consolidation of some of the modules, localization fixes, product advisories work, qa work
@@ -82,3 +82,25 @@ All responses include provenance fields (`consensus_digest`, `derived_from`, DSS
- Bundle format: `consensus.jsonl`, `conflicts.jsonl`, `manifest.json`, `signatures/`. Each record references raw statement digests and trust metadata.
- Export Center uses the bundle for mirror profiles; CLI supports `stella vex consensus export` mirroring the API.
## 9) Advisory Gap Status (2026-03-04 Batch)
Status: implementation delivered in Sprint 305.
- Normalized status contract now exposes explicit `unknown` (`VexStatus.Unknown`) in active model paths.
- Normalizers preserve unknown semantics instead of collapsing unrecognized statuses to `under_investigation`:
- OpenVEX unknown values map to `unknown`.
- CycloneDX unknown `analysis.state` maps to `unknown` with warning `WARN_CDX_008`.
- CSAF explicit unknown product status categories (`known_unknown`, `unknown`) map to `unknown`.
- Consensus merge precedence is deterministic with explicit tie-breaks:
- trust weight desc
- statement timestamp desc
- lexical source id asc
- statement id asc
- Unresolvable ties now remain explicit `unknown` with `indeterminate` outcome and zero confidence.
- Projection storage/list/history ordering includes deterministic secondary keys for equal timestamps in both in-memory and Postgres paths.
- Projection API contracts include unknown audit fields (`unknownRationale`, `unknownProvenanceTrace`) for summary/detail responses.
Closure sprint:
- `docs/implplan/SPRINT_20260304_305_VexLens_unknown_lifecycle_and_merge_determinism.md`
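Review bot: In the consensus merge bullets, the four-key precedence (ending in `statement id asc`) and the next bullet on "unresolvable ties" read as contradictory: if statement ids are unique, the last key always selects a winner, so it is unclear which ties remain `unknown` with `indeterminate` outcome and zero confidence. State the condition that makes a tie unresolvable, for example at which key the comparison stops, so implementers and auditors apply the same rule. Also specify the comparison used for `lexical source id asc` (ordinal versus culture-sensitive), since the stated goal is determinism, and say whether the OpenVEX and CSAF unknown mappings emit a warning the way the CycloneDX mapping emits `WARN_CDX_008`.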