Infrastructure/Postgres/` | DataSource, tenant context, repository pattern |
| Orchestrator | `src/JobEngine/.../Infrastructure/Postgres/` | DataSource, tenant context, repository pattern |
| Findings | `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/` | Ledger events, Merkle anchors, projections |
**Reference Implementation:** `OrchestratorDataSource.cs`
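Review bot: the location column moves to `src/JobEngine/.../Infrastructure/Postgres/`, but the "Reference Implementation" line under the table still names `OrchestratorDataSource.cs`. Confirm the class kept that name after the module move, or update the reference so readers can locate it.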

View File

@@ -15,7 +15,7 @@ Scope: `src/**/Migrations/**/*.sql` and `src/**/migrations/**/*.sql`, excluding
| Excititor | Npgsql repositories (no Dapper usage observed in module) | `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Migrations` | 3 | Shared `MigrationRunner` resources | `CLI+PlatformAdminApi+SeedOnly`; startup migration host not wired |
| Scanner | Dapper/Npgsql | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations`, `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations` | 36 | Shared `StartupMigrationHost` + `MigrationRunner` (service plug-in source-set aggregation) | `ScannerStartupHost + CLI + PlatformAdminApi` |
| AirGap | Npgsql repositories (no Dapper usage observed in module) | `src/AirGap/__Libraries/StellaOps.AirGap.Persistence/Migrations` | 1 | Shared `StartupMigrationHost` + `MigrationRunner` | `AirGapStartupHost + CLI + PlatformAdminApi` |
| TimelineIndexer | Npgsql repositories (no Dapper usage observed in module) | `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Db/Migrations` | 1 | Shared `MigrationRunner` via module wrapper | `TimelineIndexerMigrationHostedService + CLI + PlatformAdminApi` |
| TimelineIndexer | Npgsql repositories (no Dapper usage observed in module) | `src/Timeline/__Libraries/StellaOps.TimelineIndexer.Infrastructure/Db/Migrations` | 1 | Shared `MigrationRunner` via module wrapper | `TimelineIndexerMigrationHostedService + CLI + PlatformAdminApi` |
| EvidenceLocker | Dapper/Npgsql | `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Db/Migrations`, `src/EvidenceLocker/StellaOps.EvidenceLocker/Migrations` | 5 | Custom SQL runner with custom history table | `EvidenceLockerMigrationHostedService` (`evidence_schema_version`) |
| ExportCenter | Npgsql repositories (no Dapper usage observed in module) | `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Db/Migrations` | 1 | Custom SQL runner with custom history table | `ExportCenterMigrationHostedService` (`export_schema_version`) |
| BinaryIndex | EF Core v10 + compiled models (mixed: FunctionCorpusRepository and PostgresGoldenSetStore remain Dapper/Npgsql) | `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Migrations`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Migrations` | 6 | Custom SQL runner with custom history table; Platform migration registry plugin wired (BinaryIndexMigrationModulePlugin) | Runner class exists + CLI + PlatformAdminApi |
@@ -24,7 +24,7 @@ Scope: `src/**/Migrations/**/*.sql` and `src/**/migrations/**/*.sql`, excluding
| Graph | Npgsql repositories (no Dapper usage observed in module) | `src/Graph/__Libraries/StellaOps.Graph.Indexer.Persistence/Migrations`, `src/Graph/__Libraries/StellaOps.Graph.Core/migrations` | 2 | Embedded SQL files only | No runtime invocation found in non-test code |
| IssuerDirectory | Npgsql repositories (no Dapper usage observed in module) | `src/IssuerDirectory/__Libraries/StellaOps.IssuerDirectory.Persistence/Migrations` | 1 | Embedded SQL files only | No runtime invocation found in non-test code |
| Findings Ledger | Npgsql repositories (no Dapper usage observed in module) | `src/Findings/StellaOps.Findings.Ledger/migrations` | 12 | Embedded SQL files only | No runtime invocation found in non-test code |
| Orchestrator | Npgsql repositories (no Dapper usage observed in module) | `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/migrations` | 8 | Embedded SQL files only | No runtime invocation found in non-test code |
| Orchestrator | Npgsql repositories (no Dapper usage observed in module) | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/migrations` | 8 | Embedded SQL files only | No runtime invocation found in non-test code |
| Attestor | Npgsql repositories (no Dapper usage observed in module) | `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Migrations`, `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/Migrations`, `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Migrations` | 7 | Embedded SQL files only | No runtime invocation found in non-test code |
| Signer | Npgsql repositories (no Dapper usage observed in module) | `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/Migrations` | 1 | Embedded SQL files only | No runtime invocation found in non-test code |
| Signals | Npgsql repositories (no Dapper usage observed in module) | `src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations` | 2 | Embedded SQL files only | No runtime invocation found in non-test code |
@@ -75,13 +75,13 @@ Scope: `src/**/Migrations/**/*.sql` and `src/**/migrations/**/*.sql`, excluding
- Platform API: `src/Platform/StellaOps.Platform.WebService/Endpoints/MigrationAdminEndpoints.cs`
- Platform migration registry: `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModuleRegistry.cs`
- `TimelineIndexerMigrationHostedService + CLI + PlatformAdminApi`:
- Startup host: `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/DependencyInjection/TimelineIndexerMigrationHostedService.cs`
- Startup host: `src/Timeline/__Libraries/StellaOps.TimelineIndexer.Infrastructure/DependencyInjection/TimelineIndexerMigrationHostedService.cs`
- Plug-in discovery: `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModulePluginDiscovery.cs`
- Platform API: `src/Platform/StellaOps.Platform.WebService/Endpoints/MigrationAdminEndpoints.cs`
- Platform migration registry: `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModuleRegistry.cs`
- `ScannerStartupHost`: `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/ServiceCollectionExtensions.cs`
- `AirGapStartupHost`: `src/AirGap/__Libraries/StellaOps.AirGap.Persistence/Postgres/AirGapStartupMigrationHost.cs`
- `TimelineIndexerMigrationHostedService`: `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/DependencyInjection/TimelineIndexerMigrationHostedService.cs`
- `TimelineIndexerMigrationHostedService`: `src/Timeline/__Libraries/StellaOps.TimelineIndexer.Infrastructure/DependencyInjection/TimelineIndexerMigrationHostedService.cs`
- `EvidenceLockerMigrationHostedService`: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/DependencyInjection/EvidenceLockerMigrationHostedService.cs`
- `ExportCenterMigrationHostedService`: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Db/ExportCenterDbServiceExtensions.cs`

View File

@@ -407,7 +407,7 @@ Phase 0 must complete before any module conversion (Phases 1-6) can begin. The f
## Notes
- Use Orchestrator module as reference for all patterns
- Use JobEngine module as reference for all patterns
- Prioritize getting CI pipeline working early
- Document all configuration decisions

View File

@@ -210,7 +210,7 @@ See [`docs/dev/SOLUTION_BUILD_GUIDE.md`](SOLUTION_BUILD_GUIDE.md) for the author
| Authority | `src/Authority/StellaOps.Authority.sln` |
| Bench | `src/Bench/StellaOps.Bench.sln` |
| BinaryIndex | `src/BinaryIndex/StellaOps.BinaryIndex.sln` |
| Cartographer | `src/Cartographer/StellaOps.Cartographer.sln` |
| Cartographer (absorbed into Scanner) | `src/Scanner/StellaOps.Scanner.sln` |
| Cli | `src/Cli/StellaOps.Cli.sln` |
| Concelier | `src/Concelier/StellaOps.Concelier.sln` |
| EvidenceLocker | `src/EvidenceLocker/StellaOps.EvidenceLocker.sln` |
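Review bot: the Bench row in this hunk is left as `src/Bench/StellaOps.Bench.sln`, while the determinism bench doc in this commit moves the harness to `src/Tools/StellaOps.Bench/Determinism` and the solution list in the build guide replaces the Bench entry with `src/Tools/StellaOps.Tools.sln (includes Bench, Verifier, Sdk, DevPortal)`. Update this row to match.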
@@ -218,18 +218,18 @@ See [`docs/dev/SOLUTION_BUILD_GUIDE.md`](SOLUTION_BUILD_GUIDE.md) for the author
| ExportCenter | `src/ExportCenter/StellaOps.ExportCenter.sln` |
| Feedser | `src/Feedser/StellaOps.Feedser.sln` |
| Findings | `src/Findings/StellaOps.Findings.sln` |
| Gateway | `src/Gateway/StellaOps.Gateway.sln` |
| Router (Gateway) | `src/Router/StellaOps.Router.sln` |
| Graph | `src/Graph/StellaOps.Graph.sln` |
| IssuerDirectory | `src/IssuerDirectory/StellaOps.IssuerDirectory.sln` |
| Notifier | `src/Notifier/StellaOps.Notifier.sln` |
| Notify | `src/Notify/StellaOps.Notify.sln` |
| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator.sln` |
| Orchestrator | `src/JobEngine/StellaOps.JobEngine.sln` |
| PacksRegistry | `src/PacksRegistry/StellaOps.PacksRegistry.sln` |
| Policy | `src/Policy/StellaOps.Policy.sln` |
| ReachGraph | `src/ReachGraph/StellaOps.ReachGraph.sln` |
| Registry | `src/Registry/StellaOps.Registry.sln` |
| Replay | `src/Replay/StellaOps.Replay.sln` |
| RiskEngine | `src/RiskEngine/StellaOps.RiskEngine.sln` |
| RiskEngine | `src/Findings/StellaOps.Findings.sln` (consolidated into Findings) |
| Router | `src/Router/StellaOps.Router.sln` |
| SbomService | `src/SbomService/StellaOps.SbomService.sln` |
| Scanner | `src/Scanner/StellaOps.Scanner.sln` |
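Review bot: after this change the table carries two rows for one solution, `Router (Gateway)` and `Router`, both pointing at `src/Router/StellaOps.Router.sln`; fold the Gateway note into the existing Router row. The PacksRegistry row also still points at `src/PacksRegistry/StellaOps.PacksRegistry.sln`, although the domain-roots table in this commit lists PacksRegistry under `src/JobEngine/`; check that the standalone solution still exists. The solution list in the build guide has the same Router duplicate.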
@@ -239,11 +239,11 @@ See [`docs/dev/SOLUTION_BUILD_GUIDE.md`](SOLUTION_BUILD_GUIDE.md) for the author
| SmRemote | `src/SmRemote/StellaOps.SmRemote.sln` |
| TaskRunner | `src/TaskRunner/StellaOps.TaskRunner.sln` |
| Telemetry | `src/Telemetry/StellaOps.Telemetry.sln` |
| TimelineIndexer | `src/TimelineIndexer/StellaOps.TimelineIndexer.sln` |
| Timeline (incl. TimelineIndexer) | `src/Timeline/` (no standalone sln; use root `StellaOps.sln`) |
| Tools | `src/Tools/StellaOps.Tools.sln` |
| VexHub | `src/VexHub/StellaOps.VexHub.sln` |
| VexLens | `src/VexLens/StellaOps.VexLens.sln` |
| VulnExplorer | `src/VulnExplorer/StellaOps.VulnExplorer.sln` |
| VulnExplorer | `src/Findings/StellaOps.Findings.sln` (consolidated into Findings) |
| Zastava | `src/Zastava/StellaOps.Zastava.sln` |
---

View File

@@ -20,9 +20,9 @@ The root solution file at src/StellaOps.sln is a legacy placeholder and is not u
- src/Aoc/StellaOps.Aoc.sln
- src/Attestor/StellaOps.Attestor.sln
- src/Authority/StellaOps.Authority.sln
- src/Bench/StellaOps.Bench.sln
- src/Tools/StellaOps.Tools.sln (includes Bench, Verifier, Sdk, DevPortal)
- src/BinaryIndex/StellaOps.BinaryIndex.sln
- src/Cartographer/StellaOps.Cartographer.sln
- (Cartographer absorbed into Scanner; use `src/Scanner/StellaOps.Scanner.sln` for Cartographer builds/tests)
- src/Cli/StellaOps.Cli.sln
- src/Concelier/StellaOps.Concelier.sln
- src/EvidenceLocker/StellaOps.EvidenceLocker.sln
@@ -30,18 +30,18 @@ The root solution file at src/StellaOps.sln is a legacy placeholder and is not u
- src/ExportCenter/StellaOps.ExportCenter.sln
- src/Feedser/StellaOps.Feedser.sln
- src/Findings/StellaOps.Findings.sln
- src/Gateway/StellaOps.Gateway.sln
- src/Router/StellaOps.Router.sln
- src/Graph/StellaOps.Graph.sln
- src/IssuerDirectory/StellaOps.IssuerDirectory.sln
- src/Notifier/StellaOps.Notifier.sln
- src/Notify/StellaOps.Notify.sln
- src/Orchestrator/StellaOps.Orchestrator.sln
- src/JobEngine/StellaOps.JobEngine.sln
- src/PacksRegistry/StellaOps.PacksRegistry.sln
- src/Policy/StellaOps.Policy.sln
- src/ReachGraph/StellaOps.ReachGraph.sln
- src/Registry/StellaOps.Registry.sln
- src/Replay/StellaOps.Replay.sln
- src/RiskEngine/StellaOps.RiskEngine.sln
- src/Findings/StellaOps.Findings.sln (includes RiskEngine -- consolidated Sprint 207)
- src/Router/StellaOps.Router.sln
- src/SbomService/StellaOps.SbomService.sln
- src/Scanner/StellaOps.Scanner.sln
@@ -51,11 +51,11 @@ The root solution file at src/StellaOps.sln is a legacy placeholder and is not u
- src/SmRemote/StellaOps.SmRemote.sln
- src/TaskRunner/StellaOps.TaskRunner.sln
- src/Telemetry/StellaOps.Telemetry.sln
- src/TimelineIndexer/StellaOps.TimelineIndexer.sln
- src/Timeline/ (TimelineIndexer consolidated into Timeline; use root sln)
- src/Tools/StellaOps.Tools.sln
- src/VexHub/StellaOps.VexHub.sln
- src/VexLens/StellaOps.VexLens.sln
- src/VulnExplorer/StellaOps.VulnExplorer.sln
- (VulnExplorer consolidated into src/Findings/StellaOps.Findings.sln -- Sprint 207)
- src/Zastava/StellaOps.Zastava.sln
## Notes
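Review bot: the new Timeline entry says "use root sln", but this file's own introduction (visible in the hunk headers) describes `src/StellaOps.sln` as a legacy placeholder. Either name a solution that actually builds `src/Timeline/` or reword the introduction; the module table elsewhere in this commit repeats the same "use root `StellaOps.sln`" advice and needs the same fix.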

View File

@@ -144,9 +144,9 @@ stella doctor --severity fail,warn
|-----------|-----------|-------------|
| Health Status Enum | `src/Plugin/StellaOps.Plugin.Abstractions/Health/HealthStatus.cs` | Unknown, Healthy, Degraded, Unhealthy |
| Health Check Result | `src/Plugin/StellaOps.Plugin.Abstractions/Health/HealthCheckResult.cs` | Rich result with factory methods |
| Gateway Health | `src/Gateway/StellaOps.Gateway.WebService/Middleware/HealthCheckMiddleware.cs` | `/health/live`, `/health/ready`, `/health/startup` |
| Gateway Health | `src/Router/StellaOps.Gateway.WebService/Middleware/HealthCheckMiddleware.cs` | `/health/live`, `/health/ready`, `/health/startup` |
| Scanner Health | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/HealthEndpoints.cs` | `/healthz`, `/readyz` |
| Orchestrator Health | `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/HealthEndpoints.cs` | `/health/details` |
| Orchestrator Health | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/HealthEndpoints.cs` | `/health/details` |
| Platform Health | `src/Platform/__Libraries/StellaOps.Platform.Health/PlatformHealthService.cs` | Cross-service aggregation |
| Health Contract | `devops/docker/health-endpoints.md` | Formal endpoint specification |
@@ -403,16 +403,16 @@ CREATE TABLE {schema}.schema_migrations (
### 2.8 Service Connectivity - Current State
**Location:** `src/Gateway/`, `src/Router/`
**Location:** `src/Router/`
#### What Exists Today
| Component | File Path | Description |
|-----------|-----------|-------------|
| Gateway Routing | `src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs` | HTTP to microservice routing |
| Gateway Routing | `src/Router/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs` | HTTP to microservice routing |
| Connection Manager | `src/Router/__Libraries/StellaOps.Router.Gateway/Services/ConnectionManager.cs` | HELLO handshake, heartbeats |
| Routing State | `src/Router/__Libraries/StellaOps.Router.Common/Abstractions/IGlobalRoutingState.cs` | Live service connections |
| Claims Propagation | `src/Gateway/StellaOps.Gateway.WebService/Middleware/ClaimsPropagationMiddleware.cs` | OAuth claims forwarding |
| Claims Propagation | `src/Router/StellaOps.Gateway.WebService/Middleware/ClaimsPropagationMiddleware.cs` | OAuth claims forwarding |
#### Service Registration Flow
@@ -3249,7 +3249,7 @@ Doctor:
Validates inter-service connectivity via Gateway and Router.
**References:**
- `src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs`
- `src/Router/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs`
- `src/Router/__Libraries/StellaOps.Router.Gateway/Services/ConnectionManager.cs`
**Checks Provided:**

View File

@@ -35,6 +35,6 @@ The AdvisoryAI module provides a chat orchestrator with session management, run
## Verification
- Verified on 2026-02-11 via `run-001`.
- Tier 0: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier0-source-check.json`
- Tier 1: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier1-build-check.json`
- Tier 2: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier2-api-check.json`
- Tier 0: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier0-source-check.json`
- Tier 1: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier1-build-check.json`
- Tier 2: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier2-api-check.json`
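Review bot: these three evidence paths look like collateral from the Orchestrator to JobEngine rename. The feature is AdvisoryAI's own chat orchestrator (see the hunk context line), not the JobEngine module, and the run was verified on 2026-02-11 under `advisoryai-orchestrator/run-001`. Unless the evidence directory is moved in this commit as well, revert the paths so the Tier 0 to Tier 2 links still resolve.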

View File

@@ -0,0 +1,35 @@
# DAG Planner with Critical-Path Metadata
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
DAG-based job planner that computes critical-path metadata for orchestrator execution plans, enabling dependency-aware scheduling and parallel execution of independent job chains.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `DagPlanner` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/DagPlanner.cs`) - computes execution DAGs from job dependency graphs, identifies critical path, and enables parallel scheduling of independent chains
- `DagEdge` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/DagEdge.cs`) - edge model representing dependencies between jobs in the execution DAG
- `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on DAG planner output, respecting dependency ordering
- `JobStateMachine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobStateMachine.cs`) - state machine governing job lifecycle transitions within the DAG execution
- `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with status, dependencies, and scheduling metadata
- `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - enum defining job lifecycle states
- `JobHistory` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobHistory.cs`) - historical record of job state transitions
- `DagEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/DagEndpoints.cs`) - REST API for querying DAG execution plans
- `DagContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/DagContracts.cs`) - API contracts for DAG responses
- **Interfaces**: `IDagEdgeRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IDagEdgeRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create a DAG with 5 jobs (A->B->C, A->D->E) and verify `DagPlanner` identifies A as the root and C/E as leaves
- [ ] Verify critical path computation: the longest dependency chain (A->B->C or A->D->E) is marked as the critical path
- [ ] Schedule the DAG via `JobScheduler` and verify B and D execute in parallel after A completes
- [ ] Add a new dependency (D->C) creating a diamond DAG and verify the critical path updates
- [ ] Query the DAG via `DagEndpoints` and verify the response includes all edges, critical path markers, and parallel groups
- [ ] Create a cyclic DAG (A->B->A) and verify `DagPlanner` rejects it with a cycle detection error
- [ ] Verify DAG metadata: each job node in the `DagContracts` response includes estimated duration and dependency count
- [ ] Schedule a DAG with one failed job and verify `JobStateMachine` marks downstream dependencies as blocked
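Review bot: the second E2E item has no single expected result as written: in the five-job DAG, `A->B->C` and `A->D->E` have the same length, and the item accepts either one as the critical path. Give the jobs estimated durations (the plan already expects them in the `DagContracts` response) or define the tie-break, so the test asserts one chain. The Module field also reads "Orchestrator" while every path is under `src/JobEngine/`.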

View File

@@ -0,0 +1,35 @@
# Event Fan-Out (SSE/Streaming)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Job and pack-run streaming coordinators with stream payload models for real-time SSE event delivery.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/`
- **Key Classes**:
- `JobStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/JobStreamCoordinator.cs`) - coordinates SSE streaming for job lifecycle events to connected clients
- `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates streaming for pack-run execution events
- `RunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/RunStreamCoordinator.cs`) - coordinates streaming for individual run events
- `SseWriter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/SseWriter.cs`) - writes Server-Sent Events to HTTP response streams
- `StreamOptions` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamOptions.cs`) - configuration for stream connections (heartbeat interval, buffer size, timeout)
- `StreamPayloads` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamPayloads.cs`) - typed payload models for stream events (job progress, pack-run status, log lines)
- `StreamEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE stream subscription
- `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope wrapping domain events for streaming
- `OrchestratorEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete event publisher routing events to stream coordinators
- **Interfaces**: `IEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Subscribe to the job stream via `StreamEndpoints` and trigger a job; verify SSE events are received for each state transition
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify progress events include step index, status, and log lines
- [ ] Verify heartbeat: subscribe to a stream and wait without events; confirm heartbeat events arrive at the `StreamOptions` configured interval
- [ ] Subscribe with two clients to the same job stream and verify both receive identical events (fan-out via `JobStreamCoordinator`)
- [ ] Disconnect a client mid-stream and verify the stream coordinator cleans up the connection without affecting other subscribers
- [ ] Trigger a rapid sequence of events and verify `SseWriter` delivers them in order without drops
- [ ] Verify stream payloads: each event contains a typed payload matching the `StreamPayloads` model
- [ ] Test stream timeout: idle for longer than `StreamOptions.Timeout` and verify the connection closes gracefully
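
Review bot: The test plan for `StreamEndpoints` has no authorization or tenant-isolation case. Nothing checks that a subscriber without a valid token is refused, or that a client in one tenant cannot subscribe to another tenant's job stream. Because `StreamPayloads` carries log lines, add both cases. The "in order without drops" case should also say what happens to a slow consumer once the `StreamOptions` buffer size is reached. Separately, `## Module` says Orchestrator while every path is under `src/JobEngine/`; use the name the paths use or note the rename.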

View File

@@ -0,0 +1,33 @@
# Export Job Service
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Export job management with service and domain model for orchestrated export operations.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Services/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/`
- **Key Classes**:
- `ExportJobService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Services/ExportJobService.cs`) - manages export job lifecycle: creation, scheduling, execution tracking, and completion
- `ExportJob` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJob.cs`) - export job entity with status, target, format, and schedule
- `ExportJobPolicy` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJobPolicy.cs`) - policy controlling export permissions and constraints
- `ExportJobTypes` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJobTypes.cs`) - enumeration of supported export types (evidence pack, audit report, snapshot)
- `ExportSchedule` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportSchedule.cs`) - scheduling configuration for recurring exports
- `LedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/LedgerExporter.cs`) - exports audit ledger data for compliance and audit
- `ExportJobEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ExportJobEndpoints.cs`) - REST API for creating, querying, and managing export jobs
- **Interfaces**: `ILedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/ILedgerExporter.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create an export job via `ExportJobEndpoints` with type=evidence_pack and verify it is persisted with status=Pending
- [ ] Execute the export job via `ExportJobService` and verify status transitions: Pending -> Running -> Completed
- [ ] Verify export policy enforcement: create an export job with a restricted type and verify `ExportJobPolicy` rejects it
- [ ] Schedule a recurring export via `ExportSchedule` and verify the next execution is computed correctly
- [ ] Export audit ledger data via `LedgerExporter` and verify the output contains all entries within the specified time range
- [ ] Create an export job with retention policy and verify completed exports are cleaned up after expiry
- [ ] Query export jobs via `ExportJobEndpoints` with status filter and verify pagination works correctly
- [ ] Test export failure: simulate an export error and verify the job transitions to Failed with error details
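
Review bot: The retention case ("Create an export job with retention policy and verify completed exports are cleaned up after expiry") refers to behaviour that none of the listed classes own. `ExportJob` is described with status, target, format and schedule, and `ExportJobPolicy` with permissions and constraints. Name the class and field that hold the retention setting, or drop the case. The plan also has no tenant-scoping case, although `LedgerExporter` exports audit ledger data; add one that shows an export for one tenant never contains another tenant's entries.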

View File

@@ -0,0 +1,37 @@
# Job Lifecycle State Machine
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Job scheduling with Postgres-backed job repository, event envelope domain model, and air-gap compatible scheduling tests.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`
- **Key Classes**:
- `JobStateMachine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobStateMachine.cs`) - finite state machine governing job lifecycle transitions (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled)
- `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on state machine rules and DAG dependencies
- `RetryPolicy` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/RetryPolicy.cs`) - configurable retry policy for failed jobs (max retries, backoff strategy)
- `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with current status, attempts, and metadata
- `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - enum defining all valid job states
- `JobHistory` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobHistory.cs`) - historical record of all state transitions with timestamps
- `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope emitted on state transitions
- `TimelineEvent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
- `TimelineEventEmitter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on state transitions
- `JobEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/JobEndpoints.cs`) - REST API for job management
- `JobContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/JobContracts.cs`) - API contracts for job operations
- **Interfaces**: `IJobRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobRepository.cs`), `IJobHistoryRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobHistoryRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create a job via `JobEndpoints` and verify initial state is Pending
- [ ] Schedule the job via `JobScheduler` and verify state transition: Pending -> Scheduled, with `TimelineEvent` emitted
- [ ] Start the job and verify `JobStateMachine` transition: Scheduled -> Running
- [ ] Complete the job and verify transition: Running -> Completed with completion timestamp in `JobHistory`
- [ ] Fail the job and verify transition: Running -> Failed with retry attempt incremented
- [ ] Verify `RetryPolicy`: fail a job with max_retries=3 and verify it re-enters Scheduled up to 3 times before terminal failure
- [ ] Attempt an invalid transition (e.g., Completed -> Running) and verify `JobStateMachine` rejects it
- [ ] Verify air-gap scheduling: schedule a job in sealed mode and verify it does not attempt network egress
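
Review bot: The `RetryPolicy` case expects a failed job to re-enter Scheduled, but the transition list on `JobStateMachine` (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled) shows no edge back to Scheduled, so the invalid-transition case and the retry case cannot both be judged against it. Document the retry edge and which states are terminal, and add a case for Cancelled, which is listed but never exercised. The Description line covers the repository and scheduling tests rather than the state machine the title names; one sentence on the state machine itself would help.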

View File

@@ -0,0 +1,35 @@
# Orchestrator Admin Quota Controls (orch:quota, orch:backfill)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
New `orch:quota` and `orch:backfill` scopes with mandatory reason/ticket fields. Token requests must include `quota_reason`/`backfill_reason` and optionally `quota_ticket`/`backfill_ticket`. Authority persists these as claims and audit properties for traceability of capacity-affecting operations.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota entity with limits, current usage, and allocation metadata
- `BackfillRequest` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/BackfillRequest.cs`) - backfill request model with reason, ticket, and scope
- `BackfillManager` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/BackfillManager.cs`) - manages backfill operations with duplicate suppression and event time window tracking
- `DuplicateSuppressor` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/DuplicateSuppressor.cs`) - prevents duplicate backfill requests within a time window
- `EventTimeWindow` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/EventTimeWindow.cs`) - time window for backfill event deduplication
- `QuotaEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota management (view, adjust, allocate)
- `QuotaContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
- `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry capturing quota/backfill actions with reason and ticket
- `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - resolves tenant context for quota scoping
- **Interfaces**: `IQuotaRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IQuotaRepository.cs`), `IBackfillRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IBackfillRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Request a quota adjustment via `QuotaEndpoints` with `quota_reason` and `quota_ticket`; verify the adjustment is applied and audited in `AuditEntry`
- [ ] Attempt a quota adjustment without `quota_reason` and verify it is rejected with a 400 error
- [ ] Request a backfill via `BackfillManager` with `backfill_reason` and verify the backfill is initiated
- [ ] Submit a duplicate backfill request within the `EventTimeWindow` and verify `DuplicateSuppressor` rejects it
- [ ] Verify audit trail: check the `AuditEntry` for the quota adjustment and confirm reason and ticket are captured
- [ ] Query current quota usage via `QuotaEndpoints` and verify limits and current usage are returned
- [ ] Adjust quota beyond the maximum limit and verify the operation is rejected by policy
- [ ] Verify tenant scoping via `TenantResolver`: adjust quota for tenant A and verify tenant B's quota is unchanged
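
Review bot: The negative cases stop at a missing `quota_reason`. There is no case for a missing `backfill_reason`, and none for a token that lacks `orch:quota` or `orch:backfill` calling `QuotaEndpoints` or starting a backfill, which is the check the new scopes exist for. Add both, with the expected status code for the missing-scope case. The Description places the reason requirement on the token request at Authority, while the 400 case reads as a call to `QuotaEndpoints`; state which component returns the 400.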

View File

@@ -0,0 +1,39 @@
# Orchestrator Audit Ledger
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Append-only audit ledger tracking all orchestrator job lifecycle state changes, rate-limit decisions, and dead-letter events with tenant-scoped isolation.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry model with action type, actor, tenant, timestamp, and metadata
- `RunLedger` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/RunLedger.cs`) - run-level ledger tracking execution history
- `SignedManifest` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/SignedManifest.cs`) - signed manifest for tamper-evident ledger export
- `LedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/LedgerExporter.cs`) - exports ledger data for compliance and audit
- `AuditEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying audit ledger entries
- `LedgerEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/LedgerEndpoints.cs`) - REST API for ledger export and querying
- `AuditLedgerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts for audit responses
- `DeadLetterEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/DeadLetterEntry.cs`) - dead-letter entry in the audit trail
- `DeadLetterNotifier` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/DeadLetterNotifier.cs`) - notifies on dead-letter events
- `ErrorClassification` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/ErrorClassification.cs`) - classifies errors for dead-letter categorization
- `ReplayManager` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/ReplayManager.cs`) - manages replay of dead-letter entries
- `DeadLetterEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/DeadLetterEndpoints.cs`) - REST API for dead-letter management
- `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - ensures tenant-scoped audit isolation
- **Interfaces**: `ILedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/ILedgerExporter.cs`), `IAuditRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IAuditRepository.cs`), `IDeadLetterRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/IDeadLetterRepository.cs`), `ILedgerRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/ILedgerRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Trigger a job state transition and verify an `AuditEntry` is created in the ledger with action type, actor, and timestamp
- [ ] Query the audit ledger via `AuditEndpoints` with a time range filter and verify only matching entries are returned
- [ ] Verify tenant isolation via `TenantResolver`: create audit entries for two tenants and verify each tenant only sees their own entries
- [ ] Trigger a dead-letter event and verify it appears in both the `DeadLetterEntry` store and the audit ledger
- [ ] Export the audit ledger via `LedgerExporter` and verify the export contains all entries within the specified range
- [ ] Replay a dead-letter entry via `ReplayManager` and verify the replay action is also audited
- [ ] Verify `ErrorClassification` categorizes different error types correctly (transient, permanent, unknown)
- [ ] Query dead-letter entries via `DeadLetterEndpoints` and verify pagination and filtering work
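
Review bot: The Description calls the ledger append-only and `SignedManifest` is listed for tamper-evident export, but no case in the plan tests either property. Add a case that attempts to update or delete an existing `AuditEntry` and expects rejection, and a case that alters an exported ledger and expects `SignedManifest` verification to fail. Rate-limit decisions are named in the Description as audited events and also have no case or owning class listed.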

View File

@@ -0,0 +1,40 @@
# Orchestrator Event Envelopes with SSE/WebSocket Streaming
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Typed event envelope system with SSE and WebSocket streaming for real-time orchestrator job progress, enabling live UI updates and CLI monitoring of pack-run execution.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/`
- **Key Classes**:
- `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope with event type, payload, timestamp, and correlation ID
- `EventEnvelope` (legacy) (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/EventEnvelope.cs`) - legacy event envelope model
- `TimelineEvent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
- `TimelineEventEmitter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on domain actions
- `OrchestratorEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete publisher routing events to stream coordinators
- `EventEnvelopeHasher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/EventEnvelopeHasher.cs`) - hashes event envelopes for integrity verification
- `CanonicalJsonHasher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/CanonicalJsonHasher.cs`) - canonical JSON hashing for deterministic event hashes
- `SseWriter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/SseWriter.cs`) - Server-Sent Events writer
- `JobStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/JobStreamCoordinator.cs`) - job event stream coordinator
- `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - pack-run stream coordinator
- `RunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/RunStreamCoordinator.cs`) - run-level stream coordinator
- `StreamEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE subscriptions
- `StreamOptions` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamOptions.cs`) - stream configuration
- `StreamPayloads` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamPayloads.cs`) - typed event payloads
- **Interfaces**: `IEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create an `EventEnvelope` with type=job_completed and payload; verify it is hashed via `EventEnvelopeHasher` and the hash is deterministic
- [ ] Publish an event via `OrchestratorEventPublisher` and verify it reaches the `JobStreamCoordinator`
- [ ] Subscribe to SSE via `StreamEndpoints` and verify events arrive as formatted SSE messages (data: + newline)
- [ ] Verify canonical hashing: create two identical events and verify `CanonicalJsonHasher` produces identical hashes
- [ ] Subscribe to pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify real-time progress events include step index and status
- [ ] Verify `StreamOptions`: configure heartbeat interval and verify heartbeats arrive at the configured cadence
- [ ] Publish 100 events rapidly and verify `SseWriter` delivers all of them in order
- [ ] Verify event envelope correlation: publish events with the same correlation ID and verify they can be filtered by correlation
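
Review bot: The title and Description promise WebSocket streaming, but every listed class and every test case is SSE (`SseWriter`, `StreamEndpoints` "for SSE subscriptions"). Either list the WebSocket endpoint and add a case for it, or remove WebSocket from the title. Two `EventEnvelope` classes are listed (current and legacy) without saying which one `EventEnvelopeHasher` accepts. The canonical-hashing case compares "two identical events", which would pass without canonicalization; use two envelopes that differ only in property order or whitespace.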

View File

@@ -0,0 +1,44 @@
# Orchestrator Golden Signals Observability
## Module
Orchestrator
## Status
VERIFIED
## Description
Built-in golden signal metrics (latency, traffic, errors, saturation) for orchestrator job execution, with timeline event emission and job capsule provenance tracking.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`
- **Key Classes**:
- `OrchestratorGoldenSignals` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - golden signal metrics: latency (p50/p95/p99), traffic (requests/sec), errors (error rate), saturation (queue depth, CPU, memory)
- `OrchestratorMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorMetrics.cs`) - OpenTelemetry metrics registration for orchestrator operations
- `IncidentModeHooks` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Observability/IncidentModeHooks.cs`) - hooks triggered when golden signals breach thresholds, activating incident mode
- `JobAttestationService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobAttestationService.cs`) - generates attestations for job execution with provenance data
- `JobAttestation` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobAttestation.cs`) - attestation model for a completed job
- `JobCapsule` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobCapsule.cs`) - capsule containing job execution evidence (inputs, outputs, metrics)
- `JobCapsuleGenerator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobCapsuleGenerator.cs`) - generates job capsules from execution data
- `JobRedactionGuard` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobRedactionGuard.cs`) - redacts sensitive data from job capsules before attestation
- `SnapshotHook` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/SnapshotHook.cs`) - hook capturing execution state snapshots at key points
- `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics for auto-scaling decisions
- `KpiEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/KpiEndpoints.cs`) - REST endpoints for KPI/metrics queries
- `HealthEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/HealthEndpoints.cs`) - health check endpoints
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Execute a job and verify `OrchestratorGoldenSignals` records latency, traffic, and error metrics
- [ ] Verify golden signal latency: execute 10 jobs with varying durations and verify p50/p95/p99 percentiles are computed correctly
- [ ] Trigger an error threshold breach and verify `IncidentModeHooks` activates incident mode
- [ ] Generate a `JobCapsule` via `JobCapsuleGenerator` and verify it contains job inputs, outputs, and execution metrics
- [ ] Verify redaction: include sensitive data in job inputs and verify `JobRedactionGuard` removes it from the capsule
- [ ] Generate a `JobAttestation` via `JobAttestationService` and verify it contains the capsule hash and provenance data
- [ ] Query KPI metrics via `KpiEndpoints` and verify golden signal data is returned
- [ ] Verify `HealthEndpoints` report healthy when golden signals are within thresholds
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-golden-signals-observability/run-002/tier2-integration-check.json`
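
Review bot: Status is VERIFIED, yet every item in the E2E Test Plan is still unchecked and the Verification section cites only file presence, build and test counts, and a Tier 2d file. Tick the cases that run-002 covered or say which tier stands in for them. The first case records latency, traffic and error metrics but omits saturation, the fourth signal in the Description. `IncidentModeHooks` lives under `Core/Observability/`, which the Modules line does not list.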

View File

@@ -0,0 +1,39 @@
# Orchestrator Operator Scope with Audit Metadata
## Module
Orchestrator
## Status
VERIFIED
## Description
New `orch:operate` scope and `Orch.Operator` role requiring explicit `operator_reason` and `operator_ticket` parameters on token requests. Authority enforces these fields and captures them as audit properties, giving SecOps traceability for every orchestrator control action.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry capturing operator actions with reason and ticket metadata
- `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - resolves tenant and operator context from token claims
- `AuditEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying operator audit trail
- `AuditLedgerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts including operator metadata
- `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota model with operator attribution
- `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job model with operator tracking
- `DeprecationHeaders` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/DeprecationHeaders.cs`) - deprecation header support for versioned operator APIs
- **Interfaces**: `IAuditRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IAuditRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Request a token with `orch:operate` scope, `operator_reason="maintenance"`, and `operator_ticket="TICKET-123"`; verify the token is issued
- [ ] Perform an operator action (e.g., cancel a job) with the scoped token; verify an `AuditEntry` captures the operator_reason and operator_ticket
- [ ] Attempt an operator action without `operator_reason` and verify it is rejected with a 400 error
- [ ] Query the audit trail via `AuditEndpoints` and filter by operator_ticket; verify matching entries are returned
- [ ] Verify operator scope enforcement: use a token without `orch:operate` scope and verify operator actions are forbidden (403)
- [ ] Perform multiple operator actions and verify each generates a separate `AuditEntry` with correct metadata
- [ ] Verify tenant scoping via `TenantResolver`: operator actions for tenant A are not visible in tenant B's audit trail
- [ ] Verify audit entry immutability: attempt to modify an existing `AuditEntry` and verify it is rejected
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-operator-scope-with-audit-metadata/run-002/tier2-integration-check.json`
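
Review bot: The Description requires both `operator_reason` and `operator_ticket`, but the plan only tests a missing `operator_reason`; add the missing-ticket case so the two fields are held to the same rule. The 400 case is phrased as "Attempt an operator action without `operator_reason`", while the Description says Authority enforces the fields on the token request. State whether the rejection happens at token issuance or at the orchestrator endpoint, because the two checks live in different services.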

View File

@@ -0,0 +1,46 @@
# Orchestrator Worker SDKs (Go and Python)
## Module
Orchestrator
## Status
VERIFIED
## Description
Multi-language Worker SDKs enabling external workers to participate in orchestrator job execution via Go and Python clients, with examples and structured API packages.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/`, `src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `client.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/client.go`) - Go SDK client for worker communication
- `config.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/config.go`) - Go SDK configuration
- `artifact.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/artifact.go`) - artifact handling in Go SDK
- `backfill.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/backfill.go`) - backfill support in Go SDK
- `retry.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/retry.go`) - retry logic in Go SDK
- `errors.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/errors.go`) - error types in Go SDK
- `transport.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/internal/transport/transport.go`) - HTTP transport layer for Go SDK
- `main.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/examples/smoke/main.go`) - smoke test example worker
- `client.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/client.py`) - Python SDK client
- `config.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/config.py`) - Python SDK configuration
- `backfill.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/backfill.py`) - Python backfill support
- `WorkerEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/WorkerEndpoints.cs`) - REST API for worker registration and job assignment
- `WorkerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/WorkerContracts.cs`) - API contracts for worker communication
- `Worker` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Worker/Worker.cs`) - .NET worker implementation
- **Interfaces**: None (SDK clients are standalone)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Register a Go worker via `WorkerEndpoints` and verify it receives a job assignment
- [ ] Execute a job with the Go worker SDK `client.go` and verify results are reported back via the API
- [ ] Register a Python worker via `client.py` and verify it receives a job assignment
- [ ] Verify Go SDK retry: configure `retry.go` policy and simulate a transient failure; verify the SDK retries and succeeds
- [ ] Verify artifact handling: upload an artifact via `artifact.go` and verify it is persisted
- [ ] Verify backfill: trigger a backfill via `backfill.py` and verify it processes historical events
- [ ] Verify Go SDK error types: trigger different error conditions and verify `errors.go` returns appropriate error types
- [ ] Run the Go smoke test example `main.go` and verify it completes successfully against the orchestrator API
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk (Go SDK, Python SDK, .NET endpoints).
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-worker-sdks/run-002/tier2-integration-check.json`
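
Review bot: The Verification section does not show the SDKs themselves being exercised. Tier 0 confirms the Go and Python files exist and Tier 1 is `dotnet build` plus the .NET tests, neither of which compiles or runs `client.go` or `client.py`. Record the Go and Python build and test results, or state that the Tier 2d check covers them. The plan also has no case for a worker that registers at `WorkerEndpoints` without valid credentials, and the Python SDK lists no counterpart to `retry.go`, `errors.go` or `artifact.go`; say whether that gap is intended.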

View File

@@ -0,0 +1,36 @@
# Network Intent Validator (Air-Gap Orchestrator Controls)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/`
- **Key Classes**:
- `NetworkIntentValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/NetworkIntentValidator.cs`) - validates job network intent against air-gap policy, blocking egress requests in sealed mode
- `StalenessValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/StalenessValidator.cs`) - validates data freshness in air-gapped environments, ensuring cached data is within acceptable staleness bounds
- `NetworkIntent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/NetworkIntent.cs`) - declares the network intent of a job (egress, ingress, local-only)
- `SealingStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/SealingStatus.cs`) - enum for air-gap sealing state (Sealed, Unsealed, Transitioning)
- `StalenessConfig` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessConfig.cs`) - configuration for acceptable data staleness in air-gap mode
- `StalenessValidationResult` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessValidationResult.cs`) - result of staleness validation
- `BundleProvenance` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/BundleProvenance.cs`) - provenance tracking for air-gap bundles
- `MirrorBundle` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorBundle.cs`) - bundle model for offline mirror operations
- `MirrorJobTypes` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorJobTypes.cs`) - types of mirror jobs (sync, verify, prune)
- `MirrorOperationRecorder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorOperationRecorder.cs`) - records mirror operations for audit trail
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Set `SealingStatus` to Sealed and submit a job with egress intent; verify `NetworkIntentValidator` rejects it
- [ ] Set `SealingStatus` to Unsealed and submit a job with egress intent; verify it is allowed
- [ ] Validate staleness: set `StalenessConfig` max staleness to 24 hours and verify data older than 24 hours is rejected by `StalenessValidator`
- [ ] Create a mirror job with type=sync and verify `MirrorOperationRecorder` records the operation
- [ ] Verify bundle provenance: create a `MirrorBundle` and verify `BundleProvenance` captures origin, sync timestamp, and hash
- [ ] Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked
- [ ] Submit a local-only `NetworkIntent` job in sealed mode and verify it is allowed
- [ ] Verify staleness config: set different staleness thresholds per data type in `StalenessConfig` and verify per-type enforcement
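
Review bot: `SealingStatus` is documented with three states (Sealed, Unsealed, Transitioning), but the test plan only exercises Sealed and Unsealed, and the single transition case ("verify in-flight egress jobs are blocked") does not say what `NetworkIntentValidator` must return while the status is Transitioning. Add a case that submits an egress job during Transitioning and states the expected result, so a fail-open window during sealing cannot go unnoticed. `NetworkIntent` also lists ingress, which no plan item covers. Separately, `## Module` says Orchestrator while every path in the file is under `src/JobEngine/`.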

View File

@@ -0,0 +1,43 @@
# Pack-Run Bridge (TaskRunner Integration)
## Module
Orchestrator
## Status
VERIFIED
## Description
Pack-run integration with Postgres repository, API endpoints, stream coordinator for log/artifact streaming, and domain model.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
- **Key Classes**:
- `Pack` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Pack.cs`) - pack entity containing a set of jobs to execute as a unit
- `PackRun` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/PackRun.cs`) - pack-run entity tracking execution of a pack instance
- `PackRunLog` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/PackRunLog.cs`) - log entries for pack-run execution
- `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates real-time streaming of pack-run logs and artifacts
- `PackRunEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/PackRunEndpoints.cs`) - REST API for creating, querying, and managing pack runs
- `PackRegistryEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/PackRegistryEndpoints.cs`) - REST API for pack registration and versioning
- `PackRunContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/PackRunContracts.cs`) - API contracts for pack-run operations
- `PackRegistryContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/PackRegistryContracts.cs`) - API contracts for pack registry
- `Run` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Run.cs`) - individual run within a pack execution
- `RunEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/RunEndpoints.cs`) - REST API for run management
- `RunContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/RunContracts.cs`) - API contracts for run operations
- **Interfaces**: `IPackRunRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IPackRunRepository.cs`), `IPackRegistryRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IPackRegistryRepository.cs`), `IRunRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IRunRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Register a pack via `PackRegistryEndpoints` with 3 jobs and verify it is persisted with version 1
- [ ] Create a pack run via `PackRunEndpoints` and verify it starts executing the pack's jobs
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and verify real-time log entries arrive as jobs execute
- [ ] Verify pack-run completion: all 3 jobs complete and the `PackRun` transitions to Completed
- [ ] Verify pack versioning: update a pack and verify `PackRegistryEndpoints` creates version 2 while preserving version 1
- [ ] Query `PackRunLog` entries via the API and verify all log entries are returned in chronological order
- [ ] Fail one job in a pack run and verify the pack run reports partial failure
- [ ] Create multiple pack runs concurrently and verify they execute independently
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/pack-run-bridge/run-002/tier2-integration-check.json`
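
Review bot: The description promises "log/artifact streaming", but the only streaming case in the test plan checks log entries; nothing verifies that artifacts arrive through `PackRunStreamCoordinator`. Add an artifact-streaming case or narrow the description. The status is also VERIFIED with a 2026-02-13 run while all eight plan items are unchecked (`- [ ]`); say whether the checkboxes are meant to track that run.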

View File

@@ -0,0 +1,43 @@
# Quota Governance and Circuit Breakers
## Module
Orchestrator
## Status
VERIFIED
## Description
Quota governance services with cross-tenant allocation policies and circuit breaker automation for downstream service failure protection, integrated with rate limiting and load shedding.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/`
- **Key Classes**:
- `QuotaGovernanceService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Services/QuotaGovernanceService.cs`) - cross-tenant quota allocation with 5 strategies (unlimited, proportional, priority, reserved, max-limit)
- `CircuitBreakerService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Services/CircuitBreakerService.cs`) - circuit breaker with Closed/Open/HalfOpen state transitions
- `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota entity with limits and allocation
- `QuotaEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota queries and adjustments
- `QuotaContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
- `Throttle` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Throttle.cs`) - throttle configuration for rate limiting
- `AdaptiveRateLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/AdaptiveRateLimiter.cs`) - adaptive rate limiting based on system load
- `ConcurrencyLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job execution
- `BackpressureHandler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/BackpressureHandler.cs`) - backpressure signaling
- `LoadShedder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/LoadShedder.cs`) - load shedding under saturation
- `PostgresQuotaRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Postgres/PostgresQuotaRepository.cs`) - Postgres-backed quota storage
- `PostgresThrottleRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Postgres/PostgresThrottleRepository.cs`) - Postgres-backed throttle storage
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Configure a quota policy with proportional allocation and verify QuotaGovernanceService distributes capacity across tenants
- [ ] Request quota above max limit and verify the request is capped
- [ ] Pause a tenant and verify quota requests are denied
- [ ] Trigger circuit breaker by exceeding failure threshold and verify downstream requests are blocked
- [ ] Verify circuit breaker recovery: wait for timeout, verify HalfOpen state, send success to close
- [ ] Force-open and force-close the circuit breaker and verify state changes
- [ ] Test concurrent access to circuit breaker and verify thread safety
- [ ] Verify all 5 allocation strategies produce correct quota distributions
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/quota-governance-and-circuit-breakers/run-002/tier2-integration-check.json`
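
Review bot: "Test concurrent access to circuit breaker and verify thread safety" has no pass criterion. State what is observed, for example that parallel failures past the threshold produce exactly one Closed to Open transition in `CircuitBreakerService` and no lost failure counts. The file also has no `**Interfaces**` line between the key classes and `**Source**`, which the other feature docs in this commit include even when the value is None, and the plan names QuotaGovernanceService without backticks.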

View File

@@ -0,0 +1,42 @@
# SKIP LOCKED Queue Pattern
## Module
Orchestrator
## Status
VERIFIED
## Description
SKIP LOCKED queue pattern is used in Scheduler and Orchestrator job repositories for reliable work distribution.
## Implementation Details
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`
- **Key Classes**:
- `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - job scheduler using PostgreSQL `SELECT ... FOR UPDATE SKIP LOCKED` for concurrent job dequeuing without contention
- `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with status field used for queue filtering
- `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - job states used in queue queries (Pending jobs are available for dequeuing)
- `Watermark` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Watermark.cs`) - watermark tracking for ordered processing
- `AdaptiveRateLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/AdaptiveRateLimiter.cs`) - rate limiter that adjusts based on queue depth and processing speed
- `ConcurrencyLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job processing
- `TokenBucket` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/TokenBucket.cs`) - token bucket rate limiter for smooth job distribution
- `BackpressureHandler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/BackpressureHandler.cs`) - applies backpressure when queue depth exceeds thresholds
- `LoadShedder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/LoadShedder.cs`) - sheds load when system is saturated
- `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics for monitoring queue depth and throughput
- **Interfaces**: `IJobRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobRepository.cs`), `IWatermarkRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IWatermarkRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Enqueue 10 jobs and dequeue from 3 concurrent workers using SKIP LOCKED via `JobScheduler`; verify each job is assigned to exactly one worker
- [ ] Verify no contention: dequeue rapidly from 5 workers and verify no blocking or deadlocks occur
- [ ] Verify job visibility: a job locked by worker A is not visible to worker B during dequeue
- [ ] Complete a locked job and verify it is no longer in the queue
- [ ] Verify `AdaptiveRateLimiter`: increase queue depth and verify the rate limiter increases throughput
- [ ] Verify `BackpressureHandler`: fill the queue beyond the threshold and verify backpressure is signaled to producers
- [ ] Verify `LoadShedder`: saturate the system and verify new jobs are rejected with a 503 response
- [ ] Test `TokenBucket`: configure a rate of 10 jobs/second and verify the bucket enforces the limit
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/skip-locked-queue-pattern/run-002/tier2-integration-check.json`
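
Review bot: The plan covers the happy path of `SELECT ... FOR UPDATE SKIP LOCKED` (exclusive assignment, no blocking, completion) but has no case for a worker that dequeues a job and then dies or rolls back. Since the description claims reliable work distribution, add a case that aborts the dequeuing transaction and verifies the job becomes visible to another worker again. The description also places the pattern in "job repositories", yet the key classes attribute the query to `JobScheduler` in `Core/Scheduling/` and list only the `IJobRepository` interface; name the repository implementation that issues the query.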

View File

@@ -10,14 +10,14 @@ VERIFIED
SLO burn-rate computation for orchestrator operations with configurable alert budgets, enabling proactive capacity and reliability management.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/SloManagement/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`
- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/SloManagement/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`
- **Key Classes**:
- `BurnRateEngine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/SloManagement/BurnRateEngine.cs`) - computes SLO burn rate from error budget consumption over rolling windows (1h, 6h, 24h, 30d)
- `Slo` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Slo.cs`) - SLO entity with target (e.g., 99.9%), error budget, and current burn rate
- `SloEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/SloEndpoints.cs`) - REST API for SLO queries and burn rate dashboards
- `IncidentModeHooks` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Observability/IncidentModeHooks.cs`) - activates incident mode when burn rate exceeds alert thresholds
- `OrchestratorGoldenSignals` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - provides underlying error/latency data for SLO computation
- `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics feeding SLO saturation signals
- `BurnRateEngine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/SloManagement/BurnRateEngine.cs`) - computes SLO burn rate from error budget consumption over rolling windows (1h, 6h, 24h, 30d)
- `Slo` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Slo.cs`) - SLO entity with target (e.g., 99.9%), error budget, and current burn rate
- `SloEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/SloEndpoints.cs`) - REST API for SLO queries and burn rate dashboards
- `IncidentModeHooks` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Observability/IncidentModeHooks.cs`) - activates incident mode when burn rate exceeds alert thresholds
- `OrchestratorGoldenSignals` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - provides underlying error/latency data for SLO computation
- `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics feeding SLO saturation signals
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
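
Review bot: The paths move to `src/JobEngine/...`, but the class `OrchestratorGoldenSignals` and the description in the hunk context ("orchestrator operations") keep the old name. If the type was intentionally not renamed, say so in this list; otherwise check `OrchestratorGoldenSignals.cs` under `StellaOps.JobEngine.Infrastructure/Observability/` against the tree so the doc does not point at a path that does not exist.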
@@ -35,4 +35,4 @@ SLO burn-rate computation for orchestrator operations with configurable alert bu
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/slo-burn-rate-computation-and-alert-budget-tracking/run-002/tier2-integration-check.json`
- Tier 2d: `docs/qa/feature-checks/runs/jobengine/slo-burn-rate-computation-and-alert-budget-tracking/run-002/tier2-integration-check.json`
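
Review bot: The Tier 2d evidence path changes from `runs/orchestrator/...` to `runs/jobengine/...` while the verification line still reads "Verified on 2026-02-13 via `run-002`". Confirm that `tier2-integration-check.json` was moved along with this edit, and consider noting that the run was recorded under the Orchestrator name so the evidence stays traceable.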

View File

@@ -4,17 +4,17 @@
__Libraries
## Status
VERIFIED
ARCHIVED (2026-03-04) — Zero production consumers. Source preserved at `src/__Libraries/_archived/StellaOps.AdvisoryLens/`.
## Description
Contextual copilot library that learns from organizational data to surface explainable suggestions. Core library provides semantic case matching engine (`StellaOps.AdvisoryLens`).
## Implementation Details
- **AdvisoryLensService**: `src/__Libraries/StellaOps.AdvisoryLens/Services/AdvisoryLensService.cs` -- main service implementing `IAdvisoryLensService`
- **CaseMatcher**: `src/__Libraries/StellaOps.AdvisoryLens/Matching/CaseMatcher.cs` -- semantic case matching engine
- **Models**: `src/__Libraries/StellaOps.AdvisoryLens/Models/` -- `AdvisoryCase.cs`, `CasePattern.cs`, `LensContext.cs`, `LensHint.cs`, `LensResult.cs`, `LensSuggestion.cs`
- **DI Registration**: `src/__Libraries/StellaOps.AdvisoryLens/DependencyInjection/ServiceCollectionExtensions.cs`
- **Tests**: `src/__Libraries/__Tests/StellaOps.AdvisoryLens.Tests/` (19 tests passing)
- **AdvisoryLensService**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Services/AdvisoryLensService.cs` -- main service implementing `IAdvisoryLensService`
- **CaseMatcher**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Matching/CaseMatcher.cs` -- semantic case matching engine
- **Models**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Models/` -- `AdvisoryCase.cs`, `CasePattern.cs`, `LensContext.cs`, `LensHint.cs`, `LensResult.cs`, `LensSuggestion.cs`
- **DI Registration**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/DependencyInjection/ServiceCollectionExtensions.cs`
- **Tests**: `src/__Libraries/_archived/StellaOps.AdvisoryLens.Tests/` (19 tests passing)
- **Source**: Feature matrix scan
## E2E Test Plan
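
Review bot: The `**Tests**` line keeps "(19 tests passing)" after the project moves to `src/__Libraries/_archived/StellaOps.AdvisoryLens.Tests/`. If archived projects are no longer built or run, reword this as a dated statement (19 tests passing at the time of archival) so the doc does not claim a current result. The description is also still in the present tense for a library the status line now marks as having zero production consumers.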

View File

@@ -4,16 +4,16 @@
__Libraries
## Status
VERIFIED
ARCHIVED (2026-03-04) — Zero production consumers. Source preserved at `src/__Libraries/_archived/StellaOps.Resolver/`.
## Description
Full deterministic resolver with 4-phase resolution (validate, order, evaluate, digest), immutable evidence graph with content-addressed GraphDigest, Tarjan's SCC cycle detection, implicit data detection, and integration with trust lattice engine. Guarantees pure evaluation with no IO in the compute phase.
## Implementation Details
- **DeterministicResolver**: `src/__Libraries/StellaOps.Resolver/DeterministicResolver.cs` -- `ResolveAsync(graph, evaluator, context)` orchestrates 4-phase resolution: Phase 1 `Validate(graph)` runs cycle detection and implicit data detection; Phase 2 `OrderNodes(graph)` produces deterministic topological ordering; Phase 3 `EvaluatePure(orderedNodes, evaluator, context)` evaluates each node with predecessor verdicts (no IO); Phase 4 computes final resolution digest from all node verdicts; uses `PureEvaluationContext` to enforce runtime purity
- **EvidenceGraph**: `src/__Libraries/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with sorted `Nodes` (IReadOnlyList<EvidenceNode>) and `Edges` (IReadOnlyList<EvidenceEdge>); `GraphDigest` (content-addressed via `CanonicalJsonSerializer.SerializeWithDigest`); `AddNode(node)` and `AddEdge(edge)` return new immutable instances; nodes and edges sorted for deterministic digest
- **GraphValidation**: `src/__Libraries/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining `TarjanCycleDetector` (Tarjan's SCC algorithm with `IsCycleCut` edge exclusion) and `DefaultImplicitDataDetector` (detects dangling edges, duplicate IDs); `TarjanCycleDetector` uses index/lowlink tracking, stack-based DFS, reports strongly connected components with >1 node as cycles
- **RuntimePurity**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `PureEvaluationContext` with `CreateStrict()` (all prohibited accessors) and `Create(injectedNow, envVars)` (deterministic providers); `ProhibitedTimeProvider`, `ProhibitedNetworkAccessor`, `ProhibitedFileSystemAccessor`, `ProhibitedEnvironmentAccessor` all throw `AmbientAccessViolationException`; `InjectedTimeProvider` and `InjectedEnvironmentAccessor` for deterministic evaluation
- **DeterministicResolver**: `src/__Libraries/_archived/StellaOps.Resolver/DeterministicResolver.cs` -- `ResolveAsync(graph, evaluator, context)` orchestrates 4-phase resolution: Phase 1 `Validate(graph)` runs cycle detection and implicit data detection; Phase 2 `OrderNodes(graph)` produces deterministic topological ordering; Phase 3 `EvaluatePure(orderedNodes, evaluator, context)` evaluates each node with predecessor verdicts (no IO); Phase 4 computes final resolution digest from all node verdicts; uses `PureEvaluationContext` to enforce runtime purity
- **EvidenceGraph**: `src/__Libraries/_archived/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with sorted `Nodes` (IReadOnlyList<EvidenceNode>) and `Edges` (IReadOnlyList<EvidenceEdge>); `GraphDigest` (content-addressed via `CanonicalJsonSerializer.SerializeWithDigest`); `AddNode(node)` and `AddEdge(edge)` return new immutable instances; nodes and edges sorted for deterministic digest
- **GraphValidation**: `src/__Libraries/_archived/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining `TarjanCycleDetector` (Tarjan's SCC algorithm with `IsCycleCut` edge exclusion) and `DefaultImplicitDataDetector` (detects dangling edges, duplicate IDs); `TarjanCycleDetector` uses index/lowlink tracking, stack-based DFS, reports strongly connected components with >1 node as cycles
- **RuntimePurity**: `src/__Libraries/_archived/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `PureEvaluationContext` with `CreateStrict()` (all prohibited accessors) and `Create(injectedNow, envVars)` (deterministic providers); `ProhibitedTimeProvider`, `ProhibitedNetworkAccessor`, `ProhibitedFileSystemAccessor`, `ProhibitedEnvironmentAccessor` all throw `AmbientAccessViolationException`; `InjectedTimeProvider` and `InjectedEnvironmentAccessor` for deterministic evaluation
- **Source**: Feature matrix scan
## E2E Test Plan
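
Review bot: The new status says "Zero production consumers", while the unchanged description still lists "integration with trust lattice engine". Reconcile the two: either the description should say the integration was never wired up or was removed, or the status should name what replaced it. Unlike the AdvisoryLens doc archived in the same commit, this file gives no test project path, so it is unclear whether the resolver tests were archived as well.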

View File

@@ -1,35 +0,0 @@
# DAG Planner with Critical-Path Metadata
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
DAG-based job planner that computes critical-path metadata for orchestrator execution plans, enabling dependency-aware scheduling and parallel execution of independent job chains.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `DagPlanner` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/DagPlanner.cs`) - computes execution DAGs from job dependency graphs, identifies critical path, and enables parallel scheduling of independent chains
- `DagEdge` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/DagEdge.cs`) - edge model representing dependencies between jobs in the execution DAG
- `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on DAG planner output, respecting dependency ordering
- `JobStateMachine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobStateMachine.cs`) - state machine governing job lifecycle transitions within the DAG execution
- `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with status, dependencies, and scheduling metadata
- `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - enum defining job lifecycle states
- `JobHistory` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobHistory.cs`) - historical record of job state transitions
- `DagEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/DagEndpoints.cs`) - REST API for querying DAG execution plans
- `DagContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/DagContracts.cs`) - API contracts for DAG responses
- **Interfaces**: `IDagEdgeRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IDagEdgeRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create a DAG with 5 jobs (A->B->C, A->D->E) and verify `DagPlanner` identifies A as the root and C/E as leaves
- [ ] Verify critical path computation: the longest dependency chain (A->B->C or A->D->E) is marked as the critical path
- [ ] Schedule the DAG via `JobScheduler` and verify B and D execute in parallel after A completes
- [ ] Add a new dependency (D->C) creating a diamond DAG and verify the critical path updates
- [ ] Query the DAG via `DagEndpoints` and verify the response includes all edges, critical path markers, and parallel groups
- [ ] Create a cyclic DAG (A->B->A) and verify `DagPlanner` rejects it with a cycle detection error
- [ ] Verify DAG metadata: each job node in the `DagContracts` response includes estimated duration and dependency count
- [ ] Schedule a DAG with one failed job and verify `JobStateMachine` marks downstream dependencies as blocked
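
Review bot: This removes the whole DAG planner feature doc (`@@ -1,35 +0,0 @@`), including the test cases for cycle rejection (A->B->A) and for marking downstream jobs blocked after a failure. The JobEngine docs added in the visible part of this commit do not mention `DagPlanner`. If the doc was moved under a JobEngine path, make it a rename so history follows it; if the feature was dropped, the commit message should say so.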

View File

@@ -1,35 +0,0 @@
# Event Fan-Out (SSE/Streaming)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Job and pack-run streaming coordinators with stream payload models for real-time SSE event delivery.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/`
- **Key Classes**:
- `JobStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/JobStreamCoordinator.cs`) - coordinates SSE streaming for job lifecycle events to connected clients
- `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates streaming for pack-run execution events
- `RunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/RunStreamCoordinator.cs`) - coordinates streaming for individual run events
- `SseWriter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/SseWriter.cs`) - writes Server-Sent Events to HTTP response streams
- `StreamOptions` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamOptions.cs`) - configuration for stream connections (heartbeat interval, buffer size, timeout)
- `StreamPayloads` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamPayloads.cs`) - typed payload models for stream events (job progress, pack-run status, log lines)
- `StreamEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE stream subscription
- `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope wrapping domain events for streaming
- `OrchestratorEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete event publisher routing events to stream coordinators
- **Interfaces**: `IEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Subscribe to the job stream via `StreamEndpoints` and trigger a job; verify SSE events are received for each state transition
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify progress events include step index, status, and log lines
- [ ] Verify heartbeat: subscribe to a stream and wait without events; confirm heartbeat events arrive at the `StreamOptions` configured interval
- [ ] Subscribe with two clients to the same job stream and verify both receive identical events (fan-out via `JobStreamCoordinator`)
- [ ] Disconnect a client mid-stream and verify the stream coordinator cleans up the connection without affecting other subscribers
- [ ] Trigger a rapid sequence of events and verify `SseWriter` delivers them in order without drops
- [ ] Verify stream payloads: each event contains a typed payload matching the `StreamPayloads` model
- [ ] Test stream timeout: idle for longer than `StreamOptions.Timeout` and verify the connection closes gracefully
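
Review bot: `PackRunStreamCoordinator` is still listed at its JobEngine path in the Pack-Run Bridge doc added by this commit, but the heartbeat, disconnect cleanup, ordering and `StreamOptions.Timeout` cases appear only in this deleted file. Unless a replacement streaming doc is added elsewhere in the commit, carry those cases over; leaked or never-closing SSE connections are an availability concern worth keeping under test.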

View File

@@ -1,33 +0,0 @@
# Export Job Service
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Export job management with service and domain model for orchestrated export operations.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Services/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/`
- **Key Classes**:
- `ExportJobService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Services/ExportJobService.cs`) - manages export job lifecycle: creation, scheduling, execution tracking, and completion
- `ExportJob` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJob.cs`) - export job entity with status, target, format, and schedule
- `ExportJobPolicy` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJobPolicy.cs`) - policy controlling export permissions and constraints
- `ExportJobTypes` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJobTypes.cs`) - enumeration of supported export types (evidence pack, audit report, snapshot)
- `ExportSchedule` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportSchedule.cs`) - scheduling configuration for recurring exports
- `LedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/LedgerExporter.cs`) - exports audit ledger data for compliance and audit
- `ExportJobEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/ExportJobEndpoints.cs`) - REST API for creating, querying, and managing export jobs
- **Interfaces**: `ILedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/ILedgerExporter.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create an export job via `ExportJobEndpoints` with type=evidence_pack and verify it is persisted with status=Pending
- [ ] Execute the export job via `ExportJobService` and verify status transitions: Pending -> Running -> Completed
- [ ] Verify export policy enforcement: create an export job with a restricted type and verify `ExportJobPolicy` rejects it
- [ ] Schedule a recurring export via `ExportSchedule` and verify the next execution is computed correctly
- [ ] Export audit ledger data via `LedgerExporter` and verify the output contains all entries within the specified time range
- [ ] Create an export job with retention policy and verify completed exports are cleaned up after expiry
- [ ] Query export jobs via `ExportJobEndpoints` with status filter and verify pagination works correctly
- [ ] Test export failure: simulate an export error and verify the job transitions to Failed with error details
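
Review bot: The retention item in the E2E Test Plan ("Create an export job with retention policy and verify completed exports are cleaned up after expiry") has no owner among the listed classes. `ExportJobPolicy` is described only as "permissions and constraints" and `ExportSchedule` only as scheduling for recurring exports, so the plan should name the component that expires completed exports. The policy item also says "a restricted type" without saying which of the `ExportJobTypes` values (evidence pack, audit report, snapshot) is restricted or for which caller; state both so the rejection is reproducible.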

View File

@@ -1,37 +0,0 @@
# Job Lifecycle State Machine
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Job scheduling with Postgres-backed job repository, event envelope domain model, and air-gap compatible scheduling tests.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`
- **Key Classes**:
- `JobStateMachine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobStateMachine.cs`) - finite state machine governing job lifecycle transitions (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled)
- `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on state machine rules and DAG dependencies
- `RetryPolicy` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/RetryPolicy.cs`) - configurable retry policy for failed jobs (max retries, backoff strategy)
- `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with current status, attempts, and metadata
- `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - enum defining all valid job states
- `JobHistory` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobHistory.cs`) - historical record of all state transitions with timestamps
- `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope emitted on state transitions
- `TimelineEvent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
- `TimelineEventEmitter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on state transitions
- `JobEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/JobEndpoints.cs`) - REST API for job management
- `JobContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/JobContracts.cs`) - API contracts for job operations
- **Interfaces**: `IJobRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobRepository.cs`), `IJobHistoryRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobHistoryRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create a job via `JobEndpoints` and verify initial state is Pending
- [ ] Schedule the job via `JobScheduler` and verify state transition: Pending -> Scheduled, with `TimelineEvent` emitted
- [ ] Start the job and verify `JobStateMachine` transition: Scheduled -> Running
- [ ] Complete the job and verify transition: Running -> Completed with completion timestamp in `JobHistory`
- [ ] Fail the job and verify transition: Running -> Failed with retry attempt incremented
- [ ] Verify `RetryPolicy`: fail a job with max_retries=3 and verify it re-enters Scheduled up to 3 times before terminal failure
- [ ] Attempt an invalid transition (e.g., Completed -> Running) and verify `JobStateMachine` rejects it
- [ ] Verify air-gap scheduling: schedule a job in sealed mode and verify it does not attempt network egress
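
Review bot: The transition list on `JobStateMachine` (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled) does not include the edge the `RetryPolicy` item depends on, where a failed job "re-enters Scheduled up to 3 times before terminal failure". The file is removed outright (`-1,37 +0,0`), so wherever this content lands, document whether Failed is terminal and which transition a retry takes; without that, the invalid-transition item (Completed -> Running) has no authoritative table to be checked against. Status reads IMPLEMENTED while every test plan box is unchecked, and that state should be carried over rather than lost with the file.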

View File

@@ -1,36 +0,0 @@
# Network Intent Validator (Air-Gap Orchestrator Controls)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/`
- **Key Classes**:
- `NetworkIntentValidator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/NetworkIntentValidator.cs`) - validates job network intent against air-gap policy, blocking egress requests in sealed mode
- `StalenessValidator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/StalenessValidator.cs`) - validates data freshness in air-gapped environments, ensuring cached data is within acceptable staleness bounds
- `NetworkIntent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/NetworkIntent.cs`) - declares the network intent of a job (egress, ingress, local-only)
- `SealingStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/SealingStatus.cs`) - enum for air-gap sealing state (Sealed, Unsealed, Transitioning)
- `StalenessConfig` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/StalenessConfig.cs`) - configuration for acceptable data staleness in air-gap mode
- `StalenessValidationResult` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/StalenessValidationResult.cs`) - result of staleness validation
- `BundleProvenance` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/BundleProvenance.cs`) - provenance tracking for air-gap bundles
- `MirrorBundle` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorBundle.cs`) - bundle model for offline mirror operations
- `MirrorJobTypes` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorJobTypes.cs`) - types of mirror jobs (sync, verify, prune)
- `MirrorOperationRecorder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorOperationRecorder.cs`) - records mirror operations for audit trail
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Set `SealingStatus` to Sealed and submit a job with egress intent; verify `NetworkIntentValidator` rejects it
- [ ] Set `SealingStatus` to Unsealed and submit a job with egress intent; verify it is allowed
- [ ] Validate staleness: set `StalenessConfig` max staleness to 24 hours and verify data older than 24 hours is rejected by `StalenessValidator`
- [ ] Create a mirror job with type=sync and verify `MirrorOperationRecorder` records the operation
- [ ] Verify bundle provenance: create a `MirrorBundle` and verify `BundleProvenance` captures origin, sync timestamp, and hash
- [ ] Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked
- [ ] Submit a local-only `NetworkIntent` job in sealed mode and verify it is allowed
- [ ] Verify staleness config: set different staleness thresholds per data type in `StalenessConfig` and verify per-type enforcement
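
Review bot: `SealingStatus` is documented with three values (Sealed, Unsealed, Transitioning), but the E2E Test Plan only exercises Sealed and Unsealed. Add an item stating what `NetworkIntentValidator` does with an egress intent while the state is Transitioning, ideally asserting that it is rejected. The in-flight item ("Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked") passes through that state, so its expected result is currently undefined. The file is deleted here (`-1,36 +0,0`), so these air-gap checks need a home in whichever doc replaces it.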

View File

@@ -1,35 +0,0 @@
# Orchestrator Admin Quota Controls (orch:quota, orch:backfill)
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
New `orch:quota` and `orch:backfill` scopes with mandatory reason/ticket fields. Token requests must include `quota_reason`/`backfill_reason` and optionally `quota_ticket`/`backfill_ticket`. Authority persists these as claims and audit properties for traceability of capacity-affecting operations.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota entity with limits, current usage, and allocation metadata
- `BackfillRequest` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/BackfillRequest.cs`) - backfill request model with reason, ticket, and scope
- `BackfillManager` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/BackfillManager.cs`) - manages backfill operations with duplicate suppression and event time window tracking
- `DuplicateSuppressor` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/DuplicateSuppressor.cs`) - prevents duplicate backfill requests within a time window
- `EventTimeWindow` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/EventTimeWindow.cs`) - time window for backfill event deduplication
- `QuotaEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota management (view, adjust, allocate)
- `QuotaContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
- `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry capturing quota/backfill actions with reason and ticket
- `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - resolves tenant context for quota scoping
- **Interfaces**: `IQuotaRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IQuotaRepository.cs`), `IBackfillRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IBackfillRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Request a quota adjustment via `QuotaEndpoints` with `quota_reason` and `quota_ticket`; verify the adjustment is applied and audited in `AuditEntry`
- [ ] Attempt a quota adjustment without `quota_reason` and verify it is rejected with a 400 error
- [ ] Request a backfill via `BackfillManager` with `backfill_reason` and verify the backfill is initiated
- [ ] Submit a duplicate backfill request within the `EventTimeWindow` and verify `DuplicateSuppressor` rejects it
- [ ] Verify audit trail: check the `AuditEntry` for the quota adjustment and confirm reason and ticket are captured
- [ ] Query current quota usage via `QuotaEndpoints` and verify limits and current usage are returned
- [ ] Adjust quota beyond the maximum limit and verify the operation is rejected by policy
- [ ] Verify tenant scoping via `TenantResolver`: adjust quota for tenant A and verify tenant B's quota is unchanged
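
Review bot: The Description makes `backfill_reason` mandatory on the same footing as `quota_reason`, but the test plan has a negative case only for the quota side ("Attempt a quota adjustment without `quota_reason` and verify it is rejected with a 400 error"). Add the matching case for a backfill request with no `backfill_reason`. The Description also places enforcement at Authority on the token request, while the negative test targets `QuotaEndpoints`; say which layer returns the 400 so that a token issued without a reason cannot reach the endpoint untested.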

View File

@@ -1,39 +0,0 @@
# Orchestrator Audit Ledger
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Append-only audit ledger tracking all orchestrator job lifecycle state changes, rate-limit decisions, and dead-letter events with tenant-scoped isolation.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry model with action type, actor, tenant, timestamp, and metadata
- `RunLedger` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/RunLedger.cs`) - run-level ledger tracking execution history
- `SignedManifest` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/SignedManifest.cs`) - signed manifest for tamper-evident ledger export
- `LedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/LedgerExporter.cs`) - exports ledger data for compliance and audit
- `AuditEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying audit ledger entries
- `LedgerEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/LedgerEndpoints.cs`) - REST API for ledger export and querying
- `AuditLedgerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts for audit responses
- `DeadLetterEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/DeadLetterEntry.cs`) - dead-letter entry in the audit trail
- `DeadLetterNotifier` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/DeadLetterNotifier.cs`) - notifies on dead-letter events
- `ErrorClassification` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/ErrorClassification.cs`) - classifies errors for dead-letter categorization
- `ReplayManager` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/ReplayManager.cs`) - manages replay of dead-letter entries
- `DeadLetterEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/DeadLetterEndpoints.cs`) - REST API for dead-letter management
- `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - ensures tenant-scoped audit isolation
- **Interfaces**: `ILedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/ILedgerExporter.cs`), `IAuditRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IAuditRepository.cs`), `IDeadLetterRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/IDeadLetterRepository.cs`), `ILedgerRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/ILedgerRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Trigger a job state transition and verify an `AuditEntry` is created in the ledger with action type, actor, and timestamp
- [ ] Query the audit ledger via `AuditEndpoints` with a time range filter and verify only matching entries are returned
- [ ] Verify tenant isolation via `TenantResolver`: create audit entries for two tenants and verify each tenant only sees their own entries
- [ ] Trigger a dead-letter event and verify it appears in both the `DeadLetterEntry` store and the audit ledger
- [ ] Export the audit ledger via `LedgerExporter` and verify the export contains all entries within the specified range
- [ ] Replay a dead-letter entry via `ReplayManager` and verify the replay action is also audited
- [ ] Verify `ErrorClassification` categorizes different error types correctly (transient, permanent, unknown)
- [ ] Query dead-letter entries via `DeadLetterEndpoints` and verify pagination and filtering work
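
Review bot: The Description promises an append-only ledger that also records rate-limit decisions, yet no item in the E2E Test Plan attempts to modify or delete an existing `AuditEntry`, none covers a rate-limit decision, and `SignedManifest` ("signed manifest for tamper-evident ledger export") is never verified. The export item only checks that "the export contains all entries within the specified range". Add those three checks before this plan is folded into another doc, since the file is removed here (`-1,39 +0,0`).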

View File

@@ -1,40 +0,0 @@
# Orchestrator Event Envelopes with SSE/WebSocket Streaming
## Module
Orchestrator
## Status
IMPLEMENTED
## Description
Typed event envelope system with SSE and WebSocket streaming for real-time orchestrator job progress, enabling live UI updates and CLI monitoring of pack-run execution.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/`
- **Key Classes**:
- `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope with event type, payload, timestamp, and correlation ID
- `EventEnvelope` (legacy) (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/EventEnvelope.cs`) - legacy event envelope model
- `TimelineEvent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
- `TimelineEventEmitter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on domain actions
- `OrchestratorEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete publisher routing events to stream coordinators
- `EventEnvelopeHasher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/EventEnvelopeHasher.cs`) - hashes event envelopes for integrity verification
- `CanonicalJsonHasher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/CanonicalJsonHasher.cs`) - canonical JSON hashing for deterministic event hashes
- `SseWriter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/SseWriter.cs`) - Server-Sent Events writer
- `JobStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/JobStreamCoordinator.cs`) - job event stream coordinator
- `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - pack-run stream coordinator
- `RunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/RunStreamCoordinator.cs`) - run-level stream coordinator
- `StreamEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE subscriptions
- `StreamOptions` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamOptions.cs`) - stream configuration
- `StreamPayloads` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamPayloads.cs`) - typed event payloads
- **Interfaces**: `IEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Create an `EventEnvelope` with type=job_completed and payload; verify it is hashed via `EventEnvelopeHasher` and the hash is deterministic
- [ ] Publish an event via `OrchestratorEventPublisher` and verify it reaches the `JobStreamCoordinator`
- [ ] Subscribe to SSE via `StreamEndpoints` and verify events arrive as formatted SSE messages (data: + newline)
- [ ] Verify canonical hashing: create two identical events and verify `CanonicalJsonHasher` produces identical hashes
- [ ] Subscribe to pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify real-time progress events include step index and status
- [ ] Verify `StreamOptions`: configure heartbeat interval and verify heartbeats arrive at the configured cadence
- [ ] Publish 100 events rapidly and verify `SseWriter` delivers all of them in order
- [ ] Verify event envelope correlation: publish events with the same correlation ID and verify they can be filtered by correlation
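
Review bot: The title and Description claim SSE and WebSocket streaming, but the class list contains only `SseWriter` and `StreamEndpoints` ("REST endpoints for SSE subscriptions"), and every streaming item in the test plan is SSE. Either name the WebSocket component and add a test for it, or drop WebSocket from the title. Two `EventEnvelope` types are listed (the one under `Domain/Events/` and the legacy one under `Core/`), and the hashing items do not say which of them `EventEnvelopeHasher` covers; state it, since a deterministic-hash check against the wrong type proves nothing about integrity.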

View File

@@ -1,44 +0,0 @@
# Orchestrator Golden Signals Observability
## Module
Orchestrator
## Status
VERIFIED
## Description
Built-in golden signal metrics (latency, traffic, errors, saturation) for orchestrator job execution, with timeline event emission and job capsule provenance tracking.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`
- **Key Classes**:
- `OrchestratorGoldenSignals` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - golden signal metrics: latency (p50/p95/p99), traffic (requests/sec), errors (error rate), saturation (queue depth, CPU, memory)
- `OrchestratorMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorMetrics.cs`) - OpenTelemetry metrics registration for orchestrator operations
- `IncidentModeHooks` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Observability/IncidentModeHooks.cs`) - hooks triggered when golden signals breach thresholds, activating incident mode
- `JobAttestationService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobAttestationService.cs`) - generates attestations for job execution with provenance data
- `JobAttestation` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobAttestation.cs`) - attestation model for a completed job
- `JobCapsule` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobCapsule.cs`) - capsule containing job execution evidence (inputs, outputs, metrics)
- `JobCapsuleGenerator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobCapsuleGenerator.cs`) - generates job capsules from execution data
- `JobRedactionGuard` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobRedactionGuard.cs`) - redacts sensitive data from job capsules before attestation
- `SnapshotHook` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/SnapshotHook.cs`) - hook capturing execution state snapshots at key points
- `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics for auto-scaling decisions
- `KpiEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/KpiEndpoints.cs`) - REST endpoints for KPI/metrics queries
- `HealthEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/HealthEndpoints.cs`) - health check endpoints
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Execute a job and verify `OrchestratorGoldenSignals` records latency, traffic, and error metrics
- [ ] Verify golden signal latency: execute 10 jobs with varying durations and verify p50/p95/p99 percentiles are computed correctly
- [ ] Trigger an error threshold breach and verify `IncidentModeHooks` activates incident mode
- [ ] Generate a `JobCapsule` via `JobCapsuleGenerator` and verify it contains job inputs, outputs, and execution metrics
- [ ] Verify redaction: include sensitive data in job inputs and verify `JobRedactionGuard` removes it from the capsule
- [ ] Generate a `JobAttestation` via `JobAttestationService` and verify it contains the capsule hash and provenance data
- [ ] Query KPI metrics via `KpiEndpoints` and verify golden signal data is returned
- [ ] Verify `HealthEndpoints` report healthy when golden signals are within thresholds
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-golden-signals-observability/run-002/tier2-integration-check.json`
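
Review bot: The Verification section marks this VERIFIED on `run-002` with 1292/1292 tests, but all eight E2E Test Plan boxes are unchecked, so the record does not show which items the Tier 2d check covered, in particular the `JobRedactionGuard` item. `IncidentModeHooks` is listed under `StellaOps.Orchestrator.Core/Observability/`, which is not among the three directories named in Modules. Since the file is deleted (`-1,44 +0,0`), confirm that the evidence path under `docs/qa/feature-checks/runs/orchestrator/` is still referenced from wherever the feature is now documented.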

View File

@@ -1,39 +0,0 @@
# Orchestrator Operator Scope with Audit Metadata
## Module
Orchestrator
## Status
VERIFIED
## Description
New `orch:operate` scope and `Orch.Operator` role requiring explicit `operator_reason` and `operator_ticket` parameters on token requests. Authority enforces these fields and captures them as audit properties, giving SecOps traceability for every orchestrator control action.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry capturing operator actions with reason and ticket metadata
- `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - resolves tenant and operator context from token claims
- `AuditEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying operator audit trail
- `AuditLedgerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts including operator metadata
- `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota model with operator attribution
- `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job model with operator tracking
- `DeprecationHeaders` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/DeprecationHeaders.cs`) - deprecation header support for versioned operator APIs
- **Interfaces**: `IAuditRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IAuditRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Request a token with `orch:operate` scope, `operator_reason="maintenance"`, and `operator_ticket="TICKET-123"`; verify the token is issued
- [ ] Perform an operator action (e.g., cancel a job) with the scoped token; verify an `AuditEntry` captures the operator_reason and operator_ticket
- [ ] Attempt an operator action without `operator_reason` and verify it is rejected with a 400 error
- [ ] Query the audit trail via `AuditEndpoints` and filter by operator_ticket; verify matching entries are returned
- [ ] Verify operator scope enforcement: use a token without `orch:operate` scope and verify operator actions are forbidden (403)
- [ ] Perform multiple operator actions and verify each generates a separate `AuditEntry` with correct metadata
- [ ] Verify tenant scoping via `TenantResolver`: operator actions for tenant A are not visible in tenant B's audit trail
- [ ] Verify audit entry immutability: attempt to modify an existing `AuditEntry` and verify it is rejected
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-operator-scope-with-audit-metadata/run-002/tier2-integration-check.json`
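
Review bot: The Description requires both `operator_reason` and `operator_ticket` and says Authority enforces them on token requests, but the only negative test omits `operator_reason` on an operator action and expects a 400. Add a case for a missing `operator_ticket`, and place both negative cases at the token request, where the Description says enforcement happens. The immutability item ("attempt to modify an existing `AuditEntry` and verify it is rejected") does not say through which interface the modification is attempted; `AuditEndpoints` is described as a query API, so name the path under test.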

View File

@@ -1,46 +0,0 @@
# Orchestrator Worker SDKs (Go and Python)
## Module
Orchestrator
## Status
VERIFIED
## Description
Multi-language Worker SDKs enabling external workers to participate in orchestrator job execution via Go and Python clients, with examples and structured API packages.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `client.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/client.go`) - Go SDK client for worker communication
- `config.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/config.go`) - Go SDK configuration
- `artifact.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/artifact.go`) - artifact handling in Go SDK
- `backfill.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/backfill.go`) - backfill support in Go SDK
- `retry.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/retry.go`) - retry logic in Go SDK
- `errors.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/errors.go`) - error types in Go SDK
- `transport.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/internal/transport/transport.go`) - HTTP transport layer for Go SDK
- `main.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/examples/smoke/main.go`) - smoke test example worker
- `client.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/client.py`) - Python SDK client
- `config.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/config.py`) - Python SDK configuration
- `backfill.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/backfill.py`) - Python backfill support
- `WorkerEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/WorkerEndpoints.cs`) - REST API for worker registration and job assignment
- `WorkerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/WorkerContracts.cs`) - API contracts for worker communication
- `Worker` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs`) - .NET worker implementation
- **Interfaces**: None (SDK clients are standalone)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Register a Go worker via `WorkerEndpoints` and verify it receives a job assignment
- [ ] Execute a job with the Go worker SDK `client.go` and verify results are reported back via the API
- [ ] Register a Python worker via `client.py` and verify it receives a job assignment
- [ ] Verify Go SDK retry: configure `retry.go` policy and simulate a transient failure; verify the SDK retries and succeeds
- [ ] Verify artifact handling: upload an artifact via `artifact.go` and verify it is persisted
- [ ] Verify backfill: trigger a backfill via `backfill.py` and verify it processes historical events
- [ ] Verify Go SDK error types: trigger different error conditions and verify `errors.go` returns appropriate error types
- [ ] Run the Go smoke test example `main.go` and verify it completes successfully against the orchestrator API
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk (Go SDK, Python SDK, .NET endpoints).
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-worker-sdks/run-002/tier2-integration-check.json`
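
Review bot: The Python SDK is listed with only `client.py`, `config.py` and `backfill.py`, while the Go SDK also has `retry.go`, `errors.go` and `artifact.go`, and the test plan follows the same split: retry, error types and artifact upload are exercised for Go only. State whether the Python client is expected to retry and upload artifacts, then add the matching items or record the gap. No item covers how a worker authenticates to `WorkerEndpoints` before it "receives a job assignment"; add one in which an unauthenticated registration is expected to fail.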

View File

@@ -1,43 +0,0 @@
# Pack-Run Bridge (TaskRunner Integration)
## Module
Orchestrator
## Status
VERIFIED
## Description
Pack-run integration with Postgres repository, API endpoints, stream coordinator for log/artifact streaming, and domain model.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
- `Pack` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Pack.cs`) - pack entity containing a set of jobs to execute as a unit
- `PackRun` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/PackRun.cs`) - pack-run entity tracking execution of a pack instance
- `PackRunLog` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/PackRunLog.cs`) - log entries for pack-run execution
- `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates real-time streaming of pack-run logs and artifacts
- `PackRunEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/PackRunEndpoints.cs`) - REST API for creating, querying, and managing pack runs
- `PackRegistryEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/PackRegistryEndpoints.cs`) - REST API for pack registration and versioning
- `PackRunContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/PackRunContracts.cs`) - API contracts for pack-run operations
- `PackRegistryContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/PackRegistryContracts.cs`) - API contracts for pack registry
- `Run` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Run.cs`) - individual run within a pack execution
- `RunEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/RunEndpoints.cs`) - REST API for run management
- `RunContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/RunContracts.cs`) - API contracts for run operations
- **Interfaces**: `IPackRunRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IPackRunRepository.cs`), `IPackRegistryRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IPackRegistryRepository.cs`), `IRunRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IRunRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Register a pack via `PackRegistryEndpoints` with 3 jobs and verify it is persisted with version 1
- [ ] Create a pack run via `PackRunEndpoints` and verify it starts executing the pack's jobs
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and verify real-time log entries arrive as jobs execute
- [ ] Verify pack-run completion: all 3 jobs complete and the `PackRun` transitions to Completed
- [ ] Verify pack versioning: update a pack and verify `PackRegistryEndpoints` creates version 2 while preserving version 1
- [ ] Query `PackRunLog` entries via the API and verify all log entries are returned in chronological order
- [ ] Fail one job in a pack run and verify the pack run reports partial failure
- [ ] Create multiple pack runs concurrently and verify they execute independently
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/pack-run-bridge/run-002/tier2-integration-check.json`

View File

@@ -1,43 +0,0 @@
# Quota Governance and Circuit Breakers
## Module
Orchestrator
## Status
VERIFIED
## Description
Quota governance services with cross-tenant allocation policies and circuit breaker automation for downstream service failure protection, integrated with rate limiting and load shedding.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/`
- **Key Classes**:
- `QuotaGovernanceService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Services/QuotaGovernanceService.cs`) - cross-tenant quota allocation with 5 strategies (unlimited, proportional, priority, reserved, max-limit)
- `CircuitBreakerService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Services/CircuitBreakerService.cs`) - circuit breaker with Closed/Open/HalfOpen state transitions
- `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota entity with limits and allocation
- `QuotaEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota queries and adjustments
- `QuotaContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
- `Throttle` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Throttle.cs`) - throttle configuration for rate limiting
- `AdaptiveRateLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/AdaptiveRateLimiter.cs`) - adaptive rate limiting based on system load
- `ConcurrencyLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job execution
- `BackpressureHandler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/BackpressureHandler.cs`) - backpressure signaling
- `LoadShedder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/LoadShedder.cs`) - load shedding under saturation
- `PostgresQuotaRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Postgres/PostgresQuotaRepository.cs`) - Postgres-backed quota storage
- `PostgresThrottleRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Postgres/PostgresThrottleRepository.cs`) - Postgres-backed throttle storage
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Configure a quota policy with proportional allocation and verify QuotaGovernanceService distributes capacity across tenants
- [ ] Request quota above max limit and verify the request is capped
- [ ] Pause a tenant and verify quota requests are denied
- [ ] Trigger circuit breaker by exceeding failure threshold and verify downstream requests are blocked
- [ ] Verify circuit breaker recovery: wait for timeout, verify HalfOpen state, send success to close
- [ ] Force-open and force-close the circuit breaker and verify state changes
- [ ] Test concurrent access to circuit breaker and verify thread safety
- [ ] Verify all 5 allocation strategies produce correct quota distributions
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/quota-governance-and-circuit-breakers/run-002/tier2-integration-check.json`
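Review bot: The whole dossier is removed here (`@@ -1,43 +0,0 @@`), including the Verification block that points at `docs/qa/feature-checks/runs/orchestrator/quota-governance-and-circuit-breakers/run-002/tier2-integration-check.json`. Nothing in this hunk shows where the quota and circuit-breaker checklist now lives, so the cross-tenant allocation and breaker state-transition checks lose their recorded evidence link. If the file moved as part of the Orchestrator to JobEngine rename, record it as a rename and carry the original `run-002` evidence path into the new copy rather than dropping it.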

View File

@@ -1,42 +0,0 @@
# SKIP LOCKED Queue Pattern
## Module
Orchestrator
## Status
VERIFIED
## Description
SKIP LOCKED queue pattern is used in Scheduler and Orchestrator job repositories for reliable work distribution.
## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`
- **Key Classes**:
- `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - job scheduler using PostgreSQL `SELECT ... FOR UPDATE SKIP LOCKED` for concurrent job dequeuing without contention
- `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with status field used for queue filtering
- `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - job states used in queue queries (Pending jobs are available for dequeuing)
- `Watermark` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Watermark.cs`) - watermark tracking for ordered processing
- `AdaptiveRateLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/AdaptiveRateLimiter.cs`) - rate limiter that adjusts based on queue depth and processing speed
- `ConcurrencyLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job processing
- `TokenBucket` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/TokenBucket.cs`) - token bucket rate limiter for smooth job distribution
- `BackpressureHandler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/BackpressureHandler.cs`) - applies backpressure when queue depth exceeds thresholds
- `LoadShedder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/LoadShedder.cs`) - sheds load when system is saturated
- `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics for monitoring queue depth and throughput
- **Interfaces**: `IJobRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobRepository.cs`), `IWatermarkRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IWatermarkRepository.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Enqueue 10 jobs and dequeue from 3 concurrent workers using SKIP LOCKED via `JobScheduler`; verify each job is assigned to exactly one worker
- [ ] Verify no contention: dequeue rapidly from 5 workers and verify no blocking or deadlocks occur
- [ ] Verify job visibility: a job locked by worker A is not visible to worker B during dequeue
- [ ] Complete a locked job and verify it is no longer in the queue
- [ ] Verify `AdaptiveRateLimiter`: increase queue depth and verify the rate limiter increases throughput
- [ ] Verify `BackpressureHandler`: fill the queue beyond the threshold and verify backpressure is signaled to producers
- [ ] Verify `LoadShedder`: saturate the system and verify new jobs are rejected with a 503 response
- [ ] Test `TokenBucket`: configure a rate of 10 jobs/second and verify the bucket enforces the limit
## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/skip-locked-queue-pattern/run-002/tier2-integration-check.json`

View File

@@ -7,7 +7,7 @@ ReleaseOrchestrator
VERIFIED
## Description
The pivot from vulnerability scanning platform to release control plane is reflected in the implemented ReleaseOrchestrator module with promotions, deployments, and environment management.
The pivot from vulnerability scanning platform to release control plane is reflected in the implemented ReleaseJobEngine module with promotions, deployments, and environment management.
## Implementation Details
- **Modules**: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Release/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Promotion/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Deployment/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/`
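Review bot: The Description line now says `ReleaseJobEngine module`, but the hunk header still shows the module as `ReleaseOrchestrator`, and the Implementation Details line below it lists `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Release/` unchanged. The ledger added in this commit describes Sprint 221 as renaming Orchestrator to JobEngine, not ReleaseOrchestrator, so this looks like a substring replace that caught the wrong module. Revert the description to `ReleaseOrchestrator`, or rename the module and its paths in the same change so that the document agrees with itself.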

View File

@@ -21,7 +21,7 @@ Dead-letter queue browser with message inspection, replay workflows (single/batc
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to `/ops/orchestrator/dead-letter`
- [ ] Navigate to `/ops/jobengine/dead-letter`
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the list/table loads with paginated data

View File

@@ -48,4 +48,4 @@ Deployment detail page with workflow DAG visualization showing deployment step e
- Date (UTC): 2026-02-11T10:08:09Z
- Status: PASSED (strict Tier 2 UI replay)
- Tier 2 evidence: docs/qa/feature-checks/runs/web/deployment-detail-with-workflow-dag-visualization/run-004/tier2-ui-check.json
- Notes: Verified via /release-orchestrator/deployments/dep-001 workflow DAG node rendering and selection checks.
- Notes: Verified via /release-jobengine/deployments/dep-001 workflow DAG node rendering and selection checks.
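Review bot: The Notes line edits a dated verification record (2026-02-11T10:08:09Z, run-004) so that it now states the check ran against `/release-jobengine/deployments/dep-001`. The run predates this commit, and the evidence file `run-004/tier2-ui-check.json` is not touched in this hunk, so the note may no longer match what the evidence captured. Keep the original route in the historical note, and add a new run entry if the renamed route has been re-verified.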

View File

@@ -11,16 +11,16 @@ Pipeline runs list and detail routes provide a run-centric view across stage pro
## What's Implemented
- **Existing components**:
- `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts`)
- `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts`)
- `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/promotion-request/promotion-request.component.ts`)
- `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/active-deployments/active-deployments.component.ts`)
- `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pending-approvals/pending-approvals.component.ts`)
- `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
- `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/recent-releases/recent-releases.component.ts`)
- `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.component.ts`)
- `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-list/deployment-list.component.ts`)
- `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-monitor/deployment-monitor.component.ts`)
- `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-detail/approval-detail.component.ts`)
- `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-queue/approval-queue.component.ts`)
- `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/promotion-request/promotion-request.component.ts`)
- `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/active-deployments/active-deployments.component.ts`)
- `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pending-approvals/pending-approvals.component.ts`)
- `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
- `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/recent-releases/recent-releases.component.ts`)
- `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.ts`)
- `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-list/deployment-list.component.ts`)
- `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-monitor/deployment-monitor.component.ts`)
- **Existing routes**: `approvals.routes.ts`, `dashboard.routes.ts`, `deployments.routes.ts`, `environments.routes.ts`, `evidence.routes.ts`, `releases.routes.ts`, `workflows.routes.ts`
## E2E Test Plan

View File

@@ -10,24 +10,24 @@ VERIFIED
Full dashboard UI for Release Orchestrator showing pipeline overview, pending approvals, active deployments, and recent releases with real-time SignalR updates.
## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/`
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-jobengine/`
- **Routes**: `approvals.routes.ts`, `dashboard.routes.ts`, `deployments.routes.ts`, `environments.routes.ts`, `evidence.routes.ts`, `releases.routes.ts`, `workflows.routes.ts`
- **Components**:
- `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts`)
- `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts`)
- `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/promotion-request/promotion-request.component.ts`)
- `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/active-deployments/active-deployments.component.ts`)
- `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pending-approvals/pending-approvals.component.ts`)
- `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
- `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/recent-releases/recent-releases.component.ts`)
- `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.component.ts`)
- `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-list/deployment-list.component.ts`)
- `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-monitor/deployment-monitor.component.ts`)
- `environment-settings` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/environment-settings/environment-settings.component.ts`)
- `freeze-window-editor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/freeze-window-editor/freeze-window-editor.component.ts`)
- `target-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/target-list/target-list.component.ts`)
- `environment-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/environment-detail/environment-detail.component.ts`)
- `environment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/environment-list/environment-list.component.ts`)
- `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-detail/approval-detail.component.ts`)
- `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-queue/approval-queue.component.ts`)
- `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/promotion-request/promotion-request.component.ts`)
- `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/active-deployments/active-deployments.component.ts`)
- `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pending-approvals/pending-approvals.component.ts`)
- `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
- `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/recent-releases/recent-releases.component.ts`)
- `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.ts`)
- `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-list/deployment-list.component.ts`)
- `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-monitor/deployment-monitor.component.ts`)
- `environment-settings` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/environment-settings/environment-settings.component.ts`)
- `freeze-window-editor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/freeze-window-editor/freeze-window-editor.component.ts`)
- `target-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/target-list/target-list.component.ts`)
- `environment-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/environment-detail/environment-detail.component.ts`)
- `environment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/environment-list/environment-list.component.ts`)
- ... and 7 more components
- **Source**: SPRINT_20260110_111_001_FE_dashboard_overview.md

View File

@@ -22,7 +22,7 @@ SLO health dashboard with multi-window burn rate calculation (1h/6h/24h/72h Goog
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to `/ops/orchestrator/slo`
- [ ] Navigate to `/ops/jobengine/slo`
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the component renders correctly with sample data

View File

@@ -13,7 +13,7 @@ First signal event UI is implemented with a dedicated store, typed models, and c
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/runs/`
- **Components**:
- `first-signal-card` (`src/Web/StellaOps.Web/src/app/features/runs/components/first-signal-card/first-signal-card.component.ts`)
- Run detail integration (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/runs/pipeline-run-detail.component.ts`)
- Run detail integration (`src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/pipeline-run-detail.component.ts`)
- Console status integration (`src/Web/StellaOps.Web/src/app/features/console/console-status.component.html`)
- **Services**:
- `first-signal-prefetch` (`src/Web/StellaOps.Web/src/app/features/runs/services/first-signal-prefetch.service.ts`)

View File

@@ -10,25 +10,25 @@ VERIFIED
Visual DAG-based workflow editor for release workflows with a drag/drop step palette, editable step configuration panel, dependency wiring on canvas connectors, and a YAML-mode representation.
## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/`
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/`
- **Routes**:
- `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflows.routes.ts`
- mounted from `src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.routes.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflows.routes.ts`
- mounted from `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.routes.ts`
- **Components**:
- `workflow-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow-list/workflow-list.component.ts`)
- `workflow-editor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow-editor/workflow-editor.component.ts`)
- `workflow-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow-list/workflow-list.component.ts`)
- `workflow-editor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow-editor/workflow-editor.component.ts`)
- **Store/API models**:
- `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow.store.ts`
- `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow.store.ts`
- `src/Web/StellaOps.Web/src/app/core/api/workflow.client.ts`
- `src/Web/StellaOps.Web/src/app/core/api/workflow.models.ts`
- **Behavior coverage**:
- `src/Web/StellaOps.Web/src/tests/release_orchestrator/visual-workflow-editor.behavior.spec.ts`
- `src/Web/StellaOps.Web/src/tests/release_jobengine/visual-workflow-editor.behavior.spec.ts`
- **Source**: `SPRINT_20260110_111_004_FE_workflow_editor`
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to `/release-orchestrator/workflows/:id`
- [ ] Navigate to `/release-jobengine/workflows/:id`
- [ ] Ensure workflow fixture data exists (mock or backend-provided)
- **Core verification**:
- [ ] Verify palette/canvas/config-panel surfaces load
@@ -43,6 +43,6 @@ Visual DAG-based workflow editor for release workflows with a drag/drop step pal
## Verification
- Run ID: `docs/qa/feature-checks/runs/web/visual-workflow-editor/run-001/`
- Date (UTC): 2026-02-11
- Tier 0: PASS (active route/component/store paths verified; stale dossier reference corrected from `workflow-visualization` to `release-orchestrator/workflows`).
- Tier 0: PASS (active route/component/store paths verified; stale dossier reference corrected from `workflow-visualization` to `release-jobengine/workflows`).
- Tier 1: PASS (`npm run test` focused + release-orchestrator regression include suite passed; `npm run build` passed with baseline workspace warnings only).
- Tier 2: PASS (workflow editor behavior harness verified palette/canvas/config rendering, YAML mode interaction, dependency validation semantics, and deterministic step-id generation).
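Review bot: The Tier 0 line now reads `release-jobengine/workflows`, while the Tier 1 line directly below still says `release-orchestrator regression include suite passed`, so one verification record names the feature two ways. The Tier 0 text also describes a correction made during run-001 on 2026-02-11, so rewriting its target changes what that run is recorded as having checked. Either leave both lines as originally recorded, or update them together and state that the paths were renamed after the run.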

View File

@@ -0,0 +1,110 @@
# Consolidation Decision Ledger
> **Last updated:** 2026-03-04
> **Owner:** Sprint 218 (DOCS: Consolidation Decision Finalization)
> **Wave:** Microservices Consolidation Wave 1 (Feb-Mar 2026)
This document records the final outcome of every consolidation sprint in the first consolidation wave. Each sprint was evaluated for source-level consolidation (moving source directories under a parent module) and schema-level consolidation (merging DbContexts). In all cases where consolidation proceeded, only source consolidation was executed; schema merges were rejected to preserve security boundaries and avoid blast-radius expansion.
---
## Outcome Legend
| Outcome | Meaning |
|---------|---------|
| **Proceed (done)** | Source consolidation completed. Code moved under parent module. |
| **Boundary-preserved** | Evaluated and deliberately kept as separate modules. No consolidation. |
| **Deferred** | Consolidation approved in principle but deferred to a future wave. |
| **Canceled** | Consolidation evaluated and rejected. Will not proceed. |
| **No-op** | Not applicable to the consolidation wave. |
| **Completed separately** | Work done outside the consolidation wave. |
---
## Complete Outcome Table
| Sprint | ID | Description | Outcome | Sprint File |
|--------|----|-------------|---------|-------------|
| Gateway deletion | 200 | Delete `src/Gateway/`; Router is canonical | **Proceed (done)** | [`SPRINT_20260225_200_Platform_gateway_deletion.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_200_Platform_gateway_deletion.md) |
| Scanner absorb Cartographer | 201 | Move Cartographer under Scanner | **Proceed (done)** | [`SPRINT_20260225_201_Scanner_absorb_cartographer.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_201_Scanner_absorb_cartographer.md) |
| BinaryIndex absorb Symbols | 202 | Move Symbols under BinaryIndex | **Proceed (done)** | [`SPRINT_20260225_202_BinaryIndex_absorb_symbols.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_202_BinaryIndex_absorb_symbols.md) |
| Concelier absorb Feedser/Excititor | 203 | Move Feedser and Excititor under Concelier | **Proceed (done)** | [`SPRINT_20260225_203_Concelier_absorb_feedser_excititor.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_203_Concelier_absorb_feedser_excititor.md) |
| Attestor absorb Signer/Provenance | 204 | Move Signer and Provenance under Attestor | **Proceed (done)** | [`SPRINT_20260225_204_Attestor_absorb_signer_provenance.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_204_Attestor_absorb_signer_provenance.md) |
| VEX consolidation (VexHub/VexLens) | 205 | Consolidate VexHub and VexLens | **Deferred** -- future wave | _(no sprint file; deferred before sprint creation)_ |
| Policy/Unknowns boundary | 206 | Evaluate Policy absorbing Unknowns | **Boundary-preserved** | [`SPRINT_20260225_206_Policy_absorb_unknowns.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_206_Policy_absorb_unknowns.md) |
| Findings absorb RiskEngine/VulnExplorer | 207 | Move RiskEngine and VulnExplorer under Findings | **Proceed (done)** | [`SPRINT_20260225_207_Findings_absorb_riskengine_vulnexplorer.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_207_Findings_absorb_riskengine_vulnexplorer.md) |
| Orchestrator absorb Scheduler/TaskRunner/PacksRegistry | 208 | Move Scheduler, TaskRunner, PacksRegistry under Orchestrator | **Proceed (done)** | [`SPRINT_20260225_208_Orchestrator_absorb_scheduler_taskrunner_packsregistry.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_208_Orchestrator_absorb_scheduler_taskrunner_packsregistry.md) |
| Notify/Notifier boundary | 209 | Evaluate Notify absorbing Notifier | **Boundary-preserved** | [`SPRINT_20260225_209_Notify_absorb_notifier.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_209_Notify_absorb_notifier.md) |
| Timeline absorb TimelineIndexer | 210 | Move TimelineIndexer under Timeline | **Proceed (done)** | [`SPRINT_20260225_210_Timeline_absorb_timelineindexer.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_210_Timeline_absorb_timelineindexer.md) |
| ExportCenter/AirGap boundary | 211 | Evaluate ExportCenter absorbing Mirror and AirGap | **Boundary-preserved** | [`SPRINT_20260225_211_ExportCenter_absorb_mirror_airgap.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_211_ExportCenter_absorb_mirror_airgap.md) |
| Tools absorb Bench/Verifier/Sdk/DevPortal | 212 | Move Bench, Verifier, Sdk, DevPortal under Tools | **Proceed (done)** | [`SPRINT_20260225_212_Tools_absorb_bench_verifier_sdk_devportal.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_212_Tools_absorb_bench_verifier_sdk_devportal.md) |
| AdvisoryAI absorb OpsMemory | 213 | Move OpsMemory under AdvisoryAI | **Proceed (done)** | [`SPRINT_20260225_213_AdvisoryAI_absorb_opsmemory.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_213_AdvisoryAI_absorb_opsmemory.md) |
| Integrations absorb Extensions | 214 | Move Extensions under Integrations | **Proceed (done)** | [`SPRINT_20260225_214_Integrations_absorb_extensions.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_214_Integrations_absorb_extensions.md) |
| SmRemote standalone | 215 | SmRemote standalone evaluation | **No-op** in consolidation wave | _(no sprint file; SmRemote remains standalone)_ |
| Authority absorb IssuerDirectory | 216 | Move IssuerDirectory under Authority | **Proceed (done)** | [`SPRINT_20260225_216_Authority_absorb_issuerdirectory.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_216_Authority_absorb_issuerdirectory.md) |
| Orphan library cleanup | 217 | Archive AdvisoryLens and Resolver | **Proceed (done)** | [`SPRINT_20260225_217_Platform_orphan_library_cleanup.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_217_Platform_orphan_library_cleanup.md) |
| Consolidation docs finalization | 218 | Final documentation sweep | **Proceed (done)** | [`SPRINT_20260225_218_DOCS_consolidation_final_update.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_218_DOCS_consolidation_final_update.md) |
| EF compiled model generation | 219 | EF compiled model pre-requisite | **Completed separately** | _(completed outside consolidation wave)_ |
| SbomService absorption | 220 | Evaluate SbomService merge | **Canceled** -- decision not to merge | _(canceled before sprint creation)_ |
| Orchestrator domain rename | 221 | Rename Orchestrator to JobEngine | **Proceed (done)** | [`SPRINT_20260225_221_Orchestrator_domain_rename.md`](../../docs-archived/implplan/2026-03-04-completed-sprints/SPRINT_20260225_221_Orchestrator_domain_rename.md) |
---
## Schema Merge Decisions (All Rejected)
Every consolidation sprint evaluated whether DbContexts should be merged in addition to source consolidation. In all cases, schema merges were **rejected**. The common rationale: merging DbContexts widens the blast radius of credential compromise and couples unrelated write patterns.
| Domain | Decision | Rationale |
|--------|----------|-----------|
| Orchestrator + Scheduler | No merge | `OrchestratorDbContext` (39 entities) and `SchedulerDbContext` (11 entities) have `Jobs`/`JobHistory` name collisions with incompatible semantics. |
| Authority + IssuerDirectory | No merge | `AuthorityDbContext` manages passwords, MFA, tokens. Merging would expose authentication internals to issuer metadata code paths. |
| Concelier + Excititor + Feedser | No merge | Three DbContexts (49 entities, 5 schemas) have distinct write lifecycles. Schema isolation is a feature. |
| Attestor + Signer | No merge | Security boundary between key material and attestation evidence is deliberate. |
| Policy + Unknowns | No merge | `UnknownsDbContext` retains independent schema ownership. Boundary preserved. |
| ExportCenter + AirGap | No merge | AirGap has 14+ external consumers vs ExportCenter's 2. Asymmetric coupling makes merge a poor tradeoff. |
| SbomService | Canceled | Decision not to merge SbomService into any other module. |
---
## Post-Consolidation Module Layout
After all consolidation sprints, the canonical module layout is:
| Module | Source Path | Notes |
|--------|------------|-------|
| Authority | `src/Authority/` | Now includes IssuerDirectory (Sprint 216) |
| Scanner | `src/Scanner/` | Now includes Cartographer (Sprint 201) |
| BinaryIndex | `src/BinaryIndex/` | Now includes Symbols (Sprint 202) |
| Concelier | `src/Concelier/` | Now includes Feedser and Excititor (Sprint 203) |
| Attestor | `src/Attestor/` | Now includes Signer and Provenance (Sprint 204) |
| Findings | `src/Findings/` | Now includes RiskEngine and VulnExplorer (Sprint 207) |
| JobEngine | `src/JobEngine/` | Now includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221) |
| Timeline | `src/Timeline/` | Now includes TimelineIndexer (Sprint 210) |
| Tools | `src/Tools/` | Now includes Bench, Verifier, Sdk, DevPortal (Sprint 212) |
| AdvisoryAI | `src/AdvisoryAI/` | Now includes OpsMemory (Sprint 213) |
| Integrations | `src/Integrations/` | Now includes Extensions (Sprint 214) |
### Preserved Boundaries (no consolidation)
| Module A | Module B | Sprint | Rationale |
|----------|----------|--------|-----------|
| Policy | Unknowns | 206 | Distinct domain ownership, separate DbContexts |
| Notify | Notifier | 209 | Library vs. host application boundary |
| ExportCenter | AirGap | 211 | Asymmetric coupling, blast radius |
### Deleted / Archived
| Item | Sprint | Action |
|------|--------|--------|
| `src/Gateway/` | 200 | Deleted (Router is canonical) |
| AdvisoryLens library | 217 | Archived |
| Resolver library | 217 | Archived |
### Deferred / Canceled
| Item | Sprint | Status |
|------|--------|--------|
| VexHub/VexLens consolidation | 205 | Deferred to future wave |
| SbomService absorption | 220 | Canceled |
| SmRemote | 215 | No-op (remains standalone) |
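Review bot: In "Schema Merge Decisions (All Rejected)", the SbomService row records a canceled evaluation (Sprint 220), not a rejected DbContext merge, so it fits neither the heading nor the sentence "In all cases, schema merges were **rejected**". Move that row to "Deferred / Canceled", where SbomService absorption is already listed, or retitle the section. The common rationale is that merging DbContexts widens the blast radius of credential compromise. For that to hold, each "No merge" row should say whether the two contexts also run under separate database credentials. This matters most for Authority + IssuerDirectory, where the argument depends on issuer metadata code paths not reaching passwords, MFA and tokens.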

File diff suppressed because it is too large


@@ -0,0 +1,100 @@
# Consolidation Investigation: WebService Function and Database Matrix (2026-03-05)
## Scope
- Source scan of all `*.WebService.csproj` under `src/`.
- This matrix captures webservice functional surface and the persistence backing currently wired in code.
- Inventory size: **31 webservices** across **23 domains/modules**.
## Domain Summary
| Domain | WebServices | Services | Persistence Modes |
| --- | ---: | --- | --- |
| AdvisoryAI | 2 | AdvisoryAI, OpsMemory | postgres |
| Attestor | 2 | Attestor, Signer | postgres |
| Authority | 1 | IssuerDirectory | postgres |
| BinaryIndex | 1 | BinaryIndex | postgres |
| Concelier | 2 | Concelier, Excititor | postgres |
| Doctor | 1 | Doctor | in-memory |
| EvidenceLocker | 1 | EvidenceLocker | postgres |
| ExportCenter | 1 | ExportCenter | postgres |
| Findings | 2 | Findings.Ledger, RiskEngine | in-memory, postgres |
| Integrations | 1 | Integrations | postgres |
| JobEngine | 4 | JobEngine, PacksRegistry, Scheduler, TaskRunner | file-backed, postgres |
| Notifier | 1 | Notifier | postgres |
| Notify | 1 | Notify | postgres |
| Platform | 1 | Platform | postgres |
| ReachGraph | 1 | ReachGraph | postgres |
| Remediation | 1 | Remediation | postgres |
| Replay | 1 | Replay | in-memory |
| Router | 1 | Gateway | no-persistence |
| Scanner | 1 | Scanner | postgres |
| Timeline | 2 | Timeline, TimelineIndexer | postgres |
| Unknowns | 1 | Unknowns | postgres |
| VexHub | 1 | VexHub | postgres |
| VexLens | 1 | VexLens | postgres |
## WebService Matrix
| Domain | WebService | Functions Served | DB Used | Evidence |
| --- | --- | --- | --- | --- |
| AdvisoryAI | AdvisoryAI | Endpoints: Attestation, Chat, EvidencePack, KnowledgeSearch (+5 more); routes: advisory-ai, chat, runs, search | AdvisoryAiDataSource, AdvisoryAiDbContext | src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Program.cs; src/AdvisoryAI/StellaOps.AdvisoryAI/Storage/EfCore/Context/AdvisoryAiDbContext.cs |
| AdvisoryAI | OpsMemory | Endpoints: OpsMemory; routes: opsmemory | PostgreSQL via NpgsqlDataSource + PostgresOpsMemoryStore (no EF DbContext) | src/AdvisoryAI/StellaOps.OpsMemory.WebService/Program.cs; src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/Storage/PostgresOpsMemoryStore.cs |
| Attestor | Attestor | Endpoints: Anchors, AttestorWebService, Bundles, Chain (+7 more); routes: attestor, watchlist | ProofChainDbContext | src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Program.cs; src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs |
| Attestor | Signer | Endpoints: Ceremony, KeyRotation, Signer; routes: anchors, ceremonies, signer | KeyManagementDbContext | src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Program.cs; src/Attestor/__Libraries/StellaOps.Signer.KeyManagement/EfCore/Context/KeyManagementDbContext.cs |
| Authority | IssuerDirectory | Endpoints: Issuer, IssuerKey, IssuerTrust; routes: issuer-directory | IssuerDirectoryDataSource, IssuerDirectoryDbContext | src/Authority/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.WebService/Program.cs; src/Authority/__Libraries/StellaOps.IssuerDirectory.Persistence/EfCore/Context/IssuerDirectoryDbContext.cs |
| BinaryIndex | BinaryIndex | Endpoints: BinaryIndexOps, GoldenSet, PatchCoverage, Resolution | BinaryIndexDbContext, BinaryIndexPersistenceDbContext, GoldenSetDbContext | src/BinaryIndex/StellaOps.BinaryIndex.WebService/Program.cs; src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/EfCore/Context/GoldenSetDbContext.cs |
| Concelier | Concelier | Endpoints: FeedMirrorManagement; routes: advisory-sources, canonical, concelier, federation (+3 more) | ConcelierDataSource, ConcelierDbContext | src/Concelier/StellaOps.Concelier.WebService/Program.cs; src/Concelier/__Libraries/StellaOps.Concelier.Persistence/EfCore/Context/ConcelierDbContext.cs |
| Concelier | Excititor | Endpoints: Attestation, Evidence, Ingest, Linkset (+6 more); routes: airgap, attestations, excititor, risk (+1 more) | ExcititorDataSource, ExcititorDbContext | src/Concelier/StellaOps.Excititor.WebService/Program.cs; src/Concelier/__Libraries/StellaOps.Excititor.Persistence/EfCore/Context/ExcititorDbContext.cs |
| Doctor | Doctor | Endpoints: Doctor, Timestamping; routes: doctor | No service DB; in-memory report storage | src/Doctor/StellaOps.Doctor.WebService/Program.cs |
| EvidenceLocker | EvidenceLocker | Evidence ingest/scoring, snapshots, bundle download/portable package, verify, legal hold, plus export/verdict/evidence-thread adapters | EvidenceLockerDbContext | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Program.cs; src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/EfCore/Context/EvidenceLockerDbContext.cs |
| ExportCenter | ExportCenter | Endpoints: Attestation, AuditBundle, ExceptionReport, ExportApi (+6 more); routes: audit-bundles, exports, incidents, lineage (+4 more) | ExportCenterDbContext | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs; src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/EfCore/Context/ExportCenterDbContext.cs |
| Findings | Findings.Ledger | Endpoints: Backport, EvidenceGraph, FindingSummary, ReachabilityMap (+4 more); routes: findings, scoring | FindingsLedgerDbContext | src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs; src/Findings/StellaOps.Findings.Ledger/EfCore/Context/FindingsLedgerDbContext.cs |
| Findings | RiskEngine | Endpoints: ExploitMaturity; routes: exploit-maturity | No service DB; InMemoryRiskScoreResultStore | src/Findings/StellaOps.RiskEngine.WebService/Program.cs; src/Findings/__Libraries/StellaOps.RiskEngine.Infrastructure/Stores/InMemoryRiskScoreResultStore.cs |
| Integrations | Integrations | Endpoints: Integration; routes: integrations | IntegrationDbContext | src/Integrations/StellaOps.Integrations.WebService/Program.cs; src/Integrations/__Libraries/StellaOps.Integrations.Persistence/IntegrationDbContext.cs |
| JobEngine | JobEngine | Endpoints: Approval, Audit, CircuitBreaker, Dag (+21 more); routes: approvals, environments, jobengine, metrics (+2 more) | JobEngineDbContext | src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Program.cs; src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/EfCore/Context/JobEngineDbContext.cs |
| JobEngine | PacksRegistry | Packs upload/list/content/provenance/manifest/signature, attestations, parity/lifecycle, mirrors sync, compliance summary, offline-seed export | No relational DB; filesystem repositories (packs/parity/lifecycle/audit/attestations/mirrors) | src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs; src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/FileSystem/FilePackRepository.cs |
| JobEngine | Scheduler | Endpoints: FailureSignature, Run, Schedule; routes: events, graphs, scheduler | SchedulerDataSource, SchedulerDbContext | src/JobEngine/StellaOps.Scheduler.WebService/Program.cs; src/JobEngine/StellaOps.Scheduler.__Libraries/StellaOps.Scheduler.Persistence/EfCore/Context/SchedulerDbContext.cs |
| JobEngine | TaskRunner | Run simulation/execution state/logs/artifacts/approvals/cancel, attestation APIs, incident-mode APIs, SLO breach webhook | No relational DB; filesystem stores for run state/logs/approvals/artifacts | src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs; src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilePackRunStateStore.cs |
| Notifier | Notifier | Endpoints: Escalation, Fallback, Incident, Localization (+10 more); routes: ack, escalation-policies, escalations, fallback (+13 more) | NotifyDataSource, NotifyDbContext | src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs; src/Notify/__Libraries/StellaOps.Notify.Persistence/EfCore/Context/NotifyDbContext.cs |
| Notify | Notify | Rules/channels/templates CRUD, deliveries history, digests, audit trail, lock APIs, internal normalize endpoints | NotifyDataSource, NotifyDbContext | src/Notify/StellaOps.Notify.WebService/Program.cs; src/Notify/__Libraries/StellaOps.Notify.Persistence/EfCore/Context/NotifyDbContext.cs |
| Platform | Platform | Endpoints: AdministrationTrustSigningMutation, Analytics, Context, EnvironmentSettings (+19 more); routes: admin, administration, analytics, authority (+26 more) | PlatformDbContext plus read-model access to Authority/Concelier/Excititor/Scheduler/Notify/Policy contexts | src/Platform/StellaOps.Platform.WebService/Program.cs; src/Authority/__Libraries/StellaOps.Authority.Persistence/EfCore/Context/AuthorityDbContext.cs |
| ReachGraph | ReachGraph | Endpoints: CveMapping, Reachability, ReachGraph | ReachGraphDataSource, ReachGraphDbContext | src/ReachGraph/StellaOps.ReachGraph.WebService/Program.cs; src/__Libraries/StellaOps.ReachGraph.Persistence/EfCore/Context/ReachGraphDbContext.cs |
| Remediation | Remediation | Endpoints: RemediationMatch, RemediationRegistry, RemediationSource; routes: remediation | RemediationDataSource, RemediationDbContext | src/Remediation/StellaOps.Remediation.WebService/Program.cs; src/Remediation/StellaOps.Remediation.Persistence/EfCore/Context/RemediationDbContext.cs |
| Replay | Replay | Endpoints: PointInTimeQuery, VerdictReplay; routes: pit, replay | No service DB; in-memory feed snapshot blob/index stores | src/Replay/StellaOps.Replay.WebService/Program.cs; src/Replay/StellaOps.Replay.WebService/FeedSnapshotSupport.cs |
| Router | Gateway | Gateway route dispatch pipeline, authz/header enforcement, transport routing, OpenAPI aggregation | No application DB; gateway routing/middleware service | src/Router/StellaOps.Gateway.WebService/Program.cs |
| Scanner | Scanner | Endpoints: Actionables, Approval, Baseline, BatchTriage (+43 more); routes: drift, epss, github, hot-lookup (+12 more) | ScannerDbContext + ScannerSourcesDataSource + TriageDbContext (+ AuthorityDbContext path) | src/Scanner/StellaOps.Scanner.WebService/Program.cs; src/Authority/__Libraries/StellaOps.Authority.Persistence/EfCore/Context/AuthorityDbContext.cs |
| Timeline | Timeline | Endpoints: Export, Health, Replay, Timeline (+1 more); routes: audit, timeline | EventingDataSource, EventingDbContext, TimelineCoreDataSource, TimelineCoreDbContext | src/Timeline/StellaOps.Timeline.WebService/Program.cs; src/__Libraries/StellaOps.Eventing/EfCore/Context/EventingDbContext.cs |
| Timeline | TimelineIndexer | Timeline indexer API group for index status/control under /api/v1 | TimelineIndexerDataSource, TimelineIndexerDbContext | src/Timeline/StellaOps.TimelineIndexer.WebService/Program.cs; src/Timeline/__Libraries/StellaOps.TimelineIndexer.Infrastructure/EfCore/Context/TimelineIndexerDbContext.cs |
| Unknowns | Unknowns | Endpoints: GreyQueue, Unknowns; routes: grey-queue, unknowns | UnknownsDataSource, UnknownsDbContext | src/Unknowns/StellaOps.Unknowns.WebService/Program.cs; src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence.EfCore/Context/UnknownsDbContext.cs |
| VexHub | VexHub | VEX ingest and distribution endpoints under /api/v1/vex | VexHubDataSource, VexHubDbContext | src/VexHub/StellaOps.VexHub.WebService/Program.cs; src/VexHub/__Libraries/StellaOps.VexHub.Persistence/EfCore/Context/VexHubDbContext.cs |
| VexLens | VexLens | VEX lens APIs for deltas/export/gating/issuer views | VexLensDataSource, VexLensDbContext | src/VexLens/StellaOps.VexLens.WebService/Program.cs; src/VexLens/StellaOps.VexLens.Persistence/EfCore/Context/VexLensDbContext.cs |
## Compose Storage Baseline (Policy Input)
- Main stack defines PostgreSQL as primary platform datastore (`devops/compose/docker-compose.stella-ops.yml` lines 71-127, `x-postgres-connection` at lines 28-30).
- Main stack defines RustFS (SeaweedFS S3 API) as object/blob storage (`devops/compose/docker-compose.stella-ops.yml` lines 162-180).
- Scanner already expresses the intended split: Postgres for metadata/state and RustFS for artifacts (`devops/compose/docker-compose.stella-ops.yml` lines 652-659 and 720-725).
- Testing stack explicitly expects Postgres drivers for PacksRegistry and TaskRunner (`devops/compose/docker-compose.testing.yml` lines 253-254 and 271-272).
## Policy Gaps (Postgres First, RustFS for Blobs)
| Service | Current Runtime Wiring | Compose Signal | Gap | Required Remediation |
| --- | --- | --- | --- | --- |
| PacksRegistry | File repositories (`src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs` lines 29-34) | Main compose provides `ConnectionStrings__Default` (line 1769); testing compose expects `PACKSREGISTRY__STORAGE__DRIVER=postgres` (line 253) | High | Add storage driver contract; move metadata (pack/parity/lifecycle/mirror/audit) to Postgres; keep pack/provenance/attestation payloads in RustFS/seed-fs blob path. |
| TaskRunner | File stores/readers (`src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs` lines 61,66,71,76) | Main compose provides `ConnectionStrings__Default` (line 1150); testing compose expects `TASKRUNNER__STORAGE__DRIVER=postgres` (line 271) | High | Add Postgres storage driver for run state/logs/approvals; move large artifacts to RustFS/seed-fs blob path; keep deterministic replay semantics. |
| RiskEngine | In-memory result store (`src/Findings/StellaOps.RiskEngine.WebService/Program.cs` line 21) | Main compose provides `ConnectionStrings__Default` (line 1048) | Medium-High | Implement Postgres-backed result store with deterministic ordering/query semantics; keep in-memory only for explicit test profile. |
| Replay | In-memory snapshot blob/index stores (`src/Replay/StellaOps.Replay.WebService/Program.cs` lines 61-62) | Main compose provides `ConnectionStrings__Default` (line 2037) | Medium-High | Persist replay snapshot index/state in Postgres; move snapshot blobs to RustFS/seed-fs object path. |
| OpsMemory | Postgres store exists but connection key is `ConnectionStrings:OpsMemory` with localhost fallback (`src/AdvisoryAI/StellaOps.OpsMemory.WebService/Program.cs` lines 19-20) | Main compose sets only `ConnectionStrings__Default` (line 1537) | Medium | Accept `ConnectionStrings:Default` as primary fallback or map explicit `ConnectionStrings:OpsMemory` in compose; remove localhost fallback in non-dev runtime. |
| Scanner | Postgres + RustFS split already configured (`src/Scanner` + compose lines 652-659/720-725) | Explicitly aligned in compose | None | Use as reference implementation for storage-driver conventions. |
## Sprint 312 remediation status (2026-03-05)
| Service | Implemented end state | Validation evidence |
| --- | --- | --- |
| PacksRegistry | `Storage:Driver=postgres` for metadata/state repositories; `Storage:ObjectStore:Driver=seed-fs` for pack/provenance/attestation payload bytes via `SeedFsPacksRegistryBlobStore`. | `dotnet test src/JobEngine/StellaOps.PacksRegistry.__Tests/StellaOps.PacksRegistry.Persistence.Tests/StellaOps.PacksRegistry.Persistence.Tests.csproj -v minimal` (Passed 7/7, including `PostgresBlobStorageRepositoryTests`). |
| TaskRunner | `Storage:Driver=postgres` for run state/log/approval; `Storage:ObjectStore:Driver=seed-fs` for artifact payload root path. | `dotnet test src/JobEngine/StellaOps.TaskRunner.__Tests/StellaOps.TaskRunner.Persistence.Tests/StellaOps.TaskRunner.Persistence.Tests.csproj -v minimal` (Passed 4/4). |
| RiskEngine | Postgres-backed result store (`PostgresRiskScoreResultStore`) registered as production default; in-memory explicit fallback retained. | Targeted class run: `StellaOps.RiskEngine.Tests.exe -class "StellaOps.RiskEngine.Tests.PostgresRiskScoreResultStoreTests"` (Passed 2/2). Full suite still has unrelated auth harness failures. |
| Replay | Postgres snapshot index store (`PostgresFeedSnapshotIndexStore`) + seed-fs blob store (`SeedFsFeedSnapshotBlobStore`). | Targeted class run: `StellaOps.Replay.Core.Tests.exe -class "...PostgresFeedSnapshotIndexStoreTests" -class "...SeedFsFeedSnapshotBlobStoreTests"` (Passed 3/3). |
| OpsMemory | Connection precedence aligned to `ConnectionStrings:OpsMemory -> ConnectionStrings:Default`, non-development fail-fast retained. | `dotnet build src/AdvisoryAI/StellaOps.OpsMemory.WebService/StellaOps.OpsMemory.WebService.csproj -v minimal` and `dotnet test src/AdvisoryAI/__Tests/StellaOps.OpsMemory.Tests/StellaOps.OpsMemory.Tests.csproj -v minimal` (previously captured in sprint evidence). |
| Compose parity | Main/testing compose now declare explicit storage-driver keys for affected services; main compose validation fixed for `taskrunner-worker` artifact mount conflict. | `docker compose -f devops/compose/docker-compose.stella-ops.yml config` (OK), `docker compose -f devops/compose/docker-compose.testing.yml config` (OK). |
## Notes
- `DB Used` reflects runtime wiring in the current code snapshot; no consolidation merge assumptions are applied.
- Services marked file-backed/in-memory/no-persistence are currently not using EF/PostgreSQL service databases.
- Compose indicates target policy direction: Postgres-first persistence with RustFS object storage for blobs/artifacts.
- Raw extraction artifact: `docs/implplan/CONSOLIDATION_SERVICE_INVENTORY_20260305.raw.json`.
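Review bot: The Domain Summary and WebService Matrix list RiskEngine and Replay as in-memory and PacksRegistry and TaskRunner as file-backed, while "Sprint 312 remediation status" in the same file reports Postgres-backed stores as the implemented end state for all four. The Notes line "Services marked file-backed/in-memory/no-persistence are currently not using EF/PostgreSQL service databases" then contradicts the remediation table. Either label the matrix and Policy Gaps sections as the pre-remediation snapshot or update those rows and the Findings, JobEngine and Replay summary rows. Separately, the Platform row ("read-model access to Authority/Concelier/Excititor/Scheduler/Notify/Policy contexts") and the Scanner row ("+ AuthorityDbContext path") show other services reaching the Authority context, yet neither appears under Policy Gaps. Record whether that access is read-only and under which database role. The RiskEngine evidence also says "Full suite still has unrelated auth harness failures" without pointing to where those failures are tracked.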


@@ -1,97 +0,0 @@
# Sprint 200 - Platform: Gateway Module Deletion
## Topic & Scope
- Delete the deprecated `src/Gateway/` module — the canonical Gateway WebService already lives in `src/Router/StellaOps.Gateway.WebService/` with comments confirming "now in same module."
- Working directory: `src/Gateway/`, `src/Router/`, `docs/modules/gateway/`.
- Expected evidence: clean build of `StellaOps.Router.sln`, all Router tests pass, no dangling references.
## Dependencies & Concurrency
- No upstream sprint dependencies.
- Safe to run in parallel with all other consolidation sprints.
- This is the lowest-risk consolidation — Gateway is already dead code.
## Documentation Prerequisites
- Read `docs/modules/gateway/architecture.md` (confirms Router is canonical).
- Read `docs/modules/router/architecture.md` (confirms Gateway.WebService is hosted here).
## Delivery Tracker
### TASK-200-001 - Verify Gateway is fully superseded by Router
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Compare `src/Gateway/StellaOps.Gateway.WebService/Program.cs` with `src/Router/StellaOps.Gateway.WebService/Program.cs`.
- Confirm the Router version is a superset (has all routes, middleware, config the Gateway version has).
- Check `StellaOps.Gateway.sln` — confirm it only references projects inside `src/Gateway/`.
- Search all `.csproj` files in the repo for any `ProjectReference` pointing into `src/Gateway/`.
- Search `devops/compose/` and `.gitea/` for any references to the Gateway solution or its Docker image.
Completion criteria:
- [ ] Diff report confirming Router Gateway is superset
- [ ] Zero external references to `src/Gateway/` projects
- [ ] Zero CI/Docker references to Gateway-specific builds
### TASK-200-002 - Delete src/Gateway/ and update solution
Status: TODO
Dependency: TASK-200-001
Owners: Developer
Task description:
- Remove `src/Gateway/` directory entirely.
- Remove any Gateway-specific entries from `StellaOps.sln` (the root solution).
- If `StellaOps.Gateway.sln` in `src/Gateway/` is referenced anywhere, update references to use `StellaOps.Router.sln`.
- Run `dotnet build src/Router/StellaOps.Router.sln` — must succeed.
- Run `dotnet test src/Router/StellaOps.Router.sln` — all tests must pass.
Completion criteria:
- [ ] `src/Gateway/` deleted
- [ ] Root solution updated
- [ ] Router solution builds clean
- [ ] Router tests pass
### TASK-200-003 - Update documentation
Status: TODO
Dependency: TASK-200-002
Owners: Developer
Task description:
- Move `docs/modules/gateway/` to `docs-archived/modules/gateway/`.
- Update `docs/modules/router/architecture.md` — remove any "see also Gateway" references; add a note that Gateway was consolidated into Router on 2026-02-25.
- Update `docs/INDEX.md` — remove the Gateway row from the module table, or mark it as "(archived — see Router)".
- Search `docs/**/*.md` for references to `src/Gateway/` or `modules/gateway/` and update them.
- Update `CLAUDE.md` section 1.4 if it references Gateway.
Completion criteria:
- [ ] Gateway docs archived
- [ ] Router docs updated with consolidation note
- [ ] INDEX.md updated
- [ ] No broken references to Gateway in active docs
### TASK-200-004 - Validate CLI and Web routing references
Status: TODO
Dependency: TASK-200-002
Owners: Developer
Task description:
- Audit `src/Cli/` for Gateway-specific references (`Gateway`, `/gateway`, `StellaOps.Gateway.*`). Expected from current audit: no direct CLI references.
- Validate `src/Web/StellaOps.Web/proxy.conf.json` still routes `/gateway` through Router-owned gateway handling after deleting `src/Gateway/`.
- Validate gateway-based URL composition in `src/Web/StellaOps.Web/src/app/app.config.ts` and `src/Web/StellaOps.Web/src/app/core/config/app-config.service.ts` remains unchanged.
- If any `src/Gateway/` source paths appear in CLI/Web build metadata, update them to Router-owned paths.
Completion criteria:
- [ ] CLI audit confirms zero direct `src/Gateway/` references.
- [ ] Web proxy/app-config routing verified for gateway path forwarding.
- [ ] Any stale Gateway path references removed.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Risk: Gateway may have Translations/ folder content not in Router. Mitigation: TASK-200-001 diff will catch this.
- Decision: Gateway docs are archived, not deleted — preserves historical context.
## Next Checkpoints
- Gateway deletion can be completed in a single session.
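Review bot: All four Delivery Tracker tasks (TASK-200-001 through TASK-200-004) are removed with `Status: TODO` and unchecked completion criteria, and the Execution Log stops at the 2026-02-25 planning entries. The file therefore carries no record that the superset diff, the zero-reference search, or the Router build and test runs happened before `src/Gateway/` was deleted. If this content is being moved to an archive, update the statuses and log the evidence before archiving. TASK-200-001 matters most here: the Router gateway is listed elsewhere in this commit as the authz/header enforcement point, so the record should show the result of the middleware comparison. The Translations/ risk under Decisions & Risks also names that same diff as its only mitigation.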


@@ -1,138 +0,0 @@
# Sprint 201 - Scanner: Absorb Cartographer Module
## Topic & Scope
- Consolidate `src/Cartographer/` (1 csproj, zero external consumers) into `src/Scanner/` as `StellaOps.Scanner.Cartographer`.
- Cartographer materializes SBOM graphs for indexing — this is SBOM processing, which is Scanner's domain.
- Working directory: `src/Cartographer/`, `src/Scanner/`, `docs/modules/cartographer/`, `docs/modules/scanner/`.
- Expected evidence: clean build, all Scanner tests pass, Cartographer functionality preserved.
## Dependencies & Concurrency
- No upstream dependencies.
- Can run in parallel with other consolidation sprints except BinaryIndex+Symbols (Domain 2).
- Coordinate with Graph module if Cartographer's output contract changes.
## Documentation Prerequisites
- Read `src/Cartographer/AGENTS.md` — confirms required reading is `docs/modules/graph/architecture.md`.
- Read `docs/modules/cartographer/README.md`.
- Read `docs/modules/scanner/architecture.md` for project layout conventions.
## Delivery Tracker
### TASK-201-001 - Analyze Cartographer project structure and dependencies
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Read `src/Cartographer/StellaOps.Cartographer/StellaOps.Cartographer.csproj` — list all dependencies.
- Confirm Cartographer depends on: Configuration, DependencyInjection, Policy.Engine, Auth.Abstractions, Auth.ServerIntegration.
- Verify zero external consumers: grep all `.csproj` files for `Cartographer` references outside `src/Cartographer/`.
- Document the Cartographer API surface (endpoints, ports — confirmed port 10210).
- Check if Cartographer has its own database schema/migrations.
- Check `devops/compose/` for Cartographer service definitions.
Completion criteria:
- [ ] Full dependency list documented
- [ ] Zero external consumer confirmed
- [ ] API surface documented
- [ ] Docker compose references identified
### TASK-201-002 - Move Cartographer into Scanner module
Status: TODO
Dependency: TASK-201-001
Owners: Developer
Task description:
- Create `src/Scanner/StellaOps.Scanner.Cartographer/` directory.
- Move all source files from `src/Cartographer/StellaOps.Cartographer/` into the new location.
- Rename the `.csproj` to `StellaOps.Scanner.Cartographer.csproj`.
- Update the `<RootNamespace>` and `<AssemblyName>` in the csproj.
- Update all `ProjectReference` paths within the csproj to use new relative paths.
- Move test projects: `src/Cartographer/__Tests/``src/Scanner/__Tests/StellaOps.Scanner.Cartographer.Tests/`.
- Update test csproj references.
- Add `StellaOps.Scanner.Cartographer.csproj` to `StellaOps.Scanner.sln`.
- Remove `src/Cartographer/` directory.
- Remove Cartographer entries from root `StellaOps.sln`.
Completion criteria:
- [ ] Source moved and renamed
- [ ] Test projects moved
- [ ] Scanner solution includes Cartographer
- [ ] Old Cartographer directory removed
- [ ] Root solution updated
### TASK-201-003 - Update Docker compose and CI
Status: TODO
Dependency: TASK-201-002
Owners: Developer
Task description:
- Update `devops/compose/` files — change Cartographer service image/build context to Scanner.Cartographer.
- Update `.gitea/workflows/` if any workflow references `src/Cartographer/` paths.
- Verify the Cartographer service still starts on port 10210 (preserve the API contract).
Completion criteria:
- [ ] Docker compose updated
- [ ] CI workflows updated
- [ ] Service starts and responds on expected port
### TASK-201-004 - Build and test verification
Status: TODO
Dependency: TASK-201-002
Owners: Developer
Task description:
- Run `dotnet build src/Scanner/StellaOps.Scanner.sln` — must succeed.
- Run `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Cartographer.Tests/` — all tests pass.
- Run full Scanner test suite to verify no regressions.
- Run `dotnet build StellaOps.sln` from root — must succeed.
Completion criteria:
- [ ] Scanner solution builds clean
- [ ] Cartographer tests pass in new location
- [ ] Full Scanner test suite passes
- [ ] Root solution builds clean
### TASK-201-005 - Update documentation
Status: TODO
Dependency: TASK-201-004
Owners: Developer
Task description:
- Move `docs/modules/cartographer/` to `docs-archived/modules/cartographer/`.
- Add a "Cartographer (SBOM Graph Materialization)" section to `docs/modules/scanner/architecture.md`.
- Update `docs/INDEX.md` — remove Cartographer row or mark archived.
- Update `CLAUDE.md` section 1.4 if Cartographer is listed.
- Update any docs referencing `src/Cartographer/` paths to `src/Scanner/StellaOps.Scanner.Cartographer/`.
- Update `src/Scanner/AGENTS.md` to include Cartographer working directory.
Completion criteria:
- [ ] Cartographer docs archived
- [ ] Scanner architecture doc updated
- [ ] INDEX and CLAUDE.md updated
- [ ] All path references updated
### TASK-201-006 - Validate CLI and Web references for Cartographer
Status: TODO
Dependency: TASK-201-002
Owners: Developer
Task description:
- Search `src/Cli/` and `src/Web/` for `Cartographer` and `STELLAOPS_CARTOGRAPHER_URL` references.
- Expected from current audit: no direct CLI/Web source references; Cartographer wiring is currently in compose/platform environment configuration.
- If any direct CLI/Web reference exists, update it to Scanner-owned paths or remove stale module naming.
- Record the audit result in Execution Log (including explicit `none found` if no updates were required).
Completion criteria:
- [ ] CLI audit completed.
- [ ] Web audit completed.
- [ ] Any discovered references updated or explicitly recorded as none.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: Cartographer keeps its own WebService (port 10210) as a separate deployable within the Scanner module. It is not merged into Scanner.WebService.
- Risk: Namespace rename may break runtime assembly loading if any reflection-based patterns reference `StellaOps.Cartographer`. Mitigation: grep for string literals containing the old namespace.
## Next Checkpoints
- Cartographer consolidation can be completed in a single session.
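Review bot: The reflection risk under Decisions & Risks (runtime assembly loading that references `StellaOps.Cartographer`) names a grep for string literals as its mitigation, but no task or completion criterion in the Delivery Tracker covers it. TASK-201-002 renames `<RootNamespace>` and `<AssemblyName>` without any such check, so add a criterion to TASK-201-002 or TASK-201-004. TASK-201-006 searches only `src/Cli/` and `src/Web/` for `STELLAOPS_CARTOGRAPHER_URL` while stating that the wiring lives in compose/platform environment configuration, and TASK-201-003 mentions only image/build context, so no task covers the environment variable itself. In TASK-201-002 the test-project move line runs the source and destination paths together with no separator between them. All six tasks are still `Status: TODO` at removal, so the archived copy should carry the final status and the audit result that TASK-201-006 asks to be recorded in the Execution Log.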


@@ -1,151 +0,0 @@
# Sprint 202 - BinaryIndex: Absorb Symbols Module
## Topic & Scope
- Consolidate `src/Symbols/` (6 csproj: Core, Client, Infrastructure, Marketplace, Server, Bundle) into `src/BinaryIndex/` as `StellaOps.BinaryIndex.Symbols.*`.
- Symbols provides debug symbol storage and resolution — the primary consumer is BinaryIndex.DeltaSig. The other consumer is Cli.Plugins.Symbols (a thin plugin loader).
- Working directory: `src/Symbols/`, `src/BinaryIndex/`, `src/Cli/`, `docs/modules/symbols/`, `docs/modules/binary-index/`.
- Expected evidence: clean build of BinaryIndex solution, all tests pass, Symbols.Server still deploys independently.
## Dependencies & Concurrency
- No upstream dependencies.
- Can run in parallel with all other consolidation sprints except Scanner+Cartographer (Domain 2).
## Documentation Prerequisites
- Read `docs/modules/symbols/architecture.md` — note: this doc is stale (describes monolithic layout, actual code has 5 projects).
- Read `src/BinaryIndex/AGENTS.md`.
## Delivery Tracker
### TASK-202-001 - Map Symbols project structure and consumers
Status: TODO
Dependency: none
Owners: Developer
Task description:
- List all 6 Symbols csproj files and their inter-dependencies:
- Symbols.Core (leaf)
- Symbols.Client → Core
- Symbols.Infrastructure → Core
- Symbols.Marketplace (leaf)
- Symbols.Server → Core, Infrastructure, Marketplace + Authority libs
- Symbols.Bundle → Core
- Confirm external consumers:
- `BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig` → Symbols.Core
- `Cli/__Libraries/StellaOps.Cli.Plugins.Symbols` → Symbols.Core, Symbols.Client
- Check for any other consumers via grep.
- Document the Symbols.Server API surface and port.
- Check `devops/compose/` for Symbols service definition.
Completion criteria:
- [ ] Full dependency graph documented
- [ ] All consumers identified
- [ ] Server API surface and port documented
- [ ] Docker compose references identified
### TASK-202-002 - Move Symbols projects into BinaryIndex
Status: TODO
Dependency: TASK-202-001
Owners: Developer
Task description:
- Create directories under `src/BinaryIndex/`:
- `StellaOps.BinaryIndex.Symbols.Core/`
- `StellaOps.BinaryIndex.Symbols.Client/`
- `StellaOps.BinaryIndex.Symbols.Infrastructure/`
- `StellaOps.BinaryIndex.Symbols.Marketplace/`
- `StellaOps.BinaryIndex.Symbols.Server/`
- `StellaOps.BinaryIndex.Symbols.Bundle/`
- Move source files from `src/Symbols/` into new locations.
- Rename csproj files, update `<RootNamespace>` and `<AssemblyName>`.
- Update all internal `ProjectReference` paths.
- Move test projects from `src/Symbols/__Tests/` into `src/BinaryIndex/__Tests/`.
- Update test csproj references.
- Add all new csproj files to `StellaOps.BinaryIndex.sln`.
- Remove `src/Symbols/` directory.
- Remove Symbols entries from root `StellaOps.sln`.
Completion criteria:
- [ ] All 6 projects moved and renamed
- [ ] Test projects moved
- [ ] BinaryIndex solution includes all Symbols projects
- [ ] Old Symbols directory removed
- [ ] Root solution updated
### TASK-202-003 - Update external consumers
Status: TODO
Dependency: TASK-202-002
Owners: Developer
Task description:
- Update `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig.csproj`:
- Change `ProjectReference` from `../../../Symbols/...` to the new BinaryIndex-local path.
- Update `src/Cli/__Libraries/StellaOps.Cli.Plugins.Symbols/StellaOps.Cli.Plugins.Symbols.csproj`:
- Change `ProjectReference` paths from `..\..\..\Symbols\...` to new BinaryIndex.Symbols locations.
- Update `src/Cli/StellaOps.Cli.sln` Symbols project entries that currently point to `..\Symbols\...`.
- Search all `.csproj` and `.sln` files for remaining `Symbols` project paths and update.
- Audit `src/Web/StellaOps.Web` for direct Symbols backend route usage (`/symbols`). Expected from current audit: no dedicated Symbols API route migration required.
Completion criteria:
- [ ] BinaryIndex.DeltaSig references updated.
- [ ] Cli.Plugins.Symbols references updated.
- [ ] StellaOps.Cli.sln Symbols paths updated.
- [ ] Web Symbols route audit completed (none or updates documented).
- [ ] All external references updated.
### TASK-202-004 - Update Docker compose and CI
Status: TODO
Dependency: TASK-202-002
Owners: Developer
Task description:
- Update `devops/compose/` files for Symbols service → BinaryIndex.Symbols.Server.
- Update `.gitea/workflows/` if any reference `src/Symbols/`.
- Verify Symbols.Server still deploys on its original port.
Completion criteria:
- [ ] Docker compose updated
- [ ] CI workflows updated
- [ ] Server deploys on expected port
### TASK-202-005 - Build and test verification
Status: TODO
Dependency: TASK-202-003
Owners: Developer
Task description:
- `dotnet build src/BinaryIndex/StellaOps.BinaryIndex.sln` — must succeed.
- Run all BinaryIndex tests including new Symbols tests.
- `dotnet build StellaOps.sln` — root solution must succeed.
- Run Cli.Plugins.Symbols tests if they exist.
Completion criteria:
- [ ] BinaryIndex solution builds clean
- [ ] All tests pass
- [ ] Root solution builds clean
### TASK-202-006 - Update documentation
Status: TODO
Dependency: TASK-202-005
Owners: Developer
Task description:
- Move `docs/modules/symbols/` to `docs-archived/modules/symbols/`.
- Add a "Symbols (Debug Symbol Resolution)" section to `docs/modules/binary-index/architecture.md`.
- Rewrite the section to match the actual 5-project structure (the old symbols doc was stale).
- Update `docs/INDEX.md`.
- Update `CLAUDE.md` section 1.4.
- Update path references in all docs.
Completion criteria:
- [ ] Symbols docs archived
- [ ] BinaryIndex architecture updated with accurate Symbols section
- [ ] INDEX and CLAUDE.md updated
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: Symbols.Server remains a separately deployable WebService within BinaryIndex. The module consolidation is organizational, not a service merge.
- Risk: Namespace rename (`StellaOps.Symbols.*``StellaOps.BinaryIndex.Symbols.*`) may break serialized type names if any are persisted. Mitigation: check for `typeof(...)`, `nameof(...)`, or JSON `$type` discriminators referencing old namespaces.
## Next Checkpoints
- Estimate: 1-2 sessions due to the 6-project scope and namespace rename.
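Review bot: The namespace-rename risk under Decisions & Risks gives a concrete mitigation (check `typeof(...)`, `nameof(...)` and JSON `$type` discriminators that reference the old namespaces), yet none of TASK-202-001 through TASK-202-006 carries it as a step or completion criterion. Add it to TASK-202-003 or TASK-202-005 with its own checkbox, because a clean build will not catch persisted type names that no longer resolve. Also reconcile the project count: Topic & Scope and TASK-202-001 list 6 csproj, while Documentation Prerequisites and TASK-202-006 refer to 5 projects.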

View File

@@ -1,114 +0,0 @@
# Sprint 203 - Advisory Domain: Concelier, Feedser, and Excititor
## Topic & Scope
- Shift from service-folder consolidation to domain-first consolidation for advisory ingestion and proof generation.
- Consolidate source layout under `src/Concelier/` while preserving independent deployables (`Concelier` and `Excititor`).
- Document advisory domain schema ownership. Schemas (`vuln`, `feedser`, `vex`, `proofchain`, `advisory_raw`) remain separate; no cross-schema DB merge. Each service keeps its existing DbContext.
- Working directory: `src/Concelier/`.
- Cross-module edits explicitly allowed for referenced consumers (`src/Attestor/`, `src/Scanner/`, `src/Cli/`, `src/Web/`, `devops/compose/`) as listed in tasks.
- Expected evidence: successful builds/tests, correct ProjectReference paths, and unchanged external API paths.
## Dependencies & Concurrency
- No upstream dependency.
- **Sprint 204 (Attestor) depends on this sprint** — Attestor references Feedser, which moves here. Sprint 204 must start after Sprint 203 source layout consolidation (TASK-203-002) is complete, or Attestor's ProjectReference paths will break.
- **Sprint 205 (VEX consolidation)** is deferred in the current wave. If reactivated later, it depends on Sprint 203 TASK-203-002 completion because VexHub references Excititor.
- **Sprint 220 (SbomService absorption)** was canceled (decision: do not merge SbomService in this wave). Keep note only for future reactivation of that sprint.
- Coordinate with Sprint 216 for IssuerDirectory client dependency inside Excititor.
## Documentation Prerequisites
- Read `docs/modules/concelier/architecture.md`.
- Read `docs/modules/excititor/architecture.md`.
- Read `docs/modules/feedser/architecture.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-203-001 - Document advisory domain schema ownership and service boundaries
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Document current DbContext ownership: ConcelierDbContext, ProofServiceDbContext, ExcititorDbContext.
- Document PostgreSQL schema ownership per service (`vuln`, `feedser`, `vex`, `proofchain`, `advisory_raw`) and confirm schemas remain separate.
- Document connection-string ownership and runtime config keys for the advisory domain.
- Record the domain boundary decision: schemas stay isolated, no cross-schema merge. Each service retains its own DbContext.
Completion criteria:
- [ ] Advisory domain schema ownership documented in sprint notes.
- [ ] Connection-string and runtime config keys documented.
- [ ] No-merge decision recorded with rationale.
### TASK-203-002 - Consolidate source layout into advisory domain module
Status: TODO
Dependency: TASK-203-001
Owners: Developer
Task description:
- Move `src/Feedser/` and `src/Excititor/` source trees into `src/Concelier/` domain layout.
- Preserve project names and runtime service identities.
- Update all `ProjectReference` paths (including Attestor, Scanner, and CLI consumers).
- Update solution files (`StellaOps.Concelier.sln` and root solution).
- Verify `<Compile Remove>` paths for compiled model assembly attributes in moved `.csproj` files are updated for ProofServiceDbContext compiled models.
Completion criteria:
- [ ] Feedser and Excititor source trees are under Concelier domain layout.
- [ ] All project references compile with new paths.
- [ ] Compiled model paths verified in moved `.csproj` files.
- [ ] Legacy top-level directories removed.
### TASK-203-003 - Update CLI/Web and infrastructure references
Status: TODO
Dependency: TASK-203-002
Owners: Developer
Task description:
- Validate/update CLI references from matrix evidence:
- `src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs` (`excititor/*`).
- `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` (Excititor verbs).
- `src/Cli/StellaOps.Cli.sln` and `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj` path updates.
- Validate/update Web references:
- `src/Web/StellaOps.Web/proxy.conf.json` (`/excititor`, `/concelier`).
- `src/Web/StellaOps.Web/src/app/app.config.ts` (`/api/v1/concelier`).
- Keep existing public endpoints backward compatible.
Completion criteria:
- [ ] CLI references updated and buildable.
- [ ] Web proxy/config references validated.
- [ ] Public endpoint compatibility confirmed.
### TASK-203-004 - Build, test, and documentation closeout
Status: TODO
Dependency: TASK-203-003
Owners: Developer
Task description:
- Build and test Concelier domain solution and root solution.
- Run targeted tests for Attestor and Scanner consumers affected by Feedser path changes.
- Update module docs to reflect advisory domain model (source consolidation, schema ownership unchanged).
- Archive superseded Feedser/Excititor standalone docs after replacement sections are in Concelier docs.
- Add ADR entry to `docs/modules/concelier/architecture.md` documenting the no-merge decision and deployment boundary freeze.
Completion criteria:
- [ ] Domain and root builds succeed.
- [ ] Targeted dependent tests pass.
- [ ] Documentation updated for domain-first model.
- [ ] ADR entry recorded in architecture dossier.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
| 2026-02-25 | Reworked to domain-first consolidation with phased advisory DB merge plan. | Planning |
| 2026-02-25 | DB merge REJECTED after deep analysis: 49 entities across 5 schemas (`vuln`, `feedser`, `vex`, `proofchain`, `advisory_raw`) is too complex for marginal benefit when all data is already in one PostgreSQL database (`stellaops_platform`). Sprint reduced from 8 tasks to 4 (source consolidation only). | Planning |
## Decisions & Risks
- Decision: Advisory domain is source-consolidation only. No cross-schema DB merge.
- Rationale: All services already share the `stellaops_platform` database. The 49 entities across 5 schemas have distinct lifecycles (raw ingestion vs. proof generation vs. VEX processing). Merging DbContexts would couple unrelated write patterns for zero operational benefit. Schema isolation is a feature, not a problem to solve.
- Decision: Deployable services remain separate at runtime while sharing one domain source root.
- Decision: Each service retains its own DbContext and PostgreSQL schema ownership.
- Risk: Largest project move in the batch (17 csproj). Mitigation: source move is isolated from schema changes, reducing blast radius.
- Note: Sprint 219 generated compiled models for ProofServiceDbContext (under `src/Concelier/`). After the source move, verify that `<Compile Remove>` paths for compiled model assembly attributes in moved `.csproj` files are updated.
## Next Checkpoints
- Milestone 1: domain schema ownership documented and source layout consolidated.
- Milestone 2: CLI/Web references updated and builds pass.
- Milestone 3: docs updated and sprint ready for closure.
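Review bot: TASK-203-003 is titled "Update CLI/Web and infrastructure references" and Topic & Scope allows edits in `devops/compose/`, but the task body lists only CLI and Web files; there is no compose or CI workflow step and no matching completion criterion. Once TASK-203-002 removes the legacy top-level directories, a compose or workflow path that still points at `src/Feedser/` or `src/Excititor/` would not be caught by the solution builds in TASK-203-004. Add a bullet for the compose and workflow path updates with its own checkbox.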

View File

@@ -1,104 +0,0 @@
# Sprint 204 - Trust Domain: Attestor, Signer, and Provenance Consolidation
## Topic & Scope
- Shift trust-related modules to a single trust domain model while preserving explicit runtime security boundaries.
- Consolidate source ownership for `Attestor`, `Signer`, and `Provenance` under the trust domain structure.
- Document trust domain schema ownership. Schemas remain separate; the security boundary between signer key material and attestation evidence is preserved deliberately. No cross-schema DB merge.
- Working directory: `src/Attestor/`.
- Cross-module edits explicitly allowed for dependent consumers and runtime paths (`src/Concelier/`, `src/Cli/`, `src/Web/`, `devops/compose/`) as listed in tasks.
- Expected evidence: builds/tests pass, DSSE/signing contracts unchanged, and no API regressions.
## Dependencies & Concurrency
- **Upstream dependency: Sprint 203 (Concelier absorbs Feedser)** — Attestor references Feedser libraries (ProofChain, PatchVerification). Sprint 203 moves Feedser into `src/Concelier/`. This sprint's source move (TASK-204-002) must use Feedser's post-203 paths, so Sprint 203 TASK-203-002 must be complete before this sprint starts TASK-204-002.
- Coordinate with Sprint 216 for broader identity/trust alignment.
## Documentation Prerequisites
- Read `docs/modules/attestor/architecture.md`.
- Read `docs/modules/signer/architecture.md`.
- Read `docs/modules/provenance/architecture.md` (or module docs in repo).
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-204-001 - Document trust domain security boundaries and schema ownership
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Classify trust data: attestation evidence (proofchain schema), provenance evidence, signer metadata, signer key material.
- Document PostgreSQL schema ownership per service and confirm schemas remain separate.
- Record the domain boundary decision: signer key-material isolation from attestation evidence is a deliberate security boundary, not an accident. No cross-schema merge.
Completion criteria:
- [ ] Trust data classification documented.
- [ ] Schema ownership per service documented.
- [ ] Security boundary no-merge decision recorded with rationale.
### TASK-204-002 - Consolidate source layout under trust domain ownership
Status: TODO
Dependency: TASK-204-001
Owners: Developer
Task description:
- Move `src/Signer/` and `src/Provenance/` source into trust domain layout under `src/Attestor/`.
- Preserve deployable service names and package identities.
- Update all `ProjectReference` paths, including external consumers.
- Update solution files and remove old top-level module roots.
Completion criteria:
- [ ] Source layout consolidated under trust domain.
- [ ] Project references compile.
- [ ] Legacy top-level folders removed.
### TASK-204-003 - CLI/Web, compose, and CI updates
Status: TODO
Dependency: TASK-204-002
Owners: Developer
Task description:
- Update CLI references and solution paths for Signer/Provenance relocation.
- Validate Web/platform service identity references for signer health and routing.
- Update compose/workflow paths for moved trust-domain projects.
- Verify DSSE signing endpoint `/api/v1/signer/sign/dsse` remains accessible.
Completion criteria:
- [ ] CLI references updated and buildable.
- [ ] Web/platform references validated.
- [ ] Compose and CI paths updated.
- [ ] Signing API compatibility confirmed.
### TASK-204-004 - Build/test and documentation closeout
Status: TODO
Dependency: TASK-204-003
Owners: Developer
Task description:
- Run trust domain builds and tests plus dependent module tests (Concelier provenance consumer).
- Update trust-domain architecture docs to reflect domain ownership model and schema boundaries.
- Archive superseded standalone Signer/Provenance module docs after replacement content is live.
- Add ADR entry to `docs/modules/attestor/architecture.md` documenting the no-merge decision and security boundary rationale.
Completion criteria:
- [ ] All required builds/tests pass.
- [ ] Trust-domain docs updated for domain model.
- [ ] ADR entry recorded in architecture dossier.
- [ ] Archived docs and active links validated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
| 2026-02-25 | Reworked to trust-domain plan with phased DB merge and key-boundary safeguards. | Planning |
| 2026-02-25 | DB merge REJECTED after deep analysis: the security boundary between signer key material and attestation evidence is a deliberate architectural feature. A merged DbContext would widen blast radius of credential compromise. Sprint reduced from 8 tasks to 4 (source consolidation only). | Planning |
## Decisions & Risks
- Decision: Trust domain is source-consolidation only. No cross-schema DB merge.
- Rationale: The separation between signer (key material, HSM/KMS operations) and proofchain (attestation evidence, provenance records) is a deliberate security boundary. A merged DbContext would mean a single connection string with access to both key material and evidence stores, increasing blast radius of any credential compromise. Schema isolation is a security feature.
- Decision: Signing API contracts remain stable for CLI promotion workflows.
- Decision: Each trust service retains its own DbContext and PostgreSQL schema ownership.
- Risk: ProjectReference path breakage after source move. Mitigation: Attestor references Feedser libraries moved by Sprint 203; this sprint uses post-203 paths.
## Next Checkpoints
- Milestone 1: trust security boundaries documented and source layout consolidated.
- Milestone 2: CLI/Web/compose references updated and builds pass.
- Milestone 3: docs and ADR updated, sprint ready for closure.
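Review bot: The no-merge rationale under Decisions & Risks rests on signer key material and attestation evidence not being reachable through a single connection string, but TASK-204-001 only asks for data classification and schema ownership. Add a bullet and completion criterion that records which connection string and database credentials each trust service uses, as TASK-level evidence that the boundary the decision relies on exists in configuration and not only in the DbContext split. For the `/api/v1/signer/sign/dsse` check in TASK-204-003, state that "remains accessible" is verified with the same authentication requirements as before the move.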

View File

@@ -1,108 +0,0 @@
# Sprint 206 - Policy/Unknowns Boundary Preservation (No Consolidation)
## Topic & Scope
- Retain `Unknowns` as its own microservice and database owner.
- Keep `src/Unknowns/` and `src/Policy/` as separate module roots; no source move, no DbContext merge, no schema merge.
- Replace stale assumptions from earlier draft (Unknowns persistence is active and must not be deleted).
- Working directory: `src/Unknowns/`.
- Cross-module edits explicitly allowed for documentation and integration references (`src/Policy/`, `src/Platform/`, `src/Scanner/`, `src/Cli/`, `src/Web/`, `devops/compose/`, `docs/modules/policy/`, `docs/modules/unknowns/`).
- Expected evidence: Unknowns service + DB boundary explicitly documented, compatibility validated, and no consolidation side effects introduced.
## Dependencies & Concurrency
- No upstream dependency.
- Can run in parallel with other sprints, except any sprint that attempts to move/delete `src/Unknowns/`.
- Coordinate with Sprint 218 for final docs alignment.
## Documentation Prerequisites
- Read `docs/modules/unknowns/architecture.md`.
- Read `docs/modules/policy/architecture.md`.
- Read `src/Unknowns/AGENTS.md` and `src/Policy/AGENTS.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-206-001 - Re-baseline Unknowns runtime and persistence reality
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Prove current state with commands and capture output in sprint notes:
- `rg -n "class UnknownsDbContext|DbSet<UnknownEntity>" src/Unknowns -g "*.cs"`
- `rg -n "ProjectReference Include=.*Unknowns\\.Persistence" src -g "*.csproj"`
- `rg -n "Map(Get|Post|Put|Delete|Group)\\(" src/Unknowns -g "Program.cs"`
- Confirm Unknowns is an active service boundary with active persistence and consumers.
- Explicitly identify any placeholder-only context so it is not confused with the active persistence context.
Completion criteria:
- [ ] Active Unknowns persistence context confirmed and documented.
- [ ] Unknowns runtime service surface confirmed and documented.
- [ ] Consumer list captured from project references.
### TASK-206-002 - Record decision: keep Unknowns as standalone microservice + DB owner
Status: TODO
Dependency: TASK-206-001
Owners: Developer
Task description:
- Update sprint `Decisions & Risks` and module docs to state:
- Unknowns remains independently deployable.
- Unknowns retains its own DbContext and schema ownership.
- No source consolidation into Policy and no DbContext merge.
- Remove/replace any stale wording that implies Unknowns DB deletion.
Completion criteria:
- [ ] No-consolidation decision recorded in sprint.
- [ ] Unknowns/Policy architecture docs updated with explicit boundary statement.
- [ ] Stale "empty DbContext delete" language removed.
### TASK-206-003 - Validate integration contracts without consolidation
Status: TODO
Dependency: TASK-206-002
Owners: Developer
Task description:
- Validate that Policy/Scanner/Platform integrations continue to reference Unknowns correctly after decision freeze:
- `dotnet build src/Unknowns/StellaOps.Unknowns.WebService/StellaOps.Unknowns.WebService.csproj`
- `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj`
- `dotnet build src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj`
- `dotnet build src/Platform/__Libraries/StellaOps.Platform.Database/StellaOps.Platform.Database.csproj`
- Verify no accidental path assumptions toward `src/Policy/` ownership of Unknowns.
Completion criteria:
- [ ] Affected projects build successfully.
- [ ] No broken ProjectReference paths.
- [ ] No accidental consolidation changes required.
### TASK-206-004 - CLI/Web/infra reference validation for preserved boundary
Status: TODO
Dependency: TASK-206-003
Owners: Developer
Task description:
- Validate references stay correct with Unknowns still standalone:
- `rg -n "unknowns|Unknowns" src/Cli -g "*.cs"`
- `rg -n "unknowns|Unknowns" src/Web/StellaOps.Web/src -g "*.ts"`
- `rg -n "STELLAOPS_UNKNOWNS_URL|unknowns" devops -g "*.yml" -g "*.yaml" -g "*.json"`
- If any references assume consolidation, create follow-up tasks and keep this sprint `DOING` until addressed.
Completion criteria:
- [ ] CLI references validated.
- [ ] Web references validated.
- [ ] DevOps/env references validated.
- [ ] Follow-up tasks created for any mismatches.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created (initial consolidation draft). | Planning |
| 2026-02-25 | Reworked: Unknowns retained as standalone microservice and DB owner; consolidation and DbContext deletion removed. | Planning |
| 2026-02-25 | Validation evidence captured: active Unknowns DbContext with `DbSet<UnknownEntity>` confirmed; representative builds passed for Unknowns.WebService, Policy.Engine, Scanner.Worker, and Platform.Database. | Planning |
## Decisions & Risks
- Decision: `Unknowns` remains a standalone module/service (`src/Unknowns/`) and is not consolidated into `Policy`.
- Decision: `UnknownsDbContext` and Unknowns schema ownership are retained; no DbContext merge and no schema merge.
- Rationale: current codebase contains active Unknowns persistence/entities and active runtime consumers; deletion/merge assumptions were stale.
- Risk: future duplicate logic across Policy and Unknowns. Mitigation: track explicit API/contract ownership and prefer integration contracts over source moves.
- Risk: reintroduction of consolidation assumptions in later sprints. Mitigation: add cross-reference note in Sprint 218 final docs sweep.
## Next Checkpoints
- Milestone 1: runtime/persistence re-baseline evidence captured.
- Milestone 2: docs and decision records updated to boundary-preserved model.
- Milestone 3: integration validation complete and sprint ready for closure.
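Review bot: In TASK-206-001 the third command, `rg -n "Map(Get|Post|Put|Delete|Group)\\(" src/Unknowns -g "Program.cs"`, only sees routes mapped directly in `Program.cs` and omits `MapPatch`, so it can under-report the runtime service surface the task is meant to confirm. Widen the glob to `*.cs` and add `Patch` to the alternation. Separately, the last Execution Log row says the DbContext check and four builds passed, while TASK-206-001 and TASK-206-003 are still `Status: TODO` with unchecked criteria and the command output is not in the file; align the tracker with the log.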

View File

@@ -1,97 +0,0 @@
# Sprint 207 - Findings: Absorb RiskEngine and VulnExplorer Modules
## Topic & Scope
- Consolidate `src/RiskEngine/` and `src/VulnExplorer/` (1 csproj each) into `src/Findings/`.
- RiskEngine computes risk scores over findings. VulnExplorer is the API surface for browsing findings.
- Working directory: `src/RiskEngine/`, `src/VulnExplorer/`, `src/Findings/`.
- Expected evidence: clean builds, all tests pass.
## Dependencies & Concurrency
- No upstream dependencies. Can run in parallel.
## Documentation Prerequisites
- Read `src/RiskEngine/AGENTS.md` and `src/VulnExplorer/AGENTS.md`.
- Read `docs/modules/findings-ledger/architecture.md`.
## Delivery Tracker
### TASK-207-001 - Map RiskEngine and VulnExplorer structure
Status: TODO
Dependency: none
Owners: Developer
Task description:
- RiskEngine: list csproj files, dependencies, consumers, API surface, port.
- VulnExplorer: list csproj files (1 Api project), dependencies, consumers, port.
- Document Docker definitions for both.
Completion criteria:
- [ ] Both modules fully mapped
### TASK-207-002 - Move RiskEngine and VulnExplorer into Findings
Status: TODO
Dependency: TASK-207-001
Owners: Developer
Task description:
- Move RiskEngine projects → `src/Findings/StellaOps.RiskEngine.*/` or `src/Findings/__Libraries/StellaOps.RiskEngine.*/`.
- Move VulnExplorer → `src/Findings/StellaOps.VulnExplorer.*/`.
- Move tests from both into `src/Findings/__Tests/`.
- Keep project names as-is.
- Update `ProjectReference` paths.
- Add to Findings solution.
- Remove `src/RiskEngine/` and `src/VulnExplorer/` directories.
- Update root solution.
Completion criteria:
- [ ] All projects moved
- [ ] Findings solution includes both
- [ ] Old directories removed
### TASK-207-003 - Update Docker, CI, build verification
Status: TODO
Dependency: TASK-207-002
Owners: Developer
Task description:
- Update `devops/compose/` and `.gitea/workflows/`.
- `dotnet build` Findings solution — must succeed.
- Run all Findings, RiskEngine, and VulnExplorer tests.
- `dotnet build StellaOps.sln` — root solution.
Completion criteria:
- [ ] Docker and CI updated
- [ ] All builds and tests pass
### TASK-207-004 - Update documentation and CLI/Web references
Status: TODO
Dependency: TASK-207-003
Owners: Developer
Task description:
- Archive `docs/modules/risk-engine/` and `docs/modules/vuln-explorer/` to `docs-archived/modules/`.
- Add sections to Findings architecture doc.
- Update `docs/INDEX.md`, `CLAUDE.md`.
- Update all path references in docs.
- Validate runtime entrypoints used by Web and CLI:
- Web risk APIs use `/risk` base from `src/Web/StellaOps.Web/src/app/app.config.ts` (`RISK_API_BASE_URL`) and `risk-http.client.ts`; no direct `/riskengine` path expected.
- Compose/platform environment still carries `STELLAOPS_RISKENGINE_URL`; confirm gateway mapping keeps `/risk` behavior stable.
- Audit `src/Cli/` for direct `RiskEngine` and `VulnExplorer` source-path references (expected minimal to none).
- Update stale module-path references without changing public `/risk` API shape.
Completion criteria:
- [ ] Docs archived and Findings architecture updated.
- [ ] Web `/risk` compatibility verified.
- [ ] CLI audit completed (none or updates documented).
- [ ] All references updated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: RiskEngine and VulnExplorer keep their service identities if they have WebService projects.
- Low risk — small modules (1 csproj each).
## Next Checkpoints
- Estimate: 1 session.
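Review bot: The decision under Decisions & Risks is conditional ("keep their service identities if they have WebService projects"), which leaves open whether both deployables survive the move; TASK-207-001 is where that gets settled, but its only completion criterion is "Both modules fully mapped". Split that criterion into the items the task lists (csproj files, dependencies, consumers, API surface, port, Docker definitions) and restate the decision unconditionally once the mapping is done. The `/risk` gateway check tied to `STELLAOPS_RISKENGINE_URL` sits in the documentation task TASK-207-004; it fits better with the compose update in TASK-207-003, before the sprint records builds and tests as passing.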

View File

@@ -1,97 +0,0 @@
# Sprint 208 - Orchestration Domain: Orchestrator, Scheduler, TaskRunner, PacksRegistry
## Topic & Scope
- Consolidate orchestration components into one domain ownership model.
- Move source layout under `src/Orchestrator/` while preserving deployable services.
- Document orchestration domain schema ownership. Schemas remain separate; OrchestratorDbContext and SchedulerDbContext have entity name collisions (Jobs, JobHistory) with incompatible models. No cross-schema DB merge.
- Working directory: `src/Orchestrator/`.
- Cross-module edits explicitly allowed for dependent consumers and integrations (`src/Platform/`, `src/Cli/`, `src/Web/`, `devops/compose/`) as listed in tasks.
- Expected evidence: all orchestration services remain operational, correct ProjectReference paths, CLI/Web integrations preserved.
## Dependencies & Concurrency
- No upstream dependency.
- Coordinate with Sprint 218 for final architecture and docs updates.
## Documentation Prerequisites
- Read `docs/modules/orchestrator/architecture.md`.
- Read `docs/modules/scheduler/architecture.md`.
- Read `docs/modules/taskrunner/architecture.md`.
- Read module AGENTS files for Scheduler, TaskRunner, and PacksRegistry.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-208-001 - Document orchestration domain schema ownership and service boundaries
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Document DbContext ownership for Orchestrator, Scheduler, TaskRunner, and PacksRegistry.
- Document PostgreSQL schema ownership per service and confirm schemas remain separate.
- Record the domain boundary decision: OrchestratorDbContext (39 entities) and SchedulerDbContext (11 entities) have Jobs/JobHistory name collisions with fundamentally different models. TaskRunner and PacksRegistry have stub contexts with zero entities. No merge.
Completion criteria:
- [ ] Orchestration domain schema ownership documented.
- [ ] Name collision analysis recorded (Jobs, JobHistory).
- [ ] No-merge decision recorded with rationale.
### TASK-208-002 - Consolidate source layout under Orchestrator domain
Status: TODO
Dependency: TASK-208-001
Owners: Developer
Task description:
- Move Scheduler, TaskRunner, and PacksRegistry source trees under Orchestrator domain layout.
- Preserve deployable runtime identities.
- Update all project/solution references and remove legacy top-level roots.
- Update `<Compile Remove>` paths for compiled model assembly attributes in moved `.csproj` files (both OrchestratorDbContext and SchedulerDbContext have compiled models from Sprint 219).
Completion criteria:
- [ ] Source trees consolidated under Orchestrator domain.
- [ ] References compile after move.
- [ ] Compiled model paths verified in moved `.csproj` files.
- [ ] Legacy roots removed.
### TASK-208-003 - CLI/Web, infrastructure, build/test, and documentation closeout
Status: TODO
Dependency: TASK-208-002
Owners: Developer
Task description:
- Validate external contracts for CLI and Web:
- CLI `api/task-runner/simulations` and route aliases.
- Web `/scheduler` proxy and scheduler API base URL providers.
- Validate compose/workflow paths after source move.
- Build/test orchestration domain and root solution.
- Update Orchestrator architecture docs with Scheduler, TaskRunner, and PacksRegistry subdomain sections.
- Archive superseded standalone docs and update INDEX/architecture references.
- Add ADR entry to `docs/modules/orchestrator/architecture.md` documenting the no-merge decision, naming collision rationale, and future rename consideration.
Completion criteria:
- [ ] CLI/Web contracts verified.
- [ ] Compose/workflow updates complete.
- [ ] Domain and root builds/tests pass.
- [ ] Docs updated for domain model.
- [ ] ADR entry recorded in architecture dossier.
- [ ] Archived docs and active links validated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
| 2026-02-25 | Reworked to orchestration domain plan with explicit DB merge and baseline migration tasks. | Planning |
| 2026-02-25 | DB merge REJECTED after deep analysis: OrchestratorDbContext (39 entities) and SchedulerDbContext (11 entities) both define Jobs and JobHistory entities with incompatible semantics (pipeline runs vs. cron executions). Merging would require entity renaming that propagates through entire codebases. Sprint reduced from 8 tasks to 3 (source consolidation only). | Planning |
## Decisions & Risks
- Decision: Orchestration domain is source-consolidation only. No cross-schema DB merge.
- Rationale: OrchestratorDbContext and SchedulerDbContext both define `Jobs` and `JobHistory` entities with incompatible semantics (orchestrator pipeline runs vs. scheduler cron executions). Merging into one DbContext would require renaming one set, propagating through repositories, query code, and external contracts. All data is already in `stellaops_platform`; the schemas provide clean separation at no cost.
- Decision: Services remain independently deployable while source ownership is unified by domain.
- Decision: TaskRunner and PacksRegistry stub contexts (zero entities, deferred by Sprint 219) remain as-is until they have actual persistence needs.
- Risk: Module name confusion between `Orchestrator` (scheduling/execution domain) and `ReleaseOrchestrator` (core release control plane). Future sprint should rename Orchestrator to a less ambiguous name (e.g., `JobScheduler` or `ExecutionEngine`).
- Note: Both OrchestratorDbContext and SchedulerDbContext have compiled models from Sprint 219. After moving Scheduler projects, update `<Compile Remove>` paths.
## Next Checkpoints
- Milestone 1: orchestration domain schema ownership documented and source layout consolidated.
- Milestone 2: CLI/Web/compose references validated and builds pass.
- Milestone 3: docs updated and sprint ready for closure.
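
Review bot: TASK-208-001 through TASK-208-003 all still read `Status: TODO` with every completion criterion unchecked, including "ADR entry recorded in architecture dossier", so nothing in the visible text shows that the no-merge rationale (the `Jobs`/`JobHistory` collision between OrchestratorDbContext and SchedulerDbContext) has been carried anywhere else. Before this sprint text leaves the active tree, confirm the ADR entry exists in `docs/modules/orchestrator/architecture.md`. The `Orchestrator` vs. `ReleaseOrchestrator` naming risk under Decisions & Risks also needs a tracked follow-up item, since it currently points only at an unnamed future sprint.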

View File

@@ -1,97 +0,0 @@
# Sprint 209 - Notify/Notifier Boundary Preservation (No Consolidation)
## Topic & Scope
- Keep `Notify` and `Notifier` as separate deployable services.
- Cancel the absorb plan: no source move, no project merge, no deletion of `src/Notifier/`.
- Replace stale assumption that Notifier is a thin host; current code contains substantial independent API surface.
- Working directory: `src/Notify/`, `src/Notifier/`.
- Cross-module edits explicitly allowed for docs and integration references (`src/Cli/`, `src/Web/`, `devops/compose/`, `docs/modules/notify/`, `docs/modules/notifier/`).
- Expected evidence: service boundaries are explicitly documented, builds remain green, and compatibility expectations are clear.
## Dependencies & Concurrency
- No upstream dependency.
- Can run in parallel with other consolidation sprints.
- Coordinate with Sprint 218 documentation closeout.
## Documentation Prerequisites
- Read `docs/modules/notifier/README.md`.
- Read `docs/modules/notify/architecture.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-209-001 - Baseline current Notify/Notifier runtime boundaries
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Capture route and complexity evidence for both services:
- `src/Notifier/.../Program.cs` line count and mapped routes.
- `src/Notify/.../Program.cs` line count and mapped routes.
- Document endpoint overlap and endpoint gaps (Notifier-only and Notify-only).
- Confirm external project references to `Notifier` are zero and record result.
Completion criteria:
- [ ] Notify/Notifier route matrix documented.
- [ ] Complexity and endpoint-gap evidence recorded.
- [ ] Consumer reference scan result recorded.
### TASK-209-002 - Record decision to keep split deployment model
Status: TODO
Dependency: TASK-209-001
Owners: Developer
Task description:
- Update sprint notes and module docs to state:
- Notify and Notifier remain separate services.
- No source consolidation and no project relocation.
- Any future convergence requires explicit API parity plan first.
- Remove stale wording that claims Notifier is purely a host.
Completion criteria:
- [ ] No-consolidation decision recorded in sprint.
- [ ] Notify/notifier docs updated with explicit split rationale.
- [ ] Stale thin-host assumptions removed.
### TASK-209-003 - Validate builds and key contracts without consolidation
Status: TODO
Dependency: TASK-209-002
Owners: Developer
Task description:
- Build both services and representative consumers:
- `dotnet build src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj`
- `dotnet build src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj`
- `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`
- Validate that current API base-path expectations remain unchanged.
Completion criteria:
- [ ] Builds pass for Notify, Notifier, and representative consumer(s).
- [ ] API compatibility assumptions documented.
### TASK-209-004 - Finalize docs and follow-up backlog items
Status: TODO
Dependency: TASK-209-003
Owners: Developer
Task description:
- Update `docs/INDEX.md` and sprint cross-references to reflect canceled consolidation.
- Add follow-up backlog item(s) only if explicit parity/convergence work is still desired.
Completion criteria:
- [ ] Documentation index updated.
- [ ] Follow-up items created only where actionable.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created (initial absorb draft). | Planning |
| 2026-02-25 | Reworked: consolidation canceled; Notify/Notifier remain separate services. | Planning |
| 2026-02-25 | Discovery evidence captured: Notifier Program.cs 3271 lines / 85 map calls; Notify Program.cs 1585 lines / 30 map calls; route sets are not equivalent. | Planning |
## Decisions & Risks
- Decision: keep Notify and Notifier unconsolidated in this consolidation wave.
- Rationale: current endpoint and logic divergence means absorb would be a feature-migration project, not a safe organizational move.
- Risk: dual-service ownership overhead remains. Mitigation: maintain explicit boundary docs and revisit only with approved parity roadmap.
## Next Checkpoints
- Milestone 1: boundary baseline documented.
- Milestone 2: split-deployment decision reflected in docs.
- Milestone 3: compatibility validation complete and sprint ready for closure.
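
Review bot: the Execution Log records the `Program.cs` line and map-call counts but not the other two outputs TASK-209-001 asks for: the Notifier-only/Notify-only endpoint matrix and the result of the external-reference scan for `Notifier`. With the hunk removing all 97 lines, the statement that the route sets are not equivalent loses its supporting evidence. Carry the matrix and the scan result into `docs/modules/notify/` or `docs/modules/notifier/`, as TASK-209-002 describes, before the sprint file goes.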

View File

@@ -1,98 +0,0 @@
# Sprint 210 - Timeline: Absorb TimelineIndexer Module
## Topic & Scope
- Consolidate `src/TimelineIndexer/` (4 csproj) into `src/Timeline/`.
- CQRS split (read/write) is an internal architecture pattern, not a module boundary. Same schema domain.
- Working directory: `src/TimelineIndexer/`, `src/Timeline/`.
- Expected evidence: clean build, all tests pass.
## Dependencies & Concurrency
- No upstream dependencies.
- ExportCenter references TimelineIndexer.Core — coordinate path updates.
## Documentation Prerequisites
- Read `docs/modules/timeline/architecture.md`.
- Read `docs/modules/timeline-indexer/architecture.md`.
## Delivery Tracker
### TASK-210-001 - Map TimelineIndexer structure
Status: TODO
Dependency: none
Owners: Developer
Task description:
- List all 4 TimelineIndexer csproj, dependencies, consumers.
- Confirm consumers: ExportCenter references TimelineIndexer.Core.
- Document ports, Docker definitions.
Completion criteria:
- [ ] Module fully mapped
### TASK-210-002 - Move TimelineIndexer into Timeline
Status: TODO
Dependency: TASK-210-001
Owners: Developer
Task description:
- Move TimelineIndexer projects:
- WebService and Worker as deployables under `src/Timeline/`.
- Libraries to `src/Timeline/__Libraries/StellaOps.TimelineIndexer.*/`.
- Tests to `src/Timeline/__Tests/StellaOps.TimelineIndexer.*/`.
- Keep project names.
- Update all references.
- Add to Timeline solution.
- Remove `src/TimelineIndexer/`.
- Update root solution.
Completion criteria:
- [ ] All projects moved
- [ ] Old directory removed
### TASK-210-003 - Update consumers, Docker, CI, build, and test
Status: TODO
Dependency: TASK-210-002
Owners: Developer
Task description:
- Update ExportCenter references to TimelineIndexer.Core (new path).
- Update `devops/compose/`, `.gitea/workflows/`.
- Build and test Timeline solution.
- Build root solution.
Completion criteria:
- [ ] All references updated
- [ ] Docker and CI updated
- [ ] All builds and tests pass
### TASK-210-004 - Update documentation and CLI/Web references
Status: TODO
Dependency: TASK-210-003
Owners: Developer
Task description:
- Archive `docs/modules/timeline-indexer/` to `docs-archived/modules/`.
- Add "TimelineIndexer (Event Ingestion and Indexing)" section to Timeline architecture.
- Update `docs/INDEX.md`, `CLAUDE.md`.
- Update path references.
- Update CLI TimelineIndexer references:
- `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj` `TimelineIndexer.Infrastructure` project reference path.
- `src/Cli/StellaOps.Cli.sln` `TimelineIndexer.Core` project entry path.
- Audit `src/Web/StellaOps.Web` for direct `timelineindexer` references (expected none in current audit) and document result.
Completion criteria:
- [ ] Docs archived and Timeline architecture updated.
- [ ] CLI TimelineIndexer references updated.
- [ ] Web audit recorded (none or updates documented).
- [ ] All references updated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: TimelineIndexer keeps its Worker as a separately deployable container.
- Risk: TimelineIndexer has EfCore compiled model — migration identity must be preserved.
## Next Checkpoints
- Estimate: 1 session.
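
Review bot: Decisions & Risks says the TimelineIndexer EfCore compiled model means migration identity must be preserved, but none of the completion criteria in TASK-210-002 or TASK-210-003 checks it. "All builds and tests pass" does not show that the migration identity is unchanged after the move to `src/Timeline/`. Add an explicit criterion to TASK-210-002 that migration identity is verified after the move, and record the result in the Execution Log.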

View File

@@ -1,96 +0,0 @@
# Sprint 211 - Offline Distribution Boundary Preservation (No Consolidation)
## Topic & Scope
- Keep `ExportCenter`, `AirGap`, and `Mirror` as separate module roots and service boundaries.
- Cancel merge plan: no source move under `src/ExportCenter/`, no DbContext merge, no schema merge.
- Preserve existing database ownership: `ExportCenterDbContext` and `AirGapDbContext` stay separate.
- Working directory: `src/ExportCenter/`, `src/AirGap/`, `src/Mirror/`.
- Cross-module edits explicitly allowed for docs/integration checks (`src/Cli/`, `src/Web/`, `devops/compose/`, `docs/modules/export-center/`, `docs/modules/airgap/`).
- Expected evidence: boundaries are explicit, key builds pass, and offline workflows remain stable.
## Dependencies & Concurrency
- No upstream dependency.
- Can run in parallel with other consolidation sprints.
- Coordinate with Sprint 218 documentation closeout.
## Documentation Prerequisites
- Read `docs/modules/export-center/architecture.md`.
- Read `docs/modules/airgap/architecture.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-211-001 - Baseline current offline boundary and coupling
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Record current DbContext ownership and entity sets for AirGap and ExportCenter.
- Record external consumer coupling (ProjectReference counts and key consumers).
- Capture evidence that `AirGap` is cross-cutting and `ExportCenter` is narrower in dependency footprint.
Completion criteria:
- [ ] DbContext ownership map documented.
- [ ] Coupling evidence documented.
- [ ] Boundary rationale evidence recorded in sprint notes.
### TASK-211-002 - Record no-consolidation/no-merge decision
Status: TODO
Dependency: TASK-211-001
Owners: Developer
Task description:
- Update sprint and module docs to state:
- no source consolidation,
- no DbContext merge,
- no schema merge.
- Remove stale wording about unified offline domain DbContext.
Completion criteria:
- [ ] No-consolidation decision recorded.
- [ ] No-merge decision recorded.
- [ ] Stale merge wording removed.
### TASK-211-003 - Validate critical build paths without consolidation
Status: TODO
Dependency: TASK-211-002
Owners: Developer
Task description:
- Run representative builds:
- `dotnet build src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj`
- `dotnet build src/AirGap/StellaOps.AirGap.Controller/StellaOps.AirGap.Controller.csproj`
- `dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`
- Confirm no integration breaks from decision freeze.
Completion criteria:
- [ ] Representative builds pass.
- [ ] No integration regressions identified from boundary-preserved model.
### TASK-211-004 - Document deferred convergence criteria (if ever revisited)
Status: TODO
Dependency: TASK-211-003
Owners: Developer
Task description:
- Add explicit criteria required before any future merge attempt (for example: reduced AirGap external coupling, approved rollback plan, measured performance gain target).
- If no convergence objective is active, record `deferred` and close sprint.
Completion criteria:
- [ ] Future-convergence entry criteria documented.
- [ ] Deferred state explicitly recorded when applicable.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created (initial consolidation draft). | Planning |
| 2026-02-25 | Reworked: consolidation canceled; AirGap/ExportCenter/Mirror boundaries preserved. | Planning |
| 2026-02-25 | Discovery evidence captured: AirGap has materially broader cross-module coupling than ExportCenter; merge risk exceeds benefit for current wave. | Planning |
## Decisions & Risks
- Decision: keep AirGap and ExportCenter unconsolidated in this consolidation wave.
- Decision: keep separate DbContexts and schema ownership.
- Rationale: asymmetric coupling and blast radius make DbContext/source merge a poor tradeoff now.
- Risk: duplicated offline-domain concepts remain across modules. Mitigation: define explicit contracts and revisit only under measured business need.
## Next Checkpoints
- Milestone 1: boundary/coupling baseline documented.
- Milestone 2: no-merge decision propagated to docs.
- Milestone 3: build validation complete and sprint ready for closure.
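
Review bot: `Mirror` is named in Topic & Scope and in the working directory, yet no task covers it. TASK-211-001 baselines DbContext ownership and coupling for AirGap and ExportCenter only, and TASK-211-003 builds ExportCenter, AirGap and the CLI. Either add Mirror to the baseline and to the representative builds, or state in Decisions & Risks why it needs neither. The 2026-02-25 discovery entry would also be easier to audit if it gave the ProjectReference counts TASK-211-001 asks for instead of "materially broader".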

View File

@@ -1,130 +0,0 @@
# Sprint 212 - Tools: Absorb Bench, Verifier, Sdk, and DevPortal
## Topic & Scope
- Consolidate `src/Bench/` (5 csproj benchmarks), `src/Verifier/` (1 csproj CLI), `src/Sdk/` (2 csproj generator), and `src/DevPortal/` into `src/Tools/`.
- All are non-service, developer-facing tooling with no production deployment.
- Working directory: `src/Bench/`, `src/Verifier/`, `src/Sdk/`, `src/DevPortal/`, `src/Tools/`.
- Expected evidence: clean builds, all tools still function.
## Dependencies & Concurrency
- No upstream dependencies. Can run in parallel.
- Coordinate with Attestor sprint (204) if Provenance CLI tool also moves here.
## Documentation Prerequisites
- Read `src/Bench/AGENTS.md`, `src/Tools/AGENTS.md`.
## Delivery Tracker
### TASK-212-001 - Map all four modules
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Bench: 5 benchmark csproj, no external consumers.
- Verifier: 1 CLI csproj (`BundleVerifier`), no external consumers.
- Sdk: 2 csproj (Generator + Release), no external consumers.
- DevPortal: list csproj files, confirm no external consumers.
- Tools: list existing 7+ csproj for naming conventions.
Completion criteria:
- [ ] All modules mapped
### TASK-212-002 - Move Bench into Tools
Status: TODO
Dependency: TASK-212-001
Owners: Developer
Task description:
- Move `src/Bench/StellaOps.Bench/` → `src/Tools/StellaOps.Bench/`.
- Move individual benchmark projects:
- `Bench.LinkNotMerge`, `Bench.Notify`, `Bench.PolicyEngine`, `Bench.ScannerAnalyzers`, `Bench.LinkNotMerge.Vex`.
- Move tests.
- Update references (Bench projects reference Policy, Scanner, Notify — these paths change).
- Remove `src/Bench/`.
Completion criteria:
- [ ] All Bench projects moved
- [ ] Old directory removed
### TASK-212-003 - Move Verifier into Tools
Status: TODO
Dependency: TASK-212-001
Owners: Developer
Task description:
- Move `src/Verifier/StellaOps.Verifier/` → `src/Tools/StellaOps.Verifier/`.
- Move tests.
- Remove `src/Verifier/`.
Completion criteria:
- [ ] Verifier moved
- [ ] Old directory removed
### TASK-212-004 - Move Sdk into Tools
Status: TODO
Dependency: TASK-212-001
Owners: Developer
Task description:
- Move `src/Sdk/StellaOps.Sdk.Generator/` → `src/Tools/StellaOps.Sdk.Generator/`.
- Move `src/Sdk/StellaOps.Sdk.Release/` → `src/Tools/StellaOps.Sdk.Release/`.
- Move tests.
- Remove `src/Sdk/`.
Completion criteria:
- [ ] Both Sdk projects moved
- [ ] Old directory removed
### TASK-212-005 - Move DevPortal into Tools
Status: TODO
Dependency: TASK-212-001
Owners: Developer
Task description:
- Move `src/DevPortal/` projects → `src/Tools/StellaOps.DevPortal.*/`.
- Move tests.
- Remove `src/DevPortal/`.
Completion criteria:
- [ ] DevPortal moved
- [ ] Old directory removed
### TASK-212-006 - Update solutions, build, and test
Status: TODO
Dependency: TASK-212-002, TASK-212-003, TASK-212-004, TASK-212-005
Owners: Developer
Task description:
- Add all moved projects to Tools solution (or create one if none exists).
- Update root solution.
- Build all moved projects.
- Run all benchmark and tool tests.
Completion criteria:
- [ ] Tools solution includes all moved projects
- [ ] All builds succeed
- [ ] All tests pass
### TASK-212-007 - Update documentation and CLI
Status: TODO
Dependency: TASK-212-006
Owners: Developer
Task description:
- Archive `docs/modules/bench/`, `docs/modules/sdk/`, `docs/modules/devportal/` to `docs-archived/modules/`.
- Note: `docs/modules/verifier/` — archive if it exists.
- Add sections to Tools architecture doc.
- Update `docs/INDEX.md`, `CLAUDE.md`.
- Update path references.
Completion criteria:
- [ ] Docs archived
- [ ] Tools architecture updated
- [ ] All references updated
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
## Decisions & Risks
- Low risk — all are non-service, dev-only tools.
- Decision: Keep individual tool identities (project names) for independent `dotnet tool` packaging.
## Next Checkpoints
- Estimate: 1-2 sessions.
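
Review bot: the "Low risk" statement under Decisions & Risks rests on every module having no external consumers, but for DevPortal that is still an open item in TASK-212-001 ("list csproj files, confirm no external consumers"). The decision to keep project names for independent `dotnet tool` packaging also has no matching completion criterion, since TASK-212-006 checks builds and tests only. Add a criterion that the moved tools, `BundleVerifier` in particular, still package and run from `src/Tools/`, and hold the risk rating until the DevPortal consumer check is recorded.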

View File

@@ -1,105 +0,0 @@
# Sprint 213 - AdvisoryAI: Absorb OpsMemory Module
## Topic & Scope
- Consolidate `src/OpsMemory/` (2 csproj: WebService + library) into `src/AdvisoryAI/`.
- OpsMemory is primarily owned by AdvisoryAI and serves the AI operational memory / RAG domain; Web UI consumes its HTTP API for playbook suggestions.
- Working directory: `src/OpsMemory/`, `src/AdvisoryAI/`.
- Expected evidence: clean build, all tests pass, OpsMemory service still deploys.
## Dependencies & Concurrency
- No upstream dependencies. Can run in parallel.
## Documentation Prerequisites
- Read `docs/modules/opsmemory/architecture.md`.
- Read `docs/modules/advisory-ai/architecture.md`.
## Delivery Tracker
### TASK-213-001 - Map OpsMemory dependencies
Status: TODO
Dependency: none
Owners: Developer
Task description:
- OpsMemory: `StellaOps.OpsMemory` (library) + `StellaOps.OpsMemory.WebService`.
- Confirm AdvisoryAI is the only consumer.
- Check if OpsMemory has its own database schema/migrations.
- Document API surface, port, Docker definition.
- Note: AdvisoryAI currently references OpsMemory via ProjectReference — this coupling should be evaluated (could become HTTP client).
Completion criteria:
- [ ] Full dependency map
- [ ] Consumer list confirmed
- [ ] Schema/migration status documented
### TASK-213-002 - Move OpsMemory into AdvisoryAI
Status: TODO
Dependency: TASK-213-001
Owners: Developer
Task description:
- Move `src/OpsMemory/StellaOps.OpsMemory/``src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/`.
- Move `src/OpsMemory/StellaOps.OpsMemory.WebService/``src/AdvisoryAI/StellaOps.OpsMemory.WebService/`.
- Move tests → `src/AdvisoryAI/__Tests/StellaOps.OpsMemory.*/`.
- Keep project names.
- Update `ProjectReference` paths.
- Add to AdvisoryAI solution.
- Remove `src/OpsMemory/`.
- Update root solution.
Completion criteria:
- [ ] All projects moved
- [ ] AdvisoryAI solution includes OpsMemory
- [ ] Old directory removed
### TASK-213-003 - Update Docker, CI, build, test
Status: TODO
Dependency: TASK-213-002
Owners: Developer
Task description:
- Update `devops/compose/` for OpsMemory service.
- Update `.gitea/workflows/`.
- Build AdvisoryAI solution — must succeed.
- Run all AdvisoryAI + OpsMemory tests.
- Build root solution.
Completion criteria:
- [ ] Docker and CI updated
- [ ] All builds and tests pass
### TASK-213-004 - Update documentation and CLI/Web references
Status: TODO
Dependency: TASK-213-003
Owners: Developer
Task description:
- Archive `docs/modules/opsmemory/` to `docs-archived/modules/`.
- Add "OpsMemory (Operational Memory and RAG)" section to AdvisoryAI architecture.
- Update `docs/INDEX.md`, `CLAUDE.md`.
- Update path references.
- Update Web OpsMemory references:
- `src/Web/StellaOps.Web/src/app/features/opsmemory/services/playbook-suggestion.service.ts` base URL (`/api/v1/opsmemory`).
- OpsMemory-related feature components/models and triage integrations under `src/Web/StellaOps.Web/src/app/features/opsmemory/**`.
- E2E and unit tests hitting `/api/v1/opsmemory/suggestions`.
- Audit CLI for direct OpsMemory references (expected none in current audit) and document outcome.
- Preserve `/api/v1/opsmemory` endpoint contract.
Completion criteria:
- [ ] Docs archived and AdvisoryAI architecture updated.
- [ ] Web OpsMemory references validated/updated.
- [ ] CLI audit recorded (none or updates documented).
- [ ] OpsMemory API path compatibility verified.
- [ ] All references updated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: OpsMemory WebService keeps its own container for independent deployment.
- Risk: OpsMemory README and architecture doc have content overlap. Consolidation into AdvisoryAI resolves this.
## Next Checkpoints
- Estimate: 1 session.
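
Review bot: TASK-213-001 notes that AdvisoryAI references OpsMemory through a ProjectReference and that this coupling "should be evaluated (could become HTTP client)", but no completion criterion captures the outcome, so the move in TASK-213-002 can complete with the question unanswered. Add a criterion that records the decision: keep the ProjectReference, or switch to the `/api/v1/opsmemory` HTTP contract. As a style point, the first two move lines in TASK-213-002 run the source and destination paths together with no arrow, unlike the tests line below them.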

View File

@@ -1,119 +0,0 @@
# Sprint 214 - Integrations: Absorb Extensions Module
## Topic & Scope
- Consolidate `src/Extensions/` (VS Code + JetBrains IDE plugins) into `src/Integrations/`.
- Extensions are developer-facing tooling that consumes the same Orchestrator/Router APIs as other integrations. Logically part of the Integrations domain.
- Note: Extensions are non-.NET projects (TypeScript/Kotlin). No .csproj files. No .sln. No Docker service.
- Working directory: `src/Extensions/`, `src/Integrations/`.
- Expected evidence: both IDE plugins still build and function, docs updated.
## Dependencies & Concurrency
- No upstream dependencies. Can run in parallel.
## Documentation Prerequisites
- Read `docs/modules/integrations/architecture.md`.
- Read `docs/modules/extensions/architecture.md`.
- Read `src/Integrations/AGENTS.md`.
## Delivery Tracker
### TASK-214-001 - Map Extensions structure
Status: TODO
Dependency: none
Owners: Developer
Task description:
- VS Code extension: `src/Extensions/vscode-stella-ops/` — TypeScript, package.json.
- JetBrains plugin: `src/Extensions/jetbrains-stella-ops/` — Kotlin, build.gradle.kts.
- Confirm zero .NET csproj files in Extensions.
- Confirm zero external consumers (no other src/ module references Extensions).
- Document any shared configs, scripts, or CI steps for Extensions.
- Check if Extensions has its own AGENTS.md (expected: missing — create task if so).
Completion criteria:
- [ ] Extensions module fully mapped
- [ ] Consumer list confirmed (expected: none)
- [ ] Build tooling documented (npm/gradle)
### TASK-214-002 - Move Extensions into Integrations
Status: TODO
Dependency: TASK-214-001
Owners: Developer
Task description:
- Move `src/Extensions/vscode-stella-ops/` -> `src/Integrations/__Extensions/vscode-stella-ops/`.
- Move `src/Extensions/jetbrains-stella-ops/` -> `src/Integrations/__Extensions/jetbrains-stella-ops/`.
- Use `__Extensions/` prefix (not `__Plugins/`) to avoid confusion with Integrations plugin system.
- Copy any root-level Extensions files (README, AGENTS.md if created, etc.).
- Remove `src/Extensions/`.
- Update root solution file if Extensions was referenced.
Completion criteria:
- [ ] Both IDE extensions moved to `src/Integrations/__Extensions/`
- [ ] Old `src/Extensions/` directory removed
- [ ] No broken imports or path references
### TASK-214-003 - Verify builds and functionality
Status: TODO
Dependency: TASK-214-002
Owners: Developer
Task description:
- VS Code extension:
- `cd src/Integrations/__Extensions/vscode-stella-ops && npm install && npm run build` (or equivalent).
- Verify extension manifest (`package.json`) references are intact.
- JetBrains plugin:
- `cd src/Integrations/__Extensions/jetbrains-stella-ops && ./gradlew build` (or equivalent).
- Verify plugin descriptor references are intact.
- Check for any hardcoded paths in extension source code that referenced `src/Extensions/`.
- Build Integrations .NET solution — must still succeed (Extensions are non-.NET, should not affect).
Completion criteria:
- [ ] VS Code extension builds successfully
- [ ] JetBrains plugin builds successfully
- [ ] Integrations .NET solution builds successfully
### TASK-214-004 - Update CI and build scripts
Status: TODO
Dependency: TASK-214-003
Owners: Developer
Task description:
- Search `.gitea/workflows/` for any Extensions-specific CI steps. Update paths.
- Search `devops/` for any Extensions build scripts. Update paths.
- Search root `package.json` or workspace configs for Extensions references. Update.
- If no CI exists for Extensions, note this in Decisions & Risks.
Completion criteria:
- [ ] All CI/build references updated
- [ ] Build pipeline verified
### TASK-214-005 - Update documentation and CLI/Web audits
Status: TODO
Dependency: TASK-214-004
Owners: Developer
Task description:
- Archive `docs/modules/extensions/` to `docs-archived/modules/extensions/`.
- Add "IDE Extensions (VS Code, JetBrains)" section to Integrations architecture doc.
- Update `docs/INDEX.md`, `CLAUDE.md` section 1.4.
- Update path references across docs.
- Audit `src/Cli/` and `src/Web/` for runtime references to `Extensions` / `__Extensions` (expected none because these are IDE plugins, not runtime services).
- Create `src/Integrations/__Extensions/AGENTS.md` documenting the non-.NET projects.
Completion criteria:
- [ ] Docs archived and Integrations architecture updated.
- [ ] CLI/Web audit result recorded.
- [ ] All references updated.
- [ ] Extensions AGENTS.md created.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
## Decisions & Risks
- Decision: Use `__Extensions/` subfolder (not `__Plugins/`) to clearly separate IDE tooling from the Integrations plugin framework (GitHubApp, Harbor, etc.).
- Risk: Extensions are non-.NET (TypeScript, Kotlin). Build verification requires npm and Gradle toolchains. If not available in CI, mark build tasks as BLOCKED.
- Note: Extensions have no AGENTS.md currently — one will be created as part of this sprint.
## Next Checkpoints
- Estimate: 1 session.
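
Review bot: TASK-214-003 verifies the VS Code extension with `npm install && npm run build`, which can resolve new dependency versions and rewrite the lockfile, so a green build does not show that the relocated extension is built from the same dependency set as before the move. If a lockfile is committed, use `npm ci` for the verification step so the check fails on any drift. Decisions & Risks should also state whether any CI exists for Extensions, which TASK-214-004 asks for and the section does not yet record.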

View File

@@ -1,107 +0,0 @@
# Sprint 216 - Identity and Trust Domain: Authority and IssuerDirectory
## Topic & Scope
- Consolidate identity and issuer trust capabilities into one domain ownership model.
- Move IssuerDirectory source ownership under `src/Authority/` while preserving runtime service identity.
- Document identity domain schema ownership. Schemas remain separate; Authority is the most security-critical domain and schema isolation from IssuerDirectory is a deliberate security feature. No cross-schema DB merge.
- Working directory: `src/Authority/`.
- Cross-module edits explicitly allowed for consumer/client and runtime integration paths (`src/Excititor/`, `src/DeltaVerdict/`, `src/__Libraries/`, `devops/compose/`) as listed in tasks.
- Expected evidence: authority and issuer flows remain stable, client consumers continue to build, and no API regressions.
## Dependencies & Concurrency
- No hard upstream dependency, but **coordinate with Sprint 203** — IssuerDirectory.Client is consumed by Excititor. If Sprint 203 has already moved Excititor into `src/Concelier/`, this sprint's TASK-216-002 must update the IssuerDirectory.Client ProjectReference path in Excititor's new location under Concelier. If Sprint 203 has not yet run, this sprint's consumer path updates will target the original `src/Excititor/` location (and Sprint 203 will later update the path during its own move).
- Sprint 205 is deferred in the current wave; no active dependency.
## Documentation Prerequisites
- Read `docs/modules/authority/architecture.md`.
- Read `docs/modules/issuer-directory/architecture.md`.
- Read `src/Authority/AGENTS.md` and `src/IssuerDirectory/AGENTS.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
## Delivery Tracker
### TASK-216-001 - Document identity domain schema ownership and security boundaries
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Document AuthorityDbContext schema ownership (users, sessions, tokens, roles, permissions, MFA, tenants).
- Document IssuerDirectoryDbContext schema ownership (issuer metadata, key metadata, audit).
- Record the domain boundary decision: Authority is the most security-critical domain (passwords, MFA state, token material). Schema isolation from IssuerDirectory is a security feature. No merge.
Completion criteria:
- [ ] Identity domain schema ownership documented.
- [ ] Security classification per schema documented.
- [ ] No-merge decision recorded with rationale.
### TASK-216-002 - Consolidate source layout under Authority domain
Status: TODO
Dependency: TASK-216-001
Owners: Developer
Task description:
- Move IssuerDirectory source/projects under `src/Authority/` domain structure.
- Move `StellaOps.IssuerDirectory.Client` under Authority domain libraries.
- Update all project/solution references for Excititor and DeltaVerdict consumers.
- Remove legacy top-level module roots after reference updates.
- Verify `<Compile Remove>` paths for compiled model assembly attributes (AuthorityDbContext has compiled models from Sprint 219).
Completion criteria:
- [ ] IssuerDirectory and client library relocated under Authority domain.
- [ ] Consumer references compile.
- [ ] Compiled model paths verified.
- [ ] Legacy roots removed.
### TASK-216-003 - Runtime compatibility, infra updates, and validation
Status: TODO
Dependency: TASK-216-002
Owners: Developer
Task description:
- Validate compose and launch settings references (`STELLAOPS_ISSUERDIRECTORY_URL` and IssuerDirectory client base address).
- Validate CLI/Web direct references (expected minimal from matrix audit) and record outcome.
- Build/test Authority, IssuerDirectory, and known consumers (Excititor and DeltaVerdict).
- Update CI workflow paths for moved source.
Completion criteria:
- [ ] Infra references validated or updated.
- [ ] Consumer compatibility builds pass.
- [ ] CI paths updated.
- [ ] CLI/Web audit outcome recorded.
### TASK-216-004 - Documentation and AGENTS closeout
Status: TODO
Dependency: TASK-216-003
Owners: Developer
Task description:
- Update Authority docs with IssuerDirectory domain ownership (source consolidation, schema boundaries unchanged).
- Archive superseded IssuerDirectory standalone docs after replacement content exists.
- Update Authority and moved subproject AGENTS files for new paths and ownership.
- Update docs index/architecture references.
- Add ADR entry to `docs/modules/authority/architecture.md` documenting the no-merge decision and security rationale.
Completion criteria:
- [ ] Docs updated for domain-first model.
- [ ] ADR entry recorded in architecture dossier.
- [ ] AGENTS files updated.
- [ ] Archived docs and links validated.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | CLI/UI module reference audit completed and sprint rework aligned to `AUDIT_20260225_cli_ui_module_reference_matrix.md`. | Planning |
| 2026-02-25 | Reworked to identity/trust domain plan with explicit Authority-IssuerDirectory DB merge phases. | Planning |
| 2026-02-25 | DB merge REJECTED after deep analysis: Authority is the most security-critical domain (passwords, MFA, tokens, tenant isolation). Merging IssuerDirectory tables into AuthorityDbContext would widen the blast radius of any credential compromise. Sprint reduced from 6 tasks to 4 (source consolidation only). | Planning |
## Decisions & Risks
- Decision: Identity domain is source-consolidation only. No cross-schema DB merge.
- Rationale: AuthorityDbContext manages the most security-sensitive data in the system (password hashes, MFA state, session tokens, refresh tokens, tenant boundaries). A merged DbContext would mean any code path with access to issuer metadata could also reach authentication internals via the same connection. The security principle of least privilege demands keeping these schemas separate even though they are in the same PostgreSQL instance.
- Decision: Authority and IssuerDirectory are managed as one identity/trust domain for source ownership.
- Decision: Runtime service contracts remain compatible during source relocation.
- Risk: shared client breakage in downstream modules. Mitigation: explicit consumer build gates.
- Note: AuthorityDbContext has compiled models generated by Sprint 219. After moving IssuerDirectory projects into `src/Authority/`, verify `<Compile Remove>` paths.
## Next Checkpoints
- Milestone 1: identity domain schema ownership documented and source layout consolidated.
- Milestone 2: infrastructure validated and builds pass.
- Milestone 3: docs and ADR updated, sprint ready for closure.
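
Review bot: the no-merge rationale under Decisions & Risks rests on least privilege, yet it also states that both schemas stay "in the same PostgreSQL instance", and no completion criterion in TASK-216-001 through TASK-216-004 checks that the IssuerDirectory service connects with a database role that has no privileges on the Authority schema. Separate DbContexts alone do not keep a code path away from authentication tables if both services share one connection identity. Suggest adding a criterion to TASK-216-001 or TASK-216-003 along the lines of "IssuerDirectory connection role cannot read Authority tables, verified by a test query that is denied", and having the ADR entry in TASK-216-004 name which role owns which schema.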

View File

@@ -1,127 +0,0 @@
# Sprint 217 - Platform: Orphan Library Cleanup
## Topic & Scope
- Clean up confirmed orphan libraries with zero production consumers.
- Two confirmed orphans:
- `src/__Libraries/StellaOps.AdvisoryLens/` — 0 consumers, not in main solution, has tests.
- `src/__Libraries/StellaOps.Resolver/` — 0 consumers, in main solution, has tests. Research/PoC code.
- One previously suspected orphan confirmed ACTIVE:
- `src/__Libraries/StellaOps.Configuration.SettingsStore/` — actively used by ReleaseOrchestrator, Platform, Cli, AdvisoryAI. **Do NOT archive.**
- Working directory: `src/__Libraries/`.
- Expected evidence: orphan source archived, solution file cleaned, docs updated.
## Dependencies & Concurrency
- No upstream dependencies. Can run in parallel with other consolidation sprints.
- Must verify no consumers were missed before archiving.
## Documentation Prerequisites
- Read `src/__Libraries/StellaOps.AdvisoryLens/` source to understand purpose.
- Read `src/__Libraries/StellaOps.Resolver/AGENTS.md`.
- Read `docs/features/checked/libraries/advisory-lens.md`.
- Read `docs/features/checked/libraries/unified-deterministic-resolver.md`.
## Delivery Tracker
### TASK-217-001 - Final consumer verification
Status: TODO
Dependency: none
Owners: Developer
Task description:
- For each orphan library, perform a final comprehensive search:
- Search all `.csproj` files for any `ProjectReference` mentioning `AdvisoryLens`.
- Search all `.csproj` files for any `ProjectReference` mentioning `StellaOps.Resolver`.
- Search all `.cs` files for `using StellaOps.AdvisoryLens` (outside the library itself).
- Search all `.cs` files for `using StellaOps.Resolver` (outside the library and its tests).
- Search Docker compose and CI for references to either library.
- Confirm: SettingsStore is NOT an orphan (used by ReleaseOrchestrator, Platform, Cli, AdvisoryAI via indirect dependency through Plugin/IntegrationHub).
- Document findings in Execution Log.
Completion criteria:
- [ ] AdvisoryLens confirmed as orphan (zero consumers)
- [ ] Resolver confirmed as orphan (zero consumers)
- [ ] SettingsStore confirmed as active (removed from cleanup scope)
### TASK-217-002 - Archive AdvisoryLens
Status: TODO
Dependency: TASK-217-001
Owners: Developer
Task description:
- Move `src/__Libraries/StellaOps.AdvisoryLens/` -> `src/__Libraries/_archived/StellaOps.AdvisoryLens/`.
- Move `src/__Libraries/__Tests/StellaOps.AdvisoryLens.Tests/` -> `src/__Libraries/_archived/StellaOps.AdvisoryLens.Tests/`.
- AdvisoryLens is NOT in the main solution file — no .sln update needed.
- If any other solution files reference it, remove those references.
- Archive docs: move `docs/modules/advisory-lens/` to `docs-archived/modules/advisory-lens/`.
- Update `docs/features/checked/libraries/advisory-lens.md` to note the library is archived/dormant.
Completion criteria:
- [ ] Source archived to `_archived/`
- [ ] Tests archived
- [ ] Docs archived
- [ ] Feature file updated
### TASK-217-003 - Archive Resolver
Status: TODO
Dependency: TASK-217-001
Owners: Developer
Task description:
- Move `src/__Libraries/StellaOps.Resolver/` -> `src/__Libraries/_archived/StellaOps.Resolver/`.
- Move `src/__Libraries/StellaOps.Resolver.Tests/` -> `src/__Libraries/_archived/StellaOps.Resolver.Tests/`.
- Remove from `StellaOps.sln` (root solution):
- Remove `StellaOps.Resolver` project entry.
- Remove `StellaOps.Resolver.Tests` project entry.
- Archive docs: check `docs/modules/` for any Resolver-specific docs. Archive if found.
- Update `docs/features/checked/libraries/unified-deterministic-resolver.md` to note the library is archived/dormant.
- Archive audit materials if they exist in `docs-archived/implplan-blocked/audits/`.
Completion criteria:
- [ ] Source archived to `_archived/`
- [ ] Tests archived
- [ ] Removed from root solution
- [ ] Feature file updated
### TASK-217-004 - Verify builds
Status: TODO
Dependency: TASK-217-002, TASK-217-003
Owners: Developer
Task description:
- Build root solution: `dotnet build StellaOps.sln` — must succeed.
- Verify no broken references anywhere in the codebase.
- Run a quick test of any module that might have had indirect dependencies.
Completion criteria:
- [ ] Root solution builds successfully
- [ ] No broken references
### TASK-217-005 - Update documentation
Status: TODO
Dependency: TASK-217-004
Owners: Developer
Task description:
- Update `docs/INDEX.md` if AdvisoryLens or Resolver are referenced.
- Update `CLAUDE.md` if either is referenced.
- Add note in `src/__Libraries/_archived/README.md` explaining the archive policy:
- Libraries here are dormant — zero production consumers at time of archival.
- They can be restored if a future feature needs them.
- Each library retains its tests for easy reactivation.
- Check for any references in feature docs, architecture docs, or sprint docs. Update.
Completion criteria:
- [ ] INDEX.md updated
- [ ] CLAUDE.md updated
- [ ] Archive README created
- [ ] All references updated
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
## Decisions & Risks
- Decision: Archive to `src/__Libraries/_archived/` (not delete) — preserves code history and enables reactivation.
- Decision: SettingsStore removed from cleanup scope — actively used by 4+ modules.
- Risk: AdvisoryLens may have been intended for a feature not yet implemented. Archiving (not deleting) preserves the option to restore.
- Risk: Resolver has extensive SOLID review and audit documentation. Archiving does not lose this — it moves with the code.
## Next Checkpoints
- Estimate: 1 session (small scope).
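
Review bot: all five tasks (TASK-217-001 to TASK-217-005) are still `Status: TODO` and the Execution Log holds only the "Sprint created" row, while the hunk header (`-1,127 +0,0`) removes the file from this path, so nothing here records whether AdvisoryLens and Resolver were archived or the sprint was dropped. Please record the outcome in the file's new location or in a decision ledger before removing it. If the work is carried over, note that TASK-217-001 only searches for direct `ProjectReference` entries and `using` directives, although the same task describes SettingsStore as consumed "via indirect dependency through Plugin/IntegrationHub"; the orphan check should also cover transitive references and fully qualified type names.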

View File

@@ -1,89 +0,0 @@
# Sprint 218 - DOCS: Consolidation Decision Finalization
## Topic & Scope
- Final documentation sweep after consolidation-plan rework and boundary decisions.
- Publish final outcomes per sprint: proceed, deferred, canceled, or boundary-preserved.
- Remove stale claims about DbContext/service merges that were rejected.
- Working directory: `docs/`.
- Cross-module edits explicitly allowed for root documentation files and sprint evidence files under `docs/implplan/`.
- Expected evidence: active docs reflect actual approved work; canceled/no-op sprint assumptions are removed.
## Dependencies & Concurrency
- Depends on active implementation-affecting consolidation sprints being completed or explicitly canceled.
- Must run after Sprint 221 rename execution.
## Documentation Prerequisites
- Read `docs/INDEX.md`.
- Read `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
- Read `AUDIT_20260225_cli_ui_module_reference_matrix.md`.
- Read execution logs of active consolidation sprints.
## Delivery Tracker
### TASK-218-001 - Publish consolidation decision ledger
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Create/update a decision ledger that marks each consolidation sprint as one of:
- Proceed (implementation)
- Boundary-preserved (no consolidation)
- Deferred (future wave)
- Canceled/no-op (removed from active plan)
- Link each row to sprint file evidence.
Completion criteria:
- [ ] Decision ledger published.
- [ ] Every impacted sprint has explicit state.
### TASK-218-002 - Remove stale merge language from active docs
Status: TODO
Dependency: TASK-218-001
Owners: Developer
Task description:
- Remove claims that DbContext merges were executed where they are now rejected/deferred.
- Ensure docs describe preserved boundaries for Unknowns, Notify/Notifier, AirGap/ExportCenter, and SbomService.
Completion criteria:
- [ ] Stale merge claims removed.
- [ ] Boundary-preserved outcomes reflected in docs.
### TASK-218-003 - Align indexes and architecture maps with approved scope
Status: TODO
Dependency: TASK-218-001, TASK-218-002
Owners: Developer
Task description:
- Update `docs/INDEX.md` and architecture references so they match approved sprint outcomes.
- Ensure renamed orchestration domain references remain consistent with Sprint 221 execution.
Completion criteria:
- [ ] Index and architecture references aligned.
- [ ] No stale references to canceled/no-op consolidations.
### TASK-218-004 - Final documentation quality gate
Status: TODO
Dependency: TASK-218-003
Owners: Developer
Task description:
- Run final docs cross-reference checks.
- Record residual risks and deferred items.
Completion criteria:
- [ ] Cross-reference checks completed.
- [ ] Residual risks/deferred items documented.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. | Planning |
| 2026-02-25 | Reworked to decision-finalization closeout after consolidation scope changes. | Planning |
| 2026-02-25 | Updated outcomes: 206 boundary-preserved; 209 boundary-preserved; 211 boundary-preserved; 205 deferred/no-op; 215 no-op in consolidation wave; 220 canceled per decision not to merge SbomService; 221 proceed. | Planning |
## Decisions & Risks
- Decision: final docs must mirror approved execution scope, not earlier consolidation drafts.
- Risk: stale references to canceled/deferred merges may reappear from older notes. Mitigation: decision ledger + final grep gate.
## Next Checkpoints
- Milestone 1: decision ledger complete.
- Milestone 2: stale merge language removed.
- Milestone 3: final docs gate passed and sprint ready for closure.
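
Review bot: the third Execution Log row is the only place in this file where the per-sprint outcomes are stated (206, 209 and 211 boundary-preserved; 205 deferred/no-op; 215 no-op; 220 canceled; 221 proceed), and TASK-218-001, which was meant to publish them as a decision ledger, is still `Status: TODO` when the hunk (`-1,89 +0,0`) removes the file. Please confirm the ledger exists elsewhere and link it, or keep this row until it does. Separately, the mitigation "decision ledger + final grep gate" never says which terms the grep looks for; listing them in TASK-218-004 would make the gate repeatable.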

View File

@@ -1,192 +0,0 @@
# Sprint 221 - Rename Orchestrator Domain to Resolve ReleaseOrchestrator Naming Collision
## Topic & Scope
- Rename the `src/Orchestrator/` domain directory, all `StellaOps.Orchestrator.*` namespaces, Docker images, API routes, authority scopes, and documentation to a new unambiguous name.
- The current name creates persistent confusion with `src/ReleaseOrchestrator/` (the core product feature — release promotion pipeline). This confusion will compound as the product matures and onboards contributors.
- Pre-alpha with zero clients — this is the last low-cost window for a clean rename.
- Working directory: `src/Orchestrator/` (becomes `src/<NewName>/` after rename).
- Cross-module edits explicitly allowed for all consumers, infrastructure, and documentation.
- Expected evidence: zero references to old name in code/config/docs (except PostgreSQL schema name, which is preserved for data continuity), all builds/tests pass.
## Dependencies & Concurrency
- **Upstream dependency: Sprint 208** — Sprint 208 consolidates Scheduler, TaskRunner, and PacksRegistry under `src/Orchestrator/`. This sprint renames the result. Sprint 208 must be DONE before this sprint starts.
- **Sprint 218 (DOCS) must wait for this sprint** — final docs sweep needs the rename to be complete.
- No other dependencies. Can run in parallel with any non-Orchestrator sprint.
## Documentation Prerequisites
- Read `docs/modules/orchestrator/architecture.md`.
- Read `src/Orchestrator/StellaOps.Orchestrator/AGENTS.md`.
- Read Sprint 208 execution log for post-consolidation layout.
- Read `devops/compose/docker-compose.stella-ops.yml` for infrastructure references.
- Read `devops/helm/stellaops/values-orchestrator.yaml` for Helm config.
## Naming Decision
The new name must satisfy:
1. **Unambiguous** — cannot be confused with ReleaseOrchestrator.
2. **Descriptive** — captures the domain: job scheduling, task DAG execution, pack runs, quotas, SLOs, circuit breakers, dead letters.
3. **Short enough** for a directory name and namespace prefix.
Candidate names (to be decided in TASK-221-001):
| Candidate | Pros | Cons |
|-----------|------|------|
| `JobEngine` | Clear, short, matches "job" terminology used throughout. | Doesn't capture pack-run or DAG aspects explicitly. |
| `Conductor` | Evocative of orchestration without the word. No collision risk. | Slightly abstract. May conflict with MassTransit's "Conductor" concept. |
| `Dispatch` | Short, action-oriented. Captures scheduling and routing. | Might be confused with message dispatch/event dispatch patterns. |
| `RunEngine` | Matches the existing "runs" terminology in the API. | Could be confused with test runner or CI runner concepts. |
## Delivery Tracker
### TASK-221-001 - Confirm new domain name and document impact assessment
Status: TODO
Dependency: Sprint 208 DONE
Owners: Developer
Task description:
- Select the new domain name from candidates (or propose alternative).
- Produce a complete rename mapping document:
- Directory: `src/Orchestrator/``src/<NewName>/`
- Namespaces: `StellaOps.Orchestrator.*``StellaOps.<NewName>.*` (3,268 references)
- Projects: 5 main + 2 shared library csproj files
- External ProjectReferences: 36 consumer csproj files
- Docker images: `stellaops/orchestrator`, `stellaops/orchestrator-worker`
- Compose services: `orchestrator`, `orchestrator-worker`
- Hostnames: `orchestrator.stella-ops.local`, `orchestrator-worker.stella-ops.local`
- API routes: `/api/v1/orchestrator/*` (5+ endpoint groups, 20+ endpoint files)
- OpenAPI spec: `/openapi/orchestrator.json`
- Authority scopes: `orchestrator:read`, `orchestrator:write`, `orchestrator:admin`
- Kafka consumer group: `orchestrator`
- Helm values: `values-orchestrator.yaml`
- Frontend: 40+ TypeScript files, Angular route config, proxy config
- PostgreSQL schema: `orchestrator`**DO NOT RENAME** (data continuity; schema name stays)
- EF compiled models: regeneration required after namespace change
- Record the decision and mapping in sprint notes.
Completion criteria:
- [ ] New name selected with rationale.
- [ ] Complete rename mapping documented.
- [ ] PostgreSQL schema preservation strategy confirmed.
### TASK-221-002 - Source directory, namespace, and project rename
Status: TODO
Dependency: TASK-221-001
Owners: Developer
Task description:
- Rename `src/Orchestrator/` directory to `src/<NewName>/`.
- Rename all `.csproj` files: `StellaOps.Orchestrator.*``StellaOps.<NewName>.*`.
- Rename shared library: `src/__Libraries/StellaOps.Orchestrator.Schemas/``src/__Libraries/StellaOps.<NewName>.Schemas/`.
- Update all `namespace` declarations in 324 C# files.
- Update all `using StellaOps.Orchestrator.*` statements in 222 C# files.
- Update all 36 external `ProjectReference` paths in consumer csproj files.
- Update solution files (`.sln`, `.slnf`).
- Verify build compiles: `dotnet build` on domain solution and root solution.
Completion criteria:
- [ ] Directory and all projects renamed.
- [ ] All namespace declarations updated.
- [ ] All using statements updated.
- [ ] All external ProjectReferences updated.
- [ ] Domain solution builds.
- [ ] Root solution builds.
### TASK-221-003 - Infrastructure and deployment rename
Status: TODO
Dependency: TASK-221-002
Owners: Developer
Task description:
- Update Docker image names in Dockerfiles: `stellaops/orchestrator``stellaops/<newname>`.
- Update Docker Compose files (3 files): service names, hostnames, environment variables.
- Update `STELLAOPS_ORCHESTRATOR_URL` environment variable name across all compose/launch/helm files.
- Update Helm values file: rename `values-orchestrator.yaml``values-<newname>.yaml`.
- Update Helm templates referencing orchestrator service.
- Update Kafka consumer group name.
- Update Authority scope names: `orchestrator:read/write/admin``<newname>:read/write/admin`.
- Update any launch settings or local dev configuration.
Completion criteria:
- [ ] Docker images and compose services renamed.
- [ ] Environment variable names updated.
- [ ] Helm values and templates updated.
- [ ] Kafka consumer group updated.
- [ ] Authority scopes updated.
- [ ] Local dev tooling updated.
### TASK-221-004 - API routes and frontend rename
Status: TODO
Dependency: TASK-221-002
Owners: Developer
Task description:
- Update all API endpoint route prefixes: `/api/v1/orchestrator/*``/api/v1/<newname>/*`.
- Update OpenAPI spec path: `/openapi/orchestrator.json``/openapi/<newname>.json`.
- Update Web proxy config: `src/Web/StellaOps.Web/proxy.conf.json` (`/orchestrator` target).
- Update Angular API clients: `orchestrator.client.ts`, `orchestrator-control.client.ts`.
- Update Angular feature routes and components under `src/app/features/orchestrator/`.
- Update Angular app config and navigation references.
- Update CLI route references if any exist for orchestrator endpoints.
Completion criteria:
- [ ] All API route prefixes updated.
- [ ] OpenAPI spec path updated.
- [ ] Web proxy config updated.
- [ ] Angular clients and routes updated.
- [ ] CLI references updated.
### TASK-221-005 - EF compiled model regeneration and database compatibility
Status: TODO
Dependency: TASK-221-002
Owners: Developer
Task description:
- PostgreSQL schema name `orchestrator` is **preserved** (no data migration). The DbContextFactory maps the new namespace to the existing schema name.
- Verify OrchestratorDbContextFactory (renamed) still sets `HasDefaultSchema("orchestrator")`.
- Verify SchedulerDbContextFactory still sets its existing schema.
- Regenerate EF compiled models for both DbContexts using `dotnet ef dbcontext optimize`.
- Verify `<Compile Remove>` entries for compiled model assembly attributes.
- Run all migration scripts to confirm they still apply against the existing schema.
- Run integration tests to confirm database operations work with renamed context.
Completion criteria:
- [ ] PostgreSQL schema name preserved (confirmed `orchestrator` in factory).
- [ ] EF compiled models regenerated for both contexts.
- [ ] `<Compile Remove>` entries verified.
- [ ] Migration scripts still apply cleanly.
- [ ] Integration tests pass.
### TASK-221-006 - Documentation, cross-references, and final validation
Status: TODO
Dependency: TASK-221-003, TASK-221-004, TASK-221-005
Owners: Developer
Task description:
- Rename and update `docs/modules/orchestrator/``docs/modules/<newname>/`.
- Update architecture dossier content for new name.
- Update all feature docs under `docs/features/checked/orchestrator/`.
- Update API docs: `docs/api/gateway/orchestrator.md`, `docs/api/orchestrator-first-signal.md`.
- Update `AGENTS.md` files (module-local and repo-wide CLAUDE.md references).
- Update `docs/code-of-conduct/CODE_OF_CONDUCT.md` Section 15.1 canonical domain roots table.
- Run repo-wide search for any remaining `orchestrator` references (excluding PostgreSQL schema name, which stays).
- Run full build and test suite to confirm zero regressions.
Completion criteria:
- [ ] All docs renamed and updated.
- [ ] AGENTS.md and CLAUDE.md references updated.
- [ ] CODE_OF_CONDUCT.md domain roots table updated.
- [ ] Zero stale `orchestrator` references remain (except PostgreSQL schema).
- [ ] Full build and test pass.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-25 | Sprint created. Rename scope assessed: 3,268 namespace references, 336 C# files, 36 external ProjectReferences, 40+ TypeScript files, Docker/Helm/Compose/Kafka/authority scopes. | Planning |
## Decisions & Risks
- Decision: Orchestrator is renamed to avoid confusion with ReleaseOrchestrator (the core product feature).
- Decision: PostgreSQL schema name `orchestrator` is preserved for data continuity. The factory class maps the new code name to the existing schema.
- Decision: Pre-alpha with zero clients — all API routes, Docker images, authority scopes, and Kafka consumer groups are renamed cleanly without backward-compatibility aliases.
- Risk: Rename scope is large (3,268+ references). Mitigation: automated find-and-replace with manual review for edge cases (serialized type names, reflection, string interpolation).
- Risk: missed references cause runtime failures. Mitigation: repo-wide grep for old name as final validation step. PostgreSQL schema exclusion must be explicit and documented.
- Risk: Helm/Compose rename coordination with any active deployment. Mitigation: pre-alpha with no production deployments.
## Next Checkpoints
- Milestone 1: name decided and mapping document approved.
- Milestone 2: source + infrastructure + frontend rename complete.
- Milestone 3: compiled models regenerated, full build/test pass, docs updated.
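
Review bot: TASK-221-003 renames the Authority scopes `orchestrator:read/write/admin` and the Decisions section rules out backward-compatibility aliases, but its completion criterion is only "Authority scopes updated"; nothing requires checking that client registrations, role seeds and endpoint policies moved to the new scope strings together, and scope names are plain strings that a successful build will not validate. Suggest a criterion that an integration test obtains a token with the new scope and is accepted, and that a token carrying only the old scope is rejected. Also, the file is removed (`-1,192 +0,0`) with TASK-221-001 still `Status: TODO` and no log row naming the chosen name, although the sprint added later in this commit already works in `src/JobEngine`; the decision and the explicit PostgreSQL schema exclusion for the final grep should be recorded somewhere that survives. The file counts also disagree (324 and 222 C# files in TASK-221-002, 336 in the Execution Log).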

View File

@@ -0,0 +1,104 @@
# Sprint 20260305-002 - JobEngine Storage Completion (PacksRegistry and TaskRunner)
## Topic & Scope
- Complete the remaining delivery gap for Point 1: Postgres-first metadata/state with production-ready object-store blob handling for `PacksRegistry` and `TaskRunner`.
- Preserve deterministic replay semantics while removing non-dev ambiguity in storage-driver behavior.
- Align runtime wiring, compose overlays, and tests so storage mode is explicit and verifiable.
- Working directory: `src/JobEngine`.
- Expected evidence: targeted persistence/integration test passes, compose config validation output, and updated JobEngine/platform architecture docs.
## Dependencies & Concurrency
- Depends on shared storage contract documented in `docs/modules/platform/architecture.md`.
- Can run in parallel with Replay, Remediation, and Platform boundary sprints.
- Documentation cleanup sprint (`SPRINT_20260305_006_DOCS_webservice_catalog_and_domain_consistency.md`) depends on final runtime behavior from this sprint.
## Documentation Prerequisites
- `docs/modules/platform/architecture.md`
- `docs/modules/jobengine/architecture.md`
- `src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs`
- `src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs`
- `docs/implplan/CONSOLIDATION_WEBSERVICE_FUNCTION_DB_MATRIX_20260305.md`
## Delivery Tracker
### JOBENG-STOR-001 - Reconcile declared driver contract with actual runtime behavior
Status: TODO
Dependency: none
Owners: Project Manager, Implementer
Task description:
- Produce a precise behavior matrix for `Storage:Driver` and `Storage:ObjectStore:Driver` for both services.
- Confirm and document current mismatch points (for example, drivers accepted by validation but not backed by concrete adapter behavior).
Completion criteria:
- [ ] Behavior matrix committed under module docs with config keys, defaults, and startup fail-fast rules.
- [ ] Every accepted driver value is either fully implemented or explicitly rejected with deterministic startup failure.
### JOBENG-STOR-002 - Implement production RustFS object-store adapters for blob payloads
Status: TODO
Dependency: JOBENG-STOR-001
Owners: Implementer, Test Automation
Task description:
- Implement and wire RustFS/S3-compatible blob adapters for:
- `PacksRegistry` pack/provenance/attestation payload channels.
- `TaskRunner` run artifact payload channel.
- Preserve existing Postgres-backed metadata stores and deterministic ordering semantics.
Completion criteria:
- [ ] `Storage:ObjectStore:Driver=rustfs` uses concrete RustFS adapter implementations in both services.
- [ ] Existing `seed-fs` behavior remains supported for local/offline deterministic workflows.
- [ ] Non-development startup fails when RustFS is configured without required endpoint/credentials settings.
### JOBENG-STOR-003 - Harden non-development startup behavior and fallback policy
Status: TODO
Dependency: JOBENG-STOR-002
Owners: Implementer
Task description:
- Remove silent non-dev behavior drift by enforcing explicit fail-fast for missing Postgres/object-store configuration.
- Ensure development-only fallback behavior is intentional, documented, and test-covered.
Completion criteria:
- [ ] Non-development runtime has no implicit filesystem fallback for stores expected to be Postgres-backed.
- [ ] Error messages are actionable and identify missing config keys.
- [ ] Startup behavior is covered by automated tests for success/failure modes.
### JOBENG-STOR-004 - Expand deterministic storage tests across drivers
Status: TODO
Dependency: JOBENG-STOR-002
Owners: Test Automation
Task description:
- Add targeted tests that validate parity across `postgres + seed-fs` and `postgres + rustfs`.
- Include replay-critical assertions for stable ordering, digest consistency, and tenant isolation.
Completion criteria:
- [ ] Targeted test projects include both happy-path and misconfiguration-path assertions.
- [ ] Evidence captures command output and test counts for each driver profile.
- [ ] No regression in existing persistence tests for Postgres repositories.
### JOBENG-STOR-005 - Update architecture and operations docs for final storage contract
Status: TODO
Dependency: JOBENG-STOR-003
Owners: Documentation author, Implementer
Task description:
- Update JobEngine and platform storage docs with final runtime contract, config examples, and migration notes.
- Record decisions and residual risks in sprint log and link to docs changed.
Completion criteria:
- [ ] `docs/modules/jobengine/architecture.md` and `docs/modules/platform/architecture.md` reflect final behavior.
- [ ] Compose/ops guidance references valid config keys for both services.
- [ ] Sprint Decisions & Risks includes links to all updated docs.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-05 | Sprint created from architecture review; points 1 and 2 were partially implemented and require completion/hardening work. | Project Manager |
## Decisions & Risks
- Current code already wires Postgres state stores for TaskRunner and Postgres persistence extension for PacksRegistry, but remaining object-store adapter parity and fallback hardening are unresolved.
- `PacksRegistry` currently carries an explicit RustFS-not-implemented guard in runtime contract paths; this blocks full completion of Point 1 in production modes.
- `TaskRunner` currently accepts object-store driver values while artifact reading remains filesystem-root based; implementation parity must be enforced to avoid config drift.
- Mitigation: complete adapter implementation and add startup contract tests before documentation sprint declares Point 1 as complete.
## Next Checkpoints
- Driver matrix and gap report complete.
- RustFS adapter PR ready with targeted test evidence.
- Docs and compose parity review complete before marking DONE.
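
Review bot: JOBENG-STOR-004's task description asks for "replay-critical assertions for stable ordering, digest consistency, and tenant isolation", but none of its three completion criteria mention tenant isolation, so the task can be closed without a single cross-tenant test. Suggest adding a criterion that a read of another tenant's blob is refused under both `postgres + seed-fs` and `postgres + rustfs`. In JOBENG-STOR-003, "Error messages are actionable and identify missing config keys" should state that messages name the keys only and never echo endpoint credentials, since JOBENG-STOR-002 makes RustFS credentials part of startup validation. "Point 1" and "points 1 and 2" are used without a link to where those points are defined.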

View File

@@ -0,0 +1,93 @@
# Sprint 20260305-003 - Replay Feed Snapshot Storage Completion
## Topic & Scope
- Complete the remaining Replay portion of Point 2: durable Postgres index plus production-ready object-store blob channel behavior.
- Preserve deterministic replay guarantees across storage drivers and deployment profiles.
- Remove ambiguous driver semantics for Replay object storage in non-development runtime.
- Working directory: `src/Replay`.
- Expected evidence: targeted Replay storage tests, startup contract tests, and updated Replay/platform docs.
## Dependencies & Concurrency
- Depends on shared storage contract in `docs/modules/platform/architecture.md`.
- Can run in parallel with JobEngine and Remediation workstreams.
- Documentation cleanup sprint depends on this sprint's final object-store behavior.
## Documentation Prerequisites
- `docs/modules/replay/architecture.md`
- `docs/modules/platform/architecture.md`
- `src/Replay/StellaOps.Replay.WebService/Program.cs`
- `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/ReplayFeedSnapshotStoresTests.cs`
- `docs/implplan/CONSOLIDATION_WEBSERVICE_FUNCTION_DB_MATRIX_20260305.md`
## Delivery Tracker
### REPLAY-STOR-001 - Finalize Replay storage driver contract and reject unsupported runtime paths
Status: DOING
Dependency: none
Owners: Project Manager, Implementer
Task description:
- Review current `Storage:Driver` and `Storage:ObjectStore:Driver` behavior and define final accepted production combinations.
- Ensure unsupported combinations fail deterministically at startup with precise error text.
Completion criteria:
- [ ] Contract table is documented with defaults, required keys, and non-dev fail-fast behavior.
- [ ] Contract tests cover valid and invalid storage configuration paths.
### REPLAY-STOR-002 - Implement RustFS blob adapter path or narrow contract explicitly
Status: DOING
Dependency: REPLAY-STOR-001
Owners: Implementer
Task description:
- Implement a concrete RustFS blob adapter for Replay snapshots, or formally narrow the contract to `seed-fs` and remove ambiguous `rustfs` acceptance.
- Keep Postgres index storage unchanged and deterministic.
Completion criteria:
- [x] Runtime behavior matches documented contract without hidden fallback semantics.
- [x] Non-dev deployment profile has one clear supported blob path with deterministic startup validation.
- [ ] Blob read/write paths are integration-tested.
### REPLAY-STOR-003 - Validate deterministic replay behavior under finalized storage modes
Status: BLOCKED
Dependency: REPLAY-STOR-002
Owners: Test Automation
Task description:
- Add or extend tests to verify index/blob persistence consistency, stable ordering, and deterministic replay outputs.
- Execute targeted test runs against Replay core and webservice projects for selected storage modes.
Completion criteria:
- [ ] Replay storage tests cover create/read/list flows and deterministic ordering.
- [ ] Test evidence includes command lines, test counts, and pass/fail status.
- [ ] No regression in existing point-in-time query and verdict replay tests.
### REPLAY-STOR-004 - Update replay docs and storage runbook references
Status: DOING
Dependency: REPLAY-STOR-003
Owners: Documentation author, Implementer
Task description:
- Update Replay module architecture docs with finalized storage contract and operator guidance.
- Link the final contract from platform architecture docs and sprint Decisions & Risks.
Completion criteria:
- [x] `docs/modules/replay/architecture.md` reflects final storage behavior and required config.
- [ ] Platform-level storage contract docs reference Replay accurately.
- [ ] Sprint log links to all updated docs and evidence artifacts.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-05 | Sprint created from architecture review; Replay index persistence is in place, but object-store driver contract remains incomplete for production parity. | Project Manager |
| 2026-03-05 | Started REPLAY-STOR-001/002/004: narrowed object-store contract by rejecting `rustfs` at startup and keeping `seed-fs` as the only supported blob driver. | Implementer |
| 2026-03-05 | Updated `docs/modules/replay/architecture.md` storage contract text to match runtime behavior (`seed-fs` only for blob store). | Documentation author |
| 2026-03-05 | REPLAY-STOR-003 blocked by unrelated replay API auth regressions in existing suite: `dotnet test src/Replay/__Tests/StellaOps.Replay.Core.Tests/StellaOps.Replay.Core.Tests.csproj --filter FullyQualifiedName~FeedSnapshots -m:1 -v minimal` ran full suite (`MTP0001` indicates filter ignored) and failed `2/99` with `401` on point-in-time API integration tests. | Test Automation |
## Decisions & Risks
- Replay already resolves Postgres index store with non-dev fail-fast when connection is missing.
- Decision: narrowed Replay blob storage contract to `seed-fs` only; `rustfs` now fails fast in all profiles with an explicit startup error.
- Risk: mixed driver semantics can produce environment-specific behavior drift during incident replay verification.
- Risk: existing replay API integration auth failures currently block a clean green run of the targeted feed-snapshot suite and prevent closing REPLAY-STOR-003.
- Mitigation: resolve/triage auth regression in replay API tests, then rerun targeted storage suite and complete platform-level doc linkage.
## Next Checkpoints
- Storage contract decision recorded (narrowed to `seed-fs` blob driver).
- Resolve replay API auth test failures and rerun targeted feed-snapshot suite.
- Complete platform storage-contract doc linkage once REPLAY-STOR-003 is unblocked.
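Review bot: REPLAY-STOR-004 is marked `Status: DOING` while its declared `Dependency: REPLAY-STOR-003` is `BLOCKED`, so the tracker contradicts its own ordering; either drop the dependency for the doc work that can proceed now, or record the early start as an exception in Decisions & Risks. The execution log also states that `--filter FullyQualifiedName~FeedSnapshots` was ignored (`MTP0001`), which makes the `2/99` result a full-suite run and not evidence for the feed-snapshot storage paths; the rerun should use a filter form the runner honors. The `401` failures on the point-in-time API tests are labelled unrelated but have no task ID or owner in this file, so give the auth regression its own tracked item before it is written off.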

View File

@@ -0,0 +1,116 @@
# Sprint 20260305-004 - Remediation Postgres Runtime Wiring and Service Standardization
## Topic & Scope
- Complete Point 3 by wiring Remediation runtime to real Postgres data source and removing implicit in-memory production behavior.
- Bring Remediation webservice in line with StellaOps webservice baseline (router/local hostname integration, explicit storage contract, deterministic startup rules).
- Add missing module-level AGENTS contract for `src/Remediation`.
- Working directory: `src/Remediation`.
- Expected evidence: Remediation webservice startup contract tests, persistence integration tests, and updated module docs/AGENTS.
## Dependencies & Concurrency
- Depends on platform storage contract from `docs/modules/platform/architecture.md`.
- Can run in parallel with JobEngine, Replay, and Platform boundary sprints.
- Documentation cleanup sprint depends on this sprint for final Remediation inventory and host/path metadata.
## Documentation Prerequisites
- `docs/modules/remediation/architecture.md`
- `src/Remediation/StellaOps.Remediation.WebService/Program.cs`
- `src/Remediation/StellaOps.Remediation.Persistence/Postgres/RemediationDataSource.cs`
- `src/Remediation/StellaOps.Remediation.Persistence/Repositories/PostgresFixTemplateRepository.cs`
- `src/Remediation/StellaOps.Remediation.Persistence/Repositories/PostgresPrSubmissionRepository.cs`
- `src/Remediation/StellaOps.Remediation.Persistence/Repositories/PostgresMarketplaceSourceRepository.cs`
## Delivery Tracker
### REMED-RUNTIME-001 - Create module-local AGENTS contract for Remediation
Status: DONE
Dependency: none
Owners: Project Manager, Documentation author
Task description:
- Add `src/Remediation/AGENTS.md` with required reading, working directory scope, deterministic/testing requirements, and endpoint metadata.
- Ensure repo-wide and module-level instructions are aligned and enforceable for implementers.
Completion criteria:
- [x] `src/Remediation/AGENTS.md` exists and is consistent with repo-wide AGENTS rules.
- [x] Sprint docs reference the new module-local AGENTS contract.
### REMED-RUNTIME-002 - Replace parameterless repository wiring with data-source-backed DI
Status: DONE
Dependency: REMED-RUNTIME-001
Owners: Implementer
Task description:
- Register and inject `RemediationDataSource` and remove parameterless repository construction from webservice runtime.
- Preserve deterministic behavior while ensuring non-dev runtime does not silently degrade to in-memory mode.
Completion criteria:
- [x] Webservice DI uses data-source-backed repository constructors.
- [x] Non-development startup fails fast when required Postgres config is missing.
- [x] In-memory mode remains explicit and test-profile scoped only.
### REMED-RUNTIME-003 - Add standard webservice integration hooks and policy-safe defaults
Status: DONE
Dependency: REMED-RUNTIME-002
Owners: Implementer
Task description:
- Align Remediation host with standard middleware and service integrations used by peer webservices:
- Router microservice integration.
- Local hostname logging/binding.
- Explicit CORS and auth policy conventions matching module scope.
Completion criteria:
- [x] Remediation host exposes deterministic local alias behavior (`*.stella-ops.local`) consistent with platform conventions.
- [x] Router integration and endpoint exposure are documented and test-verified.
- [x] Authz policy behavior is explicit and covered in tests.
### REMED-RUNTIME-004 - Add persistence and startup contract tests
Status: DONE
Dependency: REMED-RUNTIME-002
Owners: Test Automation
Task description:
- Add targeted tests validating startup contract behavior for:
- valid Postgres configuration.
- missing Postgres configuration in non-development profile.
- explicit in-memory test profile behavior.
- Add integration tests for repository CRUD paths against Postgres fixture.
Completion criteria:
- [x] Tests assert deterministic ordering and tenant-safe behavior for repository operations.
- [x] Startup contract tests fail when configuration contract is violated.
- [x] Evidence includes command output and test counts.
### REMED-RUNTIME-005 - Update Remediation architecture docs and migration notes
Status: DONE
Dependency: REMED-RUNTIME-004
Owners: Documentation author, Implementer
Task description:
- Update module architecture docs to reflect final runtime wiring and configuration contract.
- Record migration guidance from current behavior to finalized storage mode.
Completion criteria:
- [x] `docs/modules/remediation/architecture.md` matches implemented runtime behavior.
- [x] Sprint Decisions & Risks links all relevant docs and test evidence.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-05 | Sprint created after architecture review identified Remediation runtime still using parameterless repository constructors and in-memory fallback behavior. | Project Manager |
| 2026-03-05 | REMED-RUNTIME-001 completed: added `src/Remediation/AGENTS.md` with scope, required reading, and deterministic/testing rules. | Implementer |
| 2026-03-05 | Started REMED-RUNTIME-002/003/004/005: switched webservice to storage-driver contract wiring, added router/local-hostname integration, and added startup-contract tests plus architecture doc updates. | Implementer |
| 2026-03-05 | Test evidence: `dotnet test src/Remediation/__Tests/StellaOps.Remediation.WebService.Tests/StellaOps.Remediation.WebService.Tests.csproj -m:1 -v minimal` -> Passed `8/8`; includes startup contract and source endpoint integration checks. | Test Automation |
| 2026-03-05 | Test evidence: `dotnet test src/Remediation/__Tests/StellaOps.Remediation.Tests/StellaOps.Remediation.Tests.csproj -m:1 -v minimal` -> Passed `28/28` (with existing `MTP0001` warning from project settings). | Test Automation |
| 2026-03-05 | REMED-RUNTIME-002/003/004/005 marked DONE after runtime wiring, router/local alias integration, startup tests, and architecture migration notes were merged. | Implementer |
## Decisions & Risks
- Decision: Remediation webservice now defaults to `Storage:Driver=postgres` with explicit startup failure when Postgres connection settings are absent.
- Decision: `Storage:Driver=inmemory` is allowed only in `Test`/`Testing` profiles to keep non-test deployments from silently degrading to process memory.
- Decision: Remediation host now follows baseline webservice integration (`AddRouterMicroservice`, `TryAddStellaOpsLocalBinding`, `LogStellaOpsLocalHostname`, `UseStellaOpsCors`).
- References:
- `src/Remediation/AGENTS.md`
- `src/Remediation/StellaOps.Remediation.WebService/Program.cs`
- `src/Remediation/__Tests/StellaOps.Remediation.WebService.Tests/RemediationStartupContractTests.cs`
- `docs/modules/remediation/architecture.md`
- Residual risk: production startup still cannot validate Postgres connectivity without invoking repository operations.
- Mitigation: add explicit connectivity health probe in follow-up ops hardening if required.
## Next Checkpoints
- Completed for this sprint stream; handoff can proceed to cross-sprint docs synchronization (`SPRINT_20260305_006_DOCS_webservice_catalog_and_domain_consistency.md`).
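Review bot: the startup-contract cases listed under REMED-RUNTIME-004 (valid Postgres configuration, missing Postgres configuration in non-development profile, explicit in-memory test profile) leave out the negative case the Decisions section relies on: `Storage:Driver=inmemory` requested outside `Test`/`Testing` must be rejected at startup. Add that case to the task description and completion criteria. The wording also drifts between "non-development" (REMED-RUNTIME-002) and "only in `Test`/`Testing` profiles" (Decisions), which leaves the Development profile undefined; state which rule is authoritative. Separately, the logged evidence (`8/8`, `28/28`) names startup contract and source endpoint checks but does not name the Postgres-fixture CRUD and tenant-safety tests that the checked criteria claim, so link that run or reopen the box.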

View File

@@ -0,0 +1,95 @@
# Sprint 20260305-005 - Platform Read-Model Boundary Enforcement
## Topic & Scope
- Execute Point 4 by formalizing and enforcing Platform read-model boundaries to prevent cross-module persistence coupling drift.
- Preserve aggregation behavior while introducing explicit contract and test guardrails for future changes.
- Ensure migration-management dependencies are clearly separated from runtime query dependencies.
- Working directory: `src/Platform`.
- Expected evidence: boundary inventory, guard tests, updated architecture dossier/ADR, and endpoint-level verification.
## Dependencies & Concurrency
- Depends on current Platform architecture docs and runtime service inventory.
- Can run in parallel with storage sprints for JobEngine/Replay/Remediation.
- Documentation cleanup sprint depends on final boundary statement from this sprint.
## Documentation Prerequisites
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/platform/architecture.md`
- `src/Platform/StellaOps.Platform.WebService/Program.cs`
- `src/Platform/StellaOps.Platform.WebService/Services/TopologyReadModelService.cs`
- `src/Platform/StellaOps.Platform.WebService/Services/SecurityReadModelService.cs`
- `src/Platform/StellaOps.Platform.WebService/Services/IntegrationsReadModelService.cs`
- `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModulePlugins.cs`
## Delivery Tracker
### PLATFORM-BOUND-001 - Produce runtime dependency inventory and classify boundary risks
Status: TODO
Dependency: none
Owners: Project Manager, Implementer
Task description:
- Inventory Platform runtime dependencies and classify each as:
- allowed runtime read-model dependency.
- migration-only dependency.
- prohibited cross-module persistence coupling.
- Capture inventory output in module docs so future reviewers can validate changes quickly.
Completion criteria:
- [ ] Inventory table committed with explicit allowed/prohibited categories.
- [ ] Every cross-module reference in Platform runtime code is justified or queued for remediation.
### PLATFORM-BOUND-002 - Add enforceable guard tests for persistence boundary violations
Status: TODO
Dependency: PLATFORM-BOUND-001
Owners: Implementer, Test Automation
Task description:
- Add architecture-style tests that fail if `StellaOps.Platform.WebService` references foreign module DbContext/persistence internals outside approved contracts.
- Keep migration plugin assembly scanning excluded from runtime boundary assertions by explicit allowlist.
Completion criteria:
- [ ] Guard tests fail on introduced boundary violations.
- [ ] Allowlist exceptions are minimal and documented.
- [ ] Test project and commands are documented in sprint evidence.
### PLATFORM-BOUND-003 - Introduce explicit query contract interfaces where boundary is implicit
Status: TODO
Dependency: PLATFORM-BOUND-001
Owners: Implementer
Task description:
- For any remaining implicit data coupling paths, introduce explicit query interfaces/adapters to make dependency direction clear.
- Preserve deterministic ordering and tenant isolation semantics of existing read-model endpoints.
Completion criteria:
- [ ] Runtime read-model services depend on explicit contracts rather than ad-hoc persistence internals.
- [ ] Endpoint behavior remains backward-compatible or includes versioned contract notes.
- [ ] Deterministic ordering tests remain green.
### PLATFORM-BOUND-004 - Document boundary policy and migration/runtime separation
Status: TODO
Dependency: PLATFORM-BOUND-002
Owners: Documentation author, Implementer
Task description:
- Update Platform architecture docs with a "runtime boundary policy" section.
- Add clear guidance differentiating:
- migration orchestration references (allowed in database module plugins).
- runtime read-model dependencies (must stay behind explicit contracts).
Completion criteria:
- [ ] `docs/modules/platform/architecture.md` and/or `architecture-overview.md` include boundary policy text and examples.
- [ ] Decision log links to updated docs and guard test evidence.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-05 | Sprint created to execute architecture Point 4 and prevent Platform cross-module coupling regressions. | Project Manager |
## Decisions & Risks
- Platform runtime currently uses in-service read-model services; this sprint codifies and enforces that boundary rather than assuming it remains stable.
- `StellaOps.Platform.Database` migration plugins intentionally reference multiple module persistence assemblies; runtime boundary tests must not conflate migration wiring with runtime coupling.
- Risk: over-restrictive guards can block valid evolution.
- Mitigation: maintain explicit allowlist and update via documented architectural decisions only.
## Next Checkpoints
- Dependency inventory reviewed.
- Guard tests merged and running in CI.
- Boundary policy documented and referenced by docs sprint.
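Review bot: PLATFORM-BOUND-003 requires preserving "deterministic ordering and tenant isolation semantics", but its completion criteria only check that deterministic ordering tests remain green; add a criterion that tenant isolation is test-covered for every read-model endpoint moved behind a new query contract. Also, PLATFORM-BOUND-002 (the guard tests) and PLATFORM-BOUND-003 (the contracts that let code pass them) both depend only on PLATFORM-BOUND-001, so if the guards land first the allowlist has to absorb every implicit coupling path; state the intended order, or require each temporary allowlist entry to reference the PLATFORM-BOUND-003 work that removes it.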

View File

@@ -0,0 +1,129 @@
# Sprint 20260305-006 - Docs Webservice Catalog and Domain Consistency
## Topic & Scope
- Deliver the documentation improvements needed to support points 1-4 implementation and handoff.
- Create one canonical service catalog for webservice domain, hostname, purpose, and persistence backing.
- Resolve stale path/hostname inconsistencies across architecture and operations docs.
- Working directory: `docs`.
- Expected evidence: updated docs pages, link/path validation output, and cross-sprint references in Decisions & Risks.
## Dependencies & Concurrency
- Depends on finalized behavior from:
- `SPRINT_20260305_002_JobEngine_packsregistry_taskrunner_storage_completion.md`
- `SPRINT_20260305_003_Replay_feed_snapshot_storage_completion.md`
- `SPRINT_20260305_004_Remediation_postgres_runtime_wiring.md`
- `SPRINT_20260305_005_Platform_read_model_boundary_enforcement.md`
- Can start in parallel for baseline cleanup, then finalize after implementation sprints converge.
## Documentation Prerequisites
- `docs/implplan/CONSOLIDATION_WEBSERVICE_FUNCTION_DB_MATRIX_20260305.md`
- `docs/technical/architecture/port-registry.md`
- `docs/modules/router/webservices-valkey-rollout-matrix.md`
- `docs/quickstart.md`
- `docs/INSTALL_GUIDE.md`
- `docs/modules/platform/architecture.md`
- `docs/technical/architecture/README.md`
## Delivery Tracker
### DOCS-SVC-001 - Publish canonical webservice catalog page
Status: TODO
Dependency: none
Owners: Documentation author, Project Manager
Task description:
- Create a canonical service-catalog doc listing each webservice with:
- module domain.
- local hostname/domain alias.
- purpose/functional surface summary.
- persistence mode and primary backing technology.
- source path and owner module.
- Mark this catalog as source-of-truth and link it from architecture index pages.
Completion criteria:
- [ ] Canonical catalog exists under `docs/technical/architecture/`.
- [ ] `docs/technical/architecture/README.md` links to the catalog.
- [ ] Catalog includes all active webservices, including Remediation.
### DOCS-SVC-002 - Correct stale path and service-name drift in port registry
Status: TODO
Dependency: DOCS-SVC-001
Owners: Documentation author
Task description:
- Update `docs/technical/architecture/port-registry.md` entries whose source paths no longer match repository layout.
- Add or correct missing service rows where runtime services exist but are absent/inaccurate.
Completion criteria:
- [ ] All path references in the port table resolve to existing directories.
- [ ] Service naming/path mapping matches current module consolidation layout.
- [ ] Port registry includes Remediation or documents its absence with explicit rationale and follow-up.
### DOCS-SVC-003 - Standardize runtime hostname/domain convention guidance
Status: TODO
Dependency: DOCS-SVC-001
Owners: Documentation author
Task description:
- Define canonical runtime hostname form (`*.stella-ops.local`) and document permitted exceptions.
- Normalize conflicting usage examples across quickstart, operations, and API docs.
- Preserve intentional schema ID and non-runtime examples where needed, with explicit explanation.
Completion criteria:
- [ ] Runtime URL examples are consistent with canonical hostname convention.
- [ ] Exception policy is documented (schema IDs, synthetic examples, external references).
- [ ] Search audit evidence is captured in sprint log.
### DOCS-SVC-004 - Update router rollout inventory and service integration docs
Status: TODO
Dependency: DOCS-SVC-002
Owners: Documentation author, Implementer
Task description:
- Update router rollout matrix and integration guide to include missing/renamed services and current route ownership.
- Ensure service hostnames and route prefixes align with the canonical service catalog.
Completion criteria:
- [ ] `docs/modules/router/webservices-valkey-rollout-matrix.md` is synchronized with active service inventory.
- [ ] Missing Remediation routing status is explicitly tracked.
- [ ] Route ownership and fallback notes are current and actionable.
### DOCS-SVC-005 - Synchronize consolidation matrix with verified runtime state
Status: TODO
Dependency: DOCS-SVC-001
Owners: Documentation author, Project Manager
Task description:
- Refresh `CONSOLIDATION_WEBSERVICE_FUNCTION_DB_MATRIX_20260305.md` so per-service DB rows match current code.
- Remove contradictory statements between matrix rows and later remediation-status sections.
Completion criteria:
- [ ] DB/Persistence column reflects verified runtime wiring.
- [ ] Contradictions are removed and replaced by one clear status statement.
- [ ] Matrix references point to current source file paths.
### DOCS-SVC-006 - Add lightweight docs validation for service-path and hostname drift
Status: TODO
Dependency: DOCS-SVC-002
Owners: Test Automation, Documentation author
Task description:
- Add a deterministic docs validation script/check for:
- unresolved service path references in registry tables.
- forbidden runtime hostname variants where canonical form is required.
- Integrate check into docs/testing guidance and optionally CI path filters.
Completion criteria:
- [ ] Validation command/script is documented and runnable locally.
- [ ] At least one failing fixture/case demonstrates drift detection.
- [ ] Sprint log captures validation command output.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-05 | Sprint created to execute documentation improvements and provide an actionable handoff surface for points 1-4. | Project Manager |
## Decisions & Risks
- Current docs contain drift between inventory, runtime wiring notes, and path/domain conventions; this blocks efficient multi-agent execution.
- Canonical catalog and validation checks are required to keep docs synchronized after module consolidation work.
- Risk: broad doc edits can unintentionally rewrite historical examples.
- Mitigation: document exception policy and scope normalization to runtime/service-discovery contexts first.
## Next Checkpoints
- Canonical service catalog draft completed and linked.
- Port registry and router inventory path verification complete.
- Hostname normalization pass completed with validation evidence.
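Review bot: DOCS-SVC-006 depends only on DOCS-SVC-002, yet its second check ("forbidden runtime hostname variants where canonical form is required") needs the canonical form and exception policy that DOCS-SVC-003 defines; add DOCS-SVC-003 as a dependency so the validator does not hard-code a rule before it is agreed. The CI hookup is also worded as optional ("optionally CI path filters") while Decisions & Risks says validation checks are required to keep docs synchronized; make the task description match the stated requirement.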

View File

@@ -242,7 +242,7 @@ Fail-closed controls:
**Modules:** `Attestor`, `ReleaseOrchestrator`, `EvidenceLocker`, `AirGap`, `Policy`
**Docs:** `docs/modules/attestor/repro-bundle-profile.md`, `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
**Docs:** `docs/modules/attestor/repro-bundle-profile.md`, `docs/modules/release-jobengine/workflow/evidence-based-release-gates.md`
### 14. Controlled Conversational Advisor
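Review bot: the Docs path changes to `docs/modules/release-jobengine/workflow/evidence-based-release-gates.md` while the Modules line directly above still names `ReleaseOrchestrator`, which reads like collateral from the Orchestrator-to-JobEngine rename and not a deliberate move of the Release Orchestrator docs. Confirm that the `release-jobengine` directory exists in this commit and is the intended name; if it is, say so once in this file so the module name and its docs path do not look unrelated. The architecture link in the next hunk has the same mismatch between its label ("Release Orchestrator Architecture") and its target.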
@@ -311,7 +311,7 @@ Key controls:
- **Product Vision**: [`docs/product/VISION.md`](product/VISION.md)
- **Architecture Overview**: [`docs/ARCHITECTURE_OVERVIEW.md`](ARCHITECTURE_OVERVIEW.md)
- **Release Orchestrator Architecture**: [`docs/modules/release-orchestrator/architecture.md`](modules/release-orchestrator/architecture.md)
- **Release Orchestrator Architecture**: [`docs/modules/release-jobengine/architecture.md`](modules/release-jobengine/architecture.md)
- **Competitive Landscape**: [`docs/product/competitive-landscape.md`](product/competitive-landscape.md)
- **Quickstart**: [`docs/quickstart.md`](quickstart.md)
- **Feature Matrix**: [`docs/FEATURE_MATRIX.md`](FEATURE_MATRIX.md)

View File

@@ -24,43 +24,36 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Authority](./authority/) | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP |
| [Gateway](./gateway/) | `src/Gateway/` | API gateway with routing and transport abstraction |
| [Router](./router/) | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Note: also contains a `StellaOps.Gateway.WebService` for binary protocol bridging, separate from `src/Gateway/`. |
| [Authority](./authority/) | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP. Includes IssuerDirectory (Sprint 216). |
| [Router](./router/) | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Also contains `StellaOps.Gateway.WebService` for HTTP ingress and binary protocol bridging. |
| [Platform](./platform/) | `src/Platform/` | Platform architecture and Platform Service aggregation APIs |
### Data Ingestion
| Module | Path | Description |
|--------|------|-------------|
| [Concelier](./concelier/) | `src/Concelier/` | Vulnerability advisory ingestion and merge engine |
| [Excititor](./excititor/) | `src/Excititor/` | VEX document ingestion and export |
| [Concelier](./concelier/) | `src/Concelier/` | Vulnerability advisory ingestion and merge engine. Includes Feedser and Excititor (Sprint 203). |
| [VexLens](./vex-lens/) | `src/VexLens/` | VEX consensus computation across issuers |
| [VexHub](./vex-hub/) | `src/VexHub/` | VEX distribution and exchange hub |
| [IssuerDirectory](./issuer-directory/) | `src/IssuerDirectory/` | Issuer trust registry (CSAF publishers) |
| [Feedser](./feedser/) | `src/Feedser/` | Evidence collection library for backport detection |
| [Mirror](./mirror/) | `src/Mirror/` | Vulnerability feed mirror and distribution |
### Scanning & Analysis
| Module | Path | Description |
|--------|------|-------------|
| [Scanner](./scanner/) | `src/Scanner/` | Container scanning with SBOM generation |
| [BinaryIndex](./binary-index/) | `src/BinaryIndex/` | Binary identity extraction and fingerprinting |
| [AdvisoryAI](./advisory-ai/) | `src/AdvisoryAI/` | AI-assisted advisory analysis |
| [Symbols](./symbols/) | `src/Symbols/` | Symbol resolution and debug information |
| [Scanner](./scanner/) | `src/Scanner/` | Container scanning with SBOM generation. Includes Cartographer (Sprint 201). |
| [BinaryIndex](./binary-index/) | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). |
| [AdvisoryAI](./advisory-ai/) | `src/AdvisoryAI/` | AI-assisted advisory analysis. Includes OpsMemory (Sprint 213). |
| [ReachGraph](./reach-graph/) | `src/ReachGraph/` | Reachability graph service |
### Artifacts & Evidence
| Module | Path | Description |
|--------|------|-------------|
| [Attestor](./attestor/) | `src/Attestor/` | in-toto/DSSE attestation generation |
| [Signer](./signer/) | `src/Signer/` | Cryptographic signing operations |
| [Attestor](./attestor/) | `src/Attestor/` | in-toto/DSSE attestation generation. Includes Signer and Provenance (Sprint 204). |
| [SbomService](./sbom-service/) | `src/SbomService/` | SBOM storage, versioning, and lineage ledger |
| [EvidenceLocker](./evidence-locker/) | `src/EvidenceLocker/` | Sealed evidence storage and export |
| [ExportCenter](./export-center/) | `src/ExportCenter/` | Batch export and report generation |
| [Provenance](./provenance/) | `src/Provenance/` | SLSA/DSSE attestation tooling |
| [Provcache](./prov-cache/) | Library | Production provenance cache shared library family |
### Policy & Risk
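Review bot: the Gateway row is removed and the Router row now claims HTTP ingress for `StellaOps.Gateway.WebService`, but unlike the other consolidations in this table (for example "Includes Feedser and Excititor (Sprint 203)") the Router row cites no sprint and does not say what happened to `src/Gateway/`, which the old wording described as separate. Add the sprint reference and an explicit note that the gateway was absorbed from `src/Gateway/`, since this row is now the only place the table says where HTTP ingress lives.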
@@ -68,20 +61,15 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Policy](./policy/) | `src/Policy/` | Policy engine with K4 lattice logic |
| [RiskEngine](./risk-engine/) | `src/RiskEngine/` | Risk scoring runtime |
| [VulnExplorer](./vuln-explorer/) | `src/VulnExplorer/` | Vulnerability exploration and triage |
| [Unknowns](./unknowns/) | `src/Unknowns/` | Unknown component tracking registry |
| [Findings](./findings-ledger/) | `src/Findings/` | Centralized findings aggregation and evidence graphs |
| [Unknowns](./unknowns/) | `src/Unknowns/` | Unknown component tracking registry (boundary preserved, Sprint 206) |
| [Findings](./findings-ledger/) | `src/Findings/` | Centralized findings aggregation and evidence graphs. Includes RiskEngine and VulnExplorer (Sprint 207). |
### Release & Orchestration
| Module | Path | Description |
|--------|------|-------------|
| [ReleaseOrchestrator](./release-orchestrator/) | `src/ReleaseOrchestrator/` | Central release control plane (active development) |
| [Orchestrator](./orchestrator/) | `src/Orchestrator/` | Workflow orchestration and task coordination |
| [Scheduler](./scheduler/) | `src/Scheduler/` | Job scheduling and queue management |
| [TaskRunner](./taskrunner/) | `src/TaskRunner/` | Task pack execution engine |
| [PacksRegistry](./packs-registry/) | `src/PacksRegistry/` | Task packs registry |
| [ReleaseOrchestrator](./release-jobengine/) | `src/ReleaseOrchestrator/` | Central release control plane (active development) |
| [JobEngine](./jobengine/) | `src/JobEngine/` | Workflow orchestration, job scheduling, task execution, and pack registry. Includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). |
| [Remediation](./remediation/) | `src/Remediation/` | Fix template marketplace for CVE remediation |
### Operations & Observability
@@ -89,11 +77,9 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Doctor](./doctor/) | `src/Doctor/` | Diagnostic framework for system health validation |
| [Notify](./notify/) | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) |
| [Notifier](./notifier/) | `src/Notifier/` | Notifications Studio host |
| [OpsMemory](./opsmemory/) | `src/OpsMemory/` | Decision ledger with similarity-based suggestions |
| [Timeline](./timeline/) | `src/Timeline/` | Timeline query service for event browsing |
| [TimelineIndexer](./timeline-indexer/) | `src/TimelineIndexer/` | Timeline event indexing |
| [Notify](./notify/) | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks). Boundary preserved with Notifier (Sprint 209). |
| [Notifier](./notifier/) | `src/Notifier/` | Notifications Studio host. Boundary preserved with Notify (Sprint 209). |
| [Timeline](./timeline/) | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). |
| [Replay](./replay/) | `src/Replay/` | Deterministic replay engine |
### Integration & Clients
@@ -105,10 +91,7 @@ This directory contains architecture documentation for all StellaOps modules.
| [Web/UI](./ui/) | `src/Web/` | Angular 21 frontend SPA |
| [API](./api/) | `src/Api/` | OpenAPI contracts and governance |
| [Registry](./registry/) | `src/Registry/` | Container registry integration |
| [Integrations](./integrations/) | `src/Integrations/` | Integration hub for external systems (SCM, CI, registries, secrets) |
| [Extensions](./extensions/) | `src/Extensions/` | IDE extensions for JetBrains and VS Code |
| [Sdk](./sdk/) | `src/Sdk/` | Client SDK generator and release SDK |
| [DevPortal](./devportal/) | `src/DevPortal/` | Developer portal static site |
| [Integrations](./integrations/) | `src/Integrations/` | Integration hub for external systems (SCM, CI, registries, secrets). Includes IDE extensions (VS Code, JetBrains) under `__Extensions/` (Sprint 214). |
### Infrastructure & Libraries
@@ -123,7 +106,6 @@ This directory contains architecture documentation for all StellaOps modules.
| [AOC](./aoc/) | `src/Aoc/` | Append-Only Contract enforcement |
| [Plugin](./plugin/) | `src/Plugin/` | Plugin SDK, registry, sandbox, and host framework |
| [RuntimeInstrumentation](./runtime-instrumentation/) | `src/RuntimeInstrumentation/` | Tetragon-based eBPF runtime instrumentation |
| [Cartographer](./cartographer/) | `src/Cartographer/` | Infrastructure topology discovery |
| [Facet](./facet/) | Library | Production cross-module faceting library (Scanner + Policy) |
### Testing & Benchmarks
@@ -131,9 +113,7 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Benchmark](./benchmark/) | Scanner library | Competitive benchmarking (accuracy comparison) |
| [Bench](./bench/) | `src/Bench/` | Performance benchmarks |
| [Tools](./tools/) | `src/Tools/` | Developer utility tools (fixtures, golden pairs, smoke tests) |
| [Verifier](./verifier/) | `src/Verifier/` | Standalone evidence bundle verification CLI |
| [Tools](./tools/) | `src/Tools/` | Developer utility tools, benchmarks, SDK generator, verifier, dev portal. Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). |
### Cross-Cutting Concepts
@@ -231,14 +211,14 @@ On-premises OIDC/OAuth2 identity service issuing short-lived, sender-constrained
---
### Bench
- **Source**: `src/Bench/`
- **Docs**: [`docs/modules/bench/`](./bench/)
### Bench (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Bench/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Tool
- **Database**: None
- **Endpoints**: None
Performance benchmark harnesses (BenchmarkDotNet) for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Results establish performance baselines and detect regressions.
Performance benchmark harnesses for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (standalone benchmarks).
@@ -257,14 +237,14 @@ Vulnerable binaries database enabling detection of vulnerable code at the binary
---
### Cartographer
- **Source**: `src/Cartographer/`
- **Docs**: [`docs/modules/cartographer/`](./cartographer/)
### Cartographer (absorbed into Scanner -- Sprint 201)
- **Source**: `src/Scanner/StellaOps.Scanner.Cartographer/` (moved from `src/Cartographer/`)
- **Docs**: Historical doc archived at `docs-archived/modules/cartographer/README.md`; active contract is [`docs/modules/scanner/`](./scanner/)
- **Type**: Service
- **Database**: None
- **Endpoints**: Defined in Program.cs
- **Endpoints**: Defined in Scanner Program.cs
Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator.
Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator. Consolidated into Scanner per Sprint 201.
**Dependencies**: Graph, Scanner.
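Review bot: The unchanged Dependencies line at the end of this entry still reads `Graph, Scanner`, which after the move to `src/Scanner/StellaOps.Scanner.Cartographer/` lists the host module as a dependency of its own component. Either drop Scanner from the list or name the Scanner service that Cartographer calls at runtime. The new Endpoints value, `Defined in Scanner Program.cs`, would also be easier to follow with the full path to that file.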
@@ -309,14 +289,14 @@ Pluggable cryptographic primitives supporting regional standards (eIDAS, FIPS, G
---
### DevPortal
- **Source**: `src/DevPortal/`
- **Docs**: [`docs/modules/devportal/`](./devportal/)
### DevPortal (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.DevPortal.Site/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Static Site
- **Database**: None
- **Endpoints**: None
Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Aggregates OpenAPI specifications from all services for third-party developers and integrators.
Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (static site).
@@ -344,20 +324,20 @@ Diagnostic framework for validating system health, configuration, integration co
Tamper-proof, immutable evidence storage for vulnerability scan evidence, audit logs, and compliance artifacts with cryptographic sealing. Evidence is content-addressable. Once sealed, evidence cannot be modified. Supports threads, verdicts, bundle packaging, and portable bundles for offline compliance audits.
**Dependencies**: Signer, Attestor, Authority, object storage.
**Dependencies**: Attestor, Authority, object storage.
---
### Excititor
- **Source**: `src/Excititor/`
- **Docs**: [`docs/modules/excititor/`](./excititor/)
### Excititor (absorbed into Concelier -- Sprint 203)
- **Source**: `src/Concelier/` (moved from `src/Excititor/`)
- **Docs**: [`docs/modules/excititor/`](./excititor/) (historical reference; see [`docs/modules/concelier/`](./concelier/))
- **Type**: Service
- **Database**: PostgreSQL (10 SQL migrations)
- **Database**: PostgreSQL (10 SQL migrations, separate ExcititorDbContext)
- **Endpoints**: 11 (attestation, evidence, ingest, linkset, mirror, mirror registration, observation, policy, Rekor attestation, resolve, risk feed)
VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged.
VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged. Consolidated into Concelier per Sprint 203; DbContext remains separate.
**Dependencies**: Policy Engine, Concelier, Attestor / Signer, Graph.
**Dependencies**: Policy Engine, Concelier, Attestor, Graph.
---
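Review bot: Signer is dropped from the Dependencies lines of both Evidence Locker and Excititor, yet the Signer entry in this same file keeps Type Service with its own `KeyManagementDbContext`, and the Attestor Trust Domain Model added in this commit says the consolidation preserves runtime service identities. If these modules still call the Signer service at runtime, keep it in the list (for example `Attestor (Signer service)`), so that a reader tracing which modules can request signatures does not lose that edge. If the call path really changed, say so in the description.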
@@ -370,31 +350,31 @@ VEX ingestion and consensus pipeline converting heterogeneous VEX statements (Op
Evidence and policy overlay packaging service producing reproducible, deterministic export bundles in multiple formats (JSON, SARIF, offline kit). Enforces AOC guardrails and produces deterministic manifests with optional signing and distribution to OCI registries or object storage.
**Dependencies**: Findings Ledger, Policy Engine, Orchestrator, Authority, Signer, object storage.
**Dependencies**: Findings Ledger, Policy Engine, JobEngine, Authority, Attestor, object storage.
---
### Extensions
- **Source**: `src/Extensions/`
- **Docs**: [`docs/modules/extensions/`](./extensions/)
- **Type**: IDE Extensions
### Extensions (absorbed into Integrations -- Sprint 214)
- **Source**: `src/Integrations/__Extensions/` (moved from `src/Extensions/`)
- **Docs**: See [Integrations architecture](./integrations/architecture.md#ide-extensions-vs-code-jetbrains)
- **Type**: IDE Extensions (non-.NET: TypeScript/Kotlin)
- **Database**: None
- **Endpoints**: None
IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment.
IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment. Now lives under the Integrations module.
**Dependencies**: Platform API.
**Dependencies**: Platform API, JobEngine API, Authority.
---
### Feedser
- **Source**: `src/Feedser/`
- **Docs**: [`docs/modules/feedser/`](./feedser/)
### Feedser (absorbed into Concelier -- Sprint 203)
- **Source**: `src/Concelier/` (moved from `src/Feedser/`)
- **Docs**: [`docs/modules/feedser/`](./feedser/) (historical reference; see [`docs/modules/concelier/`](./concelier/))
- **Type**: Library
- **Database**: None
- **Endpoints**: None
Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization.
Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization. Consolidated into Concelier per Sprint 203.
**Dependencies**: None (consumed as a library by Concelier).
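Review bot: In the Extensions entry the Dependencies line grows from `Platform API` to `Platform API, JobEngine API, Authority`, but the description only gains "Now lives under the Integrations module", so nothing explains what the IDE extensions call on JobEngine or how they authenticate against Authority. Add one sentence covering both, or revert the dependency list if the move to `src/Integrations/__Extensions/` changed no behaviour. Separately, the Feedser Source is given as the module root `src/Concelier/` while Extensions gets an exact subdirectory; the project path would be more useful.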
@@ -413,16 +393,16 @@ Centralized findings aggregation service providing backport tracking, evidence g
---
### Gateway
- **Source**: `src/Gateway/`
- **Docs**: [`docs/modules/gateway/`](./gateway/)
- **Type**: Service
- **Database**: None (stateless)
- **Endpoints**: None (reverse proxy)
### Gateway (deleted -- Sprint 200)
- **Source**: _(deleted)_ -- Gateway WebService now lives under `src/Router/StellaOps.Gateway.WebService/`
- **Docs**: [`docs-archived/modules/gateway/`](../docs-archived/modules/gateway/) (historical reference)
- **Type**: _(deleted)_
- **Database**: None
- **Endpoints**: None
Single HTTP ingress point for all external traffic providing authentication, routing, OpenAPI aggregation, health monitoring, rate limiting, and tenant propagation. A separate `StellaOps.Gateway.WebService` also exists under `src/Router/` which serves as the transport-layer gateway for the Router's binary protocol.
The standalone `src/Gateway/` module was deleted in Sprint 200. The canonical Gateway WebService (`StellaOps.Gateway.WebService`) now lives under `src/Router/`. The Router module owns HTTP ingress, binary protocol bridging, routing, and transport abstraction.
**Dependencies**: Authority, Router, all microservices (proxied requests).
**Dependencies**: See Router.
---
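Review bot: The replaced Gateway description listed authentication, rate limiting, health monitoring, OpenAPI aggregation and tenant propagation as responsibilities, while the new text gives Router only "HTTP ingress, binary protocol bridging, routing, and transport abstraction", so ownership of those controls is no longer stated anywhere in this entry. State which module now enforces authentication, rate limiting and tenant propagation at the ingress, or confirm that `StellaOps.Gateway.WebService` under `src/Router/` kept them. `**Dependencies**: See Router.` would also read better as a link to the Router entry.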
@@ -452,14 +432,14 @@ Integration hub managing connections to external systems (SCM, CI, registries, s
---
### IssuerDirectory
- **Source**: `src/IssuerDirectory/`
- **Docs**: [`docs/modules/issuer-directory/`](./issuer-directory/)
### IssuerDirectory (absorbed into Authority -- Sprint 216)
- **Source**: `src/Authority/` (moved from `src/IssuerDirectory/`)
- **Docs**: [`docs/modules/issuer-directory/`](./issuer-directory/) (historical reference; see [`docs/modules/authority/`](./authority/))
- **Type**: Service
- **Database**: PostgreSQL (1 SQL migration)
- **Database**: PostgreSQL (1 SQL migration, separate IssuerDirectoryDbContext)
- **Endpoints**: 3 (issuer, issuer key, issuer trust)
Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant.
Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant. Consolidated into Authority per Sprint 216; DbContext remains separate for security isolation.
**Dependencies**: Authority.
@@ -504,42 +484,43 @@ Rules-driven, tenant-aware notification engine providing event consumption, oper
---
### OpsMemory
- **Source**: `src/OpsMemory/`
- **Docs**: [`docs/modules/opsmemory/`](./opsmemory/)
### OpsMemory (consolidated into AdvisoryAI)
- **Source**: `src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/` (library), `src/AdvisoryAI/StellaOps.OpsMemory.WebService/` (service)
- **Docs**: [`docs/modules/advisory-ai/architecture.md` section 15](./advisory-ai/architecture.md#15-opsmemory-operational-memory-and-rag)
- **Archived docs**: `docs-archived/modules/opsmemory/`
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure, schema managed programmatically)
- **Endpoints**: 1 (OpsMemoryEndpoints)
Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation.
Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation. Consolidated from standalone `src/OpsMemory/` module into `src/AdvisoryAI/` per Sprint 213.
**Dependencies**: AdvisoryAI, Authority.
**Dependencies**: AdvisoryAI, Authority, Findings Ledger.
---
### Orchestrator
- **Source**: `src/Orchestrator/`
- **Docs**: [`docs/modules/orchestrator/`](./orchestrator/)
### JobEngine (formerly Orchestrator)
- **Source**: `src/JobEngine/`
- **Docs**: [`docs/modules/jobengine/`](./jobengine/)
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure)
- **Endpoints**: 25 (approvals, audit, circuit breakers, DAG, dead letter, export jobs, first signal, health, jobs, KPIs, ledger, OpenAPI, pack registry, pack runs, quotas, governance, release control v2, release dashboard, releases, runs, scale, SLOs, sources, streams, workers)
Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers.
Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers. Renamed from Orchestrator (Sprint 221). Now includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208).
**Dependencies**: TaskRunner, Concelier / Excititor / Scheduler / ExportCenter / Policy (job producers), Valkey or NATS, Authority.
**Dependencies**: Concelier / Excititor / ExportCenter / Policy (job producers), Valkey or NATS, Authority.
---
### PacksRegistry
- **Source**: `src/PacksRegistry/`
- **Docs**: [`docs/modules/packs-registry/`](./packs-registry/)
### PacksRegistry (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/PacksRegistry/`)
- **Docs**: [`docs/modules/packs-registry/`](./packs-registry/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (`PacksRegistryDbContext`, EF Core managed)
- **Endpoints**: Defined in WebService Program.cs
- **Database**: PostgreSQL (`PacksRegistryDbContext`, EF Core managed, stub)
- **Endpoints**: Defined in JobEngine Program.cs
Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Pack execution is handled by TaskRunner.
Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Consolidated into JobEngine per Sprint 208.
**Dependencies**: TaskRunner, object storage, Authority.
**Dependencies**: JobEngine, object storage, Authority.
---
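Review bot: In the PacksRegistry entry the Database line gains an unexplained qualifier: `PostgreSQL (PacksRegistryDbContext, EF Core managed, stub)`. For a registry described as content-addressed with integrity verification, the reader needs to know whether pack metadata is persisted in PostgreSQL today or whether the DbContext is a placeholder; spell out what "stub" means here. The removed sentence "Pack execution is handled by TaskRunner" also leaves the entry silent on who executes packs now that both modules sit under `src/JobEngine/`.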
@@ -582,16 +563,16 @@ Deterministic policy evaluation engine and gateway service compiling stella-dsl
---
### Provenance
- **Source**: `src/Provenance/`
- **Docs**: [`docs/modules/provenance/`](./provenance/)
### Provenance (absorbed into Attestor -- Sprint 204)
- **Source**: `src/Attestor/` (moved from `src/Provenance/`)
- **Docs**: [`docs/modules/provenance/`](./provenance/) (historical reference; see [`docs/modules/attestor/`](./attestor/))
- **Type**: Library / Tool
- **Database**: None
- **Endpoints**: None
Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at `src/__Libraries/StellaOps.Provcache.Postgres/`.
Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at `src/__Libraries/StellaOps.Provcache.Postgres/`. Consolidated into Attestor per Sprint 204.
**Dependencies**: Signer, Attestor.
**Dependencies**: Attestor.
---
@@ -623,7 +604,7 @@ Docker registry bearer token service issuing short-lived tokens for private or m
### ReleaseOrchestrator
- **Source**: `src/ReleaseOrchestrator/`
- **Docs**: [`docs/modules/release-orchestrator/`](./release-orchestrator/)
- **Docs**: [`docs/modules/release-jobengine/`](./release-jobengine/)
- **Type**: Service (Active Development)
- **Database**: PostgreSQL (planned, via Platform migrations)
- **Endpoints**: 1
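Review bot: The Docs link changes to `docs/modules/release-jobengine/` while the heading stays ReleaseOrchestrator and Source stays `src/ReleaseOrchestrator/`, which looks like the Orchestrator to JobEngine rename applied by search-and-replace to a different module. Confirm that the docs directory was actually renamed in this commit; if it was not, restore `docs/modules/release-orchestrator/` in both the link text and the target.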
@@ -661,8 +642,8 @@ Deterministic replay engine ensuring vulnerability assessments can be reproduced
---
### RiskEngine
- **Source**: `src/RiskEngine/`
- **Docs**: [`docs/modules/risk-engine/`](./risk-engine/)
- **Source**: `src/Findings/StellaOps.RiskEngine.*` (consolidated into Findings, Sprint 207)
- **Docs**: [`docs-archived/modules/risk-engine/`](../../docs-archived/modules/risk-engine/)
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure)
- **Endpoints**: 1 (exploit maturity)
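Review bot: RiskEngine remains Type Service with a live endpoint, but its only Docs link now points to `docs-archived/modules/risk-engine/`, so an active service is documented solely by archived material. Link the active Findings documentation that now covers it, and keep the archive as a secondary reference. The relative target here uses `../../docs-archived/` while the Gateway entry in the same file uses `../docs-archived/`; both cannot resolve from one location, so check which depth is correct.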
@@ -680,9 +661,9 @@ Risk scoring runtime computing deterministic, explainable risk scores by aggrega
- **Database**: None
- **Endpoints**: 4
Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The Router's `StellaOps.Gateway.WebService` bridges binary protocol connections to HTTP; this is separate from `src/Gateway/` which is the HTTP ingress gateway.
Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The `StellaOps.Gateway.WebService` under Router serves as both the HTTP ingress gateway and binary protocol bridge (the standalone `src/Gateway/` was deleted in Sprint 200).
**Dependencies**: Gateway, all microservices, Valkey.
**Dependencies**: Authority, all microservices, Valkey.
---
@@ -725,27 +706,27 @@ Deterministic SBOM generation and vulnerability scanning engine for container im
---
### Scheduler
- **Source**: `src/Scheduler/`
- **Docs**: [`docs/modules/scheduler/`](./scheduler/)
### Scheduler (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/Scheduler/`)
- **Docs**: [`docs/modules/scheduler/`](./scheduler/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (11 SQL migrations)
- **Database**: PostgreSQL (11 SQL migrations, separate SchedulerDbContext)
- **Endpoints**: 8 (event webhook, failure signature, graph job, policy run, policy simulation, run, schedule, resolver job)
Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs.
Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs. Consolidated into JobEngine per Sprint 208; DbContext remains separate.
**Dependencies**: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, Orchestrator.
**Dependencies**: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, JobEngine.
---
### Sdk
- **Source**: `src/Sdk/`
- **Docs**: [`docs/modules/sdk/`](./sdk/)
### Sdk (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Sdk.Generator/`, `src/Tools/StellaOps.Sdk.Release/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Library / Code Generator
- **Database**: None
- **Endpoints**: None
Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Includes `StellaOps.Sdk.Generator` (code generator) and `StellaOps.Sdk.Release` (publishing SDK).
Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: Gateway / OpenAPI specs.
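Review bot: The Sdk entry's unchanged Dependencies line still reads `Gateway / OpenAPI specs`, although this commit marks the Gateway module as deleted and moves the web service under `src/Router/`. Update it to name Router (or the OpenAPI specs alone). The new description also drops the one-line explanation of `StellaOps.Sdk.Generator` versus `StellaOps.Sdk.Release`; the Source line lists both, so a short phrase on each would keep that information.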
@@ -764,14 +745,14 @@ Unified evidence-weighted scoring system aggregating reachability, runtime obser
---
### Signer
- **Source**: `src/Signer/`
- **Docs**: [`docs/modules/signer/`](./signer/)
### Signer (absorbed into Attestor -- Sprint 204)
- **Source**: `src/Attestor/` (moved from `src/Signer/`)
- **Docs**: [`docs/modules/signer/`](./signer/) (historical reference; see [`docs/modules/attestor/`](./attestor/))
- **Type**: Service
- **Database**: PostgreSQL (`KeyManagementDbContext`, 2 SQL migrations)
- **Database**: PostgreSQL (`KeyManagementDbContext`, 2 SQL migrations, separate DbContext)
- **Endpoints**: 3 (ceremony, key rotation, signer)
The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM).
The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM). Consolidated into Attestor per Sprint 204; DbContext remains separate for security isolation.
**Dependencies**: Authority, Cryptography library, KMS/HSM.
@@ -790,29 +771,29 @@ Remote service for Chinese SM2/SM3/SM4 cryptographic operations enabling soverei
---
### Symbols
- **Source**: `src/Symbols/`
- **Docs**: [`docs/modules/symbols/`](./symbols/)
### Symbols (absorbed into BinaryIndex -- Sprint 202)
- **Source**: `src/BinaryIndex/StellaOps.Symbols.*` (moved from `src/Symbols/`)
- **Docs**: [`docs/modules/binary-index/architecture.md`](./binary-index/architecture.md) (Symbols section)
- **Type**: Service
- **Database**: None (content-addressed storage)
- **Endpoints**: 1 (symbol source)
Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores.
Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores. Consolidated into BinaryIndex per Sprint 202.
**Dependencies**: Scanner, BinaryIndex.
---
### TaskRunner
- **Source**: `src/TaskRunner/`
- **Docs**: [`docs/modules/taskrunner/`](./taskrunner/)
### TaskRunner (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/TaskRunner/`)
- **Docs**: [`docs/modules/taskrunner/`](./taskrunner/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (via infrastructure layer)
- **Endpoints**: Defined in WebService/Worker Program.cs
- **Database**: PostgreSQL (via infrastructure layer, stub DbContext)
- **Endpoints**: Defined in JobEngine Program.cs
Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped.
Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped. Consolidated into JobEngine per Sprint 208.
**Dependencies**: Orchestrator, PacksRegistry, Authority, Signer / Attestor, object storage.
**Dependencies**: JobEngine, Authority, Attestor, object storage.
---
@@ -838,20 +819,7 @@ Observability library providing OpenTelemetry-based metrics, traces, and logs wi
Timeline query service providing export, replay, and timeline browsing endpoints for vulnerability history and event streams. Uses shared libraries from `StellaOps.Eventing` for event envelope schemas and `StellaOps.Timeline.Core` for core logic including critical path view.
**Dependencies**: All services (event sources), TimelineIndexer.
---
### TimelineIndexer
- **Source**: `src/TimelineIndexer/`
- **Docs**: [`docs/modules/timeline-indexer/`](./timeline-indexer/)
- **Type**: Service
- **Database**: PostgreSQL (1 SQL migration)
- **Endpoints**: Defined in WebService Program.cs
Timeline event indexing and query service providing fast indexed access to events across all StellaOps services. Receives events from NATS/Valkey streams, indexes them, and provides efficient time-range queries with filtering. Enables vulnerability history browsing, scan timeline analysis, and policy evaluation trail inspection.
**Dependencies**: NATS / Valkey, Timeline.
**Dependencies**: All services (event sources). TimelineIndexer is now consolidated into the Timeline module (`src/Timeline/`).
---
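Review bot: The whole TimelineIndexer entry is removed and replaced by a sentence appended to the Timeline Dependencies line, whereas every other consolidated module in this file keeps its own entry with an "absorbed into" heading. That loses the facts that the indexer has a PostgreSQL database with one SQL migration and consumes NATS / Valkey streams. Keep a short `TimelineIndexer (absorbed into Timeline)` entry with Source, Database and Dependencies, and move the consolidation sentence out of the Dependencies line.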
@@ -881,14 +849,14 @@ Structured registry for tracking unresolved components, symbols, and incomplete
---
### Verifier
- **Source**: `src/Verifier/`
- **Docs**: [`docs/modules/verifier/`](./verifier/)
### Verifier (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Verifier/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: CLI Tool
- **Database**: None
- **Endpoints**: None
Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Validates DSSE envelope signatures, Merkle inclusion proofs, and bundle manifest checksums. Designed for operators and auditors who need independent verification without a full StellaOps installation.
Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (standalone verification).
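Review bot: The new Verifier description removes the sentence stating what the tool checks ("Validates DSSE envelope signatures, Merkle inclusion proofs, and bundle manifest checksums") and who it is for. For an independent verification tool that is the most useful part of the entry for an auditor; keep that sentence and append the "Absorbed into `src/Tools/` as of Sprint 212" note after it, as the Signer and Symbols entries do.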
@@ -921,8 +889,8 @@ VEX consensus viewer and analysis service providing issuer-aware VEX statement e
---
### VulnExplorer
- **Source**: `src/VulnExplorer/`
- **Docs**: [`docs/modules/vuln-explorer/`](./vuln-explorer/)
- **Source**: `src/Findings/StellaOps.VulnExplorer.*` (consolidated into Findings, Sprint 207)
- **Docs**: [`docs-archived/modules/vuln-explorer/`](../../docs-archived/modules/vuln-explorer/)
- **Type**: Service
- **Database**: None (reads from other modules' databases)
- **Endpoints**: Defined in Program.cs

View File

@@ -96,7 +96,7 @@ All context references include `content_hash` and `source_id` enabling verifiabl
- Registered via `AddAdvisoryDeterministicToolset` for reuse across orchestrator, CLI, and services.
- **Orchestration pipeline** — see `orchestration-pipeline.md` for prerequisites, task breakdown, and cross-guild responsibilities before wiring the execution flows.
- **Planned extensions** — NEVRA/EVR comparators, ecosystem-specific normalisers, dependency chain scorers (AIAI-31-003 scope).
- Exposed via internal interfaces to allow orchestrator/toolchain reuse; all helpers stay side-effect free and deterministic for golden testing.
- Exposed via internal interfaces to allow jobengine/toolchain reuse; all helpers stay side-effect free and deterministic for golden testing.
## 6) Output persistence
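Review bot: The last bullet now says `jobengine/toolchain reuse`, but the first bullet of the same list, left unchanged, still says "reuse across orchestrator, CLI, and services". If the word referred to the Orchestrator service, both bullets should use the product name `JobEngine` with its casing; if it was a generic term for any orchestrating caller, this replacement should be reverted.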
@@ -165,3 +165,57 @@ All endpoints accept `profile` parameter (default `fips-local`) and return `outp
- **Offline parity.** Local model profiles are the default; remote inference is opt-in and blocked in sealed mode.
See `docs/modules/advisory-ai/chat-interface.md` and `docs-archived/product/advisories/13-Jan-2026 - Controlled Conversational Interface.md`.
## 15) OpsMemory (Operational Memory and RAG)
> Consolidated from `src/OpsMemory/` into `src/AdvisoryAI/` (Sprint 213, 2026-03-04).
> Archived docs: `docs-archived/modules/opsmemory/`.
### Overview
OpsMemory provides a decision ledger for security operations learning. It captures the complete lifecycle of a security decision -- from situation context through action taken to eventual outcome -- enabling playbook suggestions for future similar situations.
### Source layout (post-consolidation)
- **Library:** `src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/` -- core domain: models, similarity vectors, playbook suggestion engine, storage abstractions.
- **WebService:** `src/AdvisoryAI/StellaOps.OpsMemory.WebService/` -- HTTP API (`/api/v1/opsmemory/*`), auth, Swagger, health checks. Deploys as its own container (`opsmemory-web`).
- **Tests:** `src/AdvisoryAI/__Tests/StellaOps.OpsMemory.Tests/` -- unit (similarity vectors, playbook suggestions, context enrichers, chat provider) and integration (Postgres store with Testcontainers).
### Key components
| Component | Purpose |
|-----------|---------|
| `SimilarityVectorGenerator` | 50-dimensional feature vectors from CVE, severity, reachability, EPSS/CVSS, component type, context tags |
| `PlaybookSuggestionService` | Confidence-ranked suggestions from historical decisions |
| `OutcomeTrackingService` | Records decision outcomes for feedback loop |
| `PostgresOpsMemoryStore` | Postgres storage with array-based cosine similarity (no pgvector dependency) |
| `OpsMemoryChatProvider` | Chat integration for conversational playbook queries |
| `OpsMemoryContextEnricher` | Enriches AdvisoryAI context packs with operational memory |
### API surface
| Method | Path | Description |
|--------|------|-------------|
| POST | `/api/v1/opsmemory/decisions` | Record a new decision |
| GET | `/api/v1/opsmemory/decisions/{id}` | Get decision details |
| POST | `/api/v1/opsmemory/decisions/{id}/outcome` | Record outcome |
| GET | `/api/v1/opsmemory/suggestions` | Get playbook suggestions |
| GET | `/api/v1/opsmemory/decisions` | Query past decisions |
| GET | `/api/v1/opsmemory/stats` | Get statistics |
### Database
OpsMemory uses the shared Postgres instance with an `opsmemory` schema. No EF Core migrations -- schema is managed via raw SQL (`CREATE TABLE opsmemory.decisions ...`). Tenant isolation is enforced at the query level.
Connection contract (Sprint 312 remediation):
- Connection resolution precedence: `ConnectionStrings:OpsMemory` -> `ConnectionStrings:Default`.
- In non-development environments, missing DB configuration is a startup error (fail-fast).
- Localhost fallback is limited to development-only workflows.
### Dependencies
- `StellaOps.Findings.Ledger` (upstream library)
- `StellaOps.Auth.ServerIntegration` (authentication)
- `StellaOps.Determinism.Abstractions` (deterministic time/GUID providers)
- `StellaOps.Localization` (i18n)
- AdvisoryAI core references OpsMemory via ProjectReference for context enrichment
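Review bot: In the Database subsection, "Tenant isolation is enforced at the query level" does not say where the tenant identifier comes from or what backs the filter if a query omits it. Since the service exposes `/api/v1/opsmemory/decisions` and `/suggestions` over a schema shared by all tenants, state that the tenant is taken from the authenticated context rather than a request header, and name the column or filter applied in `PostgresOpsMemoryStore`. The fallback `ConnectionStrings:OpsMemory` -> `ConnectionStrings:Default` also deserves a note on whether the default credential is limited to the `opsmemory` schema.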

View File

@@ -72,4 +72,4 @@ stella promotion preview-gates --promotion <promotion-id> --offline-rekor
- `docs/modules/airgap/README.md`
- `docs/modules/airgap/guides/proof-chain-verification.md`
- `docs/modules/evidence-locker/promotion-evidence-contract.md`
- `docs/modules/release-orchestrator/promotion-runtime-gap-closure-plan.md`
- `docs/modules/release-jobengine/promotion-runtime-gap-closure-plan.md`

View File

@@ -18,7 +18,7 @@ API contains OpenAPI 3.1 specifications for all StellaOps services and governanc
- `policy/openapi.yaml`
- `graph/openapi.yaml`
- `export-center/openapi.yaml`
- `orchestrator/openapi.yaml`
- `jobengine/openapi.yaml`
**Shared Components:**
- `_shared/schemas/` - Common schema definitions

View File

@@ -2660,4 +2660,92 @@ Meter: `StellaOps.Attestor.ProofChain.Receipts.Sidebar`
null/empty/whitespace throws
- DeriveVerificationStatus: single pass, single fail
- Register: null throws
- RegisterContext: null/empty/whitespace bundleId throws
- RegisterContext: null/empty/whitespace bundleId throws
## Advisory Commitments (2026-02-26 Batch)
- `SPRINT_20260226_225_Attestor_signature_trust_and_verdict_api_hardening` governs:
- DSSE signature verifier trust behavior (including deterministic failure reasons).
- authority roster validation for verdict creation.
- authenticated tenant context enforcement over header-only spoofable inputs.
- deterministic verdict retrieval APIs for hash-based lookup.
- Rekor/tile verification commitments from `Deterministic tile verification with Rekor v2` are coordinated with Symbols sprint `SPRINT_20260226_226_Symbols_dsse_rekor_merkle_and_hash_integrity`.
---
## Trust Domain Model (Sprint 204 -- 2026-03-04)
### Overview
As of Sprint 204, the Attestor module directory (`src/Attestor/`) is the trust domain owner for three runtime services and their supporting libraries:
1. **Attestor** -- transparency log submission, inclusion proof verification, evidence caching
2. **Signer** -- DSSE envelope creation, cryptographic signing (keyless/keyful/HSM), entitlement enforcement
3. **Provenance** -- SLSA/DSSE attestation generation, Merkle tree construction, verification tooling
Source consolidation places all trust-domain code under a single directory for ownership clarity, while preserving runtime service identities and security boundaries.
### Trust Data Classification
| Data Category | Owner Service | Storage | Sensitivity |
|---|---|---|---|
| Attestation evidence (proofchain, inclusion proofs, Rekor entries) | Attestor | `attestor` PostgreSQL schema | High -- tamper-evident, integrity-critical |
| Provenance evidence (SLSA predicates, build attestations, Merkle trees) | Provenance (library) | Consumed by Attestor/EvidenceLocker | High -- deterministic, reproducible |
| Signer metadata (audit events, signing ceremony state, rate limits) | Signer | `signer` PostgreSQL schema | High -- operational security |
| Signer key material (KMS/HSM refs, Fulcio certs, trust anchors, rotation state) | Signer (KeyManagement) | `key_management` PostgreSQL schema | Critical -- cryptographic trust root |
### PostgreSQL Schema Ownership
Each trust-domain service retains its own DbContext and dedicated PostgreSQL schema:
- **`attestor` schema** -- Owned by the Attestor service. Contains `entries`, `dedupe`, `audit` tables for transparency log state.
- **`signer` schema** -- Owned by the Signer service. Contains signing ceremony audit, rate limit state, and operational metadata.
- **`key_management` schema** -- Owned by the Signer KeyManagement library. Contains key rotation records, trust anchor configurations, and HSM/KMS binding metadata.
There is **no cross-schema merge**. Each service connects with its own connection string scoped to its own schema.
### Security Boundary: No-Merge Decision (ADR)
**Decision:** Signer key-material isolation from attestation evidence is a deliberate security boundary. The schemas will NOT be merged into a unified DbContext.
**Rationale:**
- A merged DbContext would require a single connection string with access to both key material (signing keys, HSM/KMS bindings, trust anchors) and evidence stores (proofchain entries, Rekor logs).
- This widens the blast radius of any credential compromise: an attacker gaining the Attestor database credential would also gain access to key rotation state and trust anchor configurations.
- Schema isolation is a defense-in-depth measure. Each service authenticates to PostgreSQL independently, with schema-level `GRANT` restrictions.
- The Signer's KeyManagement database contains material that, if compromised, could allow forging of signatures. This material must be isolated from the higher-volume, lower-privilege evidence store.
**Implications:**
- No shared EF Core DbContext across trust services.
- Each service manages its own migrations independently (`src/Attestor/__Libraries/StellaOps.Attestor.Persistence/` for Attestor; `src/Attestor/__Libraries/StellaOps.Signer.KeyManagement/` for Signer key management).
- Cross-service queries (e.g., "find the signing identity for a given attestation entry") use API calls, not database joins.
### Source Layout (post-Sprint 204)
```
src/Attestor/
StellaOps.Attestation/ # DSSE envelope model library
StellaOps.Attestation.Tests/
StellaOps.Attestor/ # Attestor service (Core, Infrastructure, WebService, Tests)
StellaOps.Attestor.Envelope/ # Envelope serialization
StellaOps.Attestor.TileProxy/ # Rekor tile proxy
StellaOps.Attestor.Types/ # Shared predicate types
StellaOps.Attestor.Verify/ # Verification pipeline
StellaOps.Signer/ # Signer service (Core, Infrastructure, WebService, Tests)
StellaOps.Provenance.Attestation/ # Provenance attestation library
StellaOps.Provenance.Attestation.Tool/ # Forensic verification CLI tool
__Libraries/
StellaOps.Attestor.*/ # Attestor domain libraries
StellaOps.Signer.KeyManagement/ # Key rotation and trust anchor management
StellaOps.Signer.Keyless/ # Keyless (Fulcio/Sigstore) signing support
__Tests/
StellaOps.Attestor.*/ # Attestor test projects
StellaOps.Provenance.Attestation.Tests/ # Provenance test project
```
### What Did NOT Change
- **Namespaces** -- All `StellaOps.Signer.*` and `StellaOps.Provenance.*` namespaces are preserved.
- **Runtime service identities** -- Docker image names (`stellaops/signer`), container names, network aliases, and API base paths (`/api/v1/signer/`) are unchanged.
- **Database schemas** -- No schema changes, no migrations, no data movement.
- **API contracts** -- All endpoints including `/api/v1/signer/sign/dsse` remain stable.
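Review bot: The Implications list under the no-merge ADR names migration locations for only two of the three schemas: `StellaOps.Attestor.Persistence` for `attestor` and `StellaOps.Signer.KeyManagement` for `key_management`, with nothing for the `signer` schema that "PostgreSQL Schema Ownership" assigns to the Signer service. Please add that path, or state that the Signer service has no migrations of its own. The Rationale also relies on "schema-level `GRANT` restrictions" without saying where those roles and grants are defined or how they are checked. Since the section presents them as the control that limits blast radius, a pointer to the provisioning script or a verification step would make the ADR auditable. Smaller point: the Overview lists Provenance among "three runtime services", while the classification table and the source layout both call it a library; pick one description.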

View File

@@ -123,3 +123,15 @@ stella bundle verify --bundle light-bundle/ --replay --blob-source https://regis
- `docs/modules/attestor/guides/timestamp-policy.md`
- `docs/modules/attestor/airgap.md`
- `docs/modules/airgap/guides/staleness-and-time.md`
## 8. Deterministic Error Triage Guidance (Sprint 20260226_225)
Use stable error classes to route remediation:
- `signature_untrusted`: key not present in authority roster; refresh roster snapshot and retry.
- `signature_revoked`: signing key revoked; rotate signer and regenerate attestation.
- `tenant_mismatch`: authenticated tenant differs from verdict owner; re-run with correct principal context.
- `verdict_not_found`: no verdict exists for requested hash; verify hash source and storage replication.
Operator rule:
- Do not treat these as transient network faults unless the error class is explicitly retryable.
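Review bot: The operator rule depends on an error class being "explicitly retryable", but none of the four classes in the list above it is marked either way, and `signature_untrusted` ends with "refresh roster snapshot and retry", which an operator could read as a retryable fault. Suggest adding a retryable yes/no marker to each entry, and for `signature_untrusted` saying that the retry is valid only after the roster refresh succeeds. Also worth documenting here: `tenant_mismatch` and `verdict_not_found` together let a caller tell whether a verdict exists for a hash owned by another tenant. If that distinction is meant for operator logs only, state which class the API returns to the caller.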

Some files were not shown because too many files have changed in this diff.