consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions

@@ -15,6 +15,8 @@ Product strategy, competitive analysis, and marketing bridge documents.
| [ebpf-micro-witness-determinism.md](ebpf-micro-witness-determinism.md) | eBPF micro-witness deterministic replay profile and current implementation gaps |
| [portable-audit-pack-plan.md](portable-audit-pack-plan.md) | Portable supply-chain audit pack rollout plan |
| [reachability-benchmark-launch.md](reachability-benchmark-launch.md) | Reachability benchmark launch materials |
| [advisory-translation-20260226.md](advisory-translation-20260226.md) | Advisory to sprint/module traceability for 2026-02-26 batch |
| [advisory-translation-20260304.md](advisory-translation-20260304.md) | Advisory to sprint/module traceability for 2026-03-04 batch |
## Audience
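
Review bot: The two `advisory-translation-*` rows are appended after `reachability-benchmark-launch.md`, while the visible rows above them are in alphabetical order by filename (`ebpf-micro-witness-determinism.md`, `portable-audit-pack-plan.md`, `reachability-benchmark-launch.md`). If the table is meant to stay sorted, move both rows above the `ebpf-micro-witness-determinism.md` row. If registers are meant to be listed chronologically at the end, a short comment or sub-heading saying so would keep the next batch consistent.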

@@ -3,8 +3,8 @@
This directory contains only advisories that are not yet translated into sprint execution.
Current status:
- No open advisories in the 2026-02-20 through 2026-02-26 batch.
- No open advisories in the 2026-02-28 through 2026-03-04 batch.
Related records:
- Translation register: `docs/product/advisory-translation-20260226.md`
- Archive log: `docs-archived/product/advisories/ARCHIVE_LOG_20260303.md`
- Translation register: `docs/product/advisory-translation-20260304.md`
- Archive log: `docs-archived/product/advisories/ARCHIVE_LOG_20260304.md`
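
Review bot: Under "Related records", the pointer to `docs/product/advisory-translation-20260226.md` is replaced rather than kept next to the new `advisory-translation-20260304.md` line, so this file no longer leads to the earlier batch's register or to `ARCHIVE_LOG_20260303.md`, even though the product index in this commit lists both registers. Keep the earlier register and archive log as additional bullets, or link to the index instead. The status line has the same effect on dates: the old range ended at 2026-02-26 and the new one starts at 2026-02-28, so 2026-02-27 is covered by neither; say explicitly that no advisories arrived that day or widen the range.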

@@ -0,0 +1,71 @@
# Advisory Translation Register (2026-03-04 Batch)
This register maps advisories received between 2026-02-28 and 2026-03-04 to code-backed gaps, active implementation sprints, and module documentation commitments.
Batch scope:
- 2026-02-28 advisories: 3
- 2026-03-01 advisories: 2
- 2026-03-04 advisories: 6
- Total advisories translated: 11
## Topic Clusters
| Cluster ID | Topic | Included Advisories |
| --- | --- | --- |
| CL-01 | Trace lineage and smart-diff evidence chain | `2026-02-28 - Auditor-first differentiator mocks`, `2026-03-04 - Smart-diff and binary provenance chain`, `2026-03-04 - Smart-diff algorithm knobs and delta_manifest recipe`, `2026-03-04 - Trace-to-source lineage and reproducible replay harness`, `2026-03-04 - Unified call-stack analyzer and micro-witness schema` |
| CL-02 | Deterministic signed scoring and explainability UX | `2026-03-04 - Deterministic scoring formula and DSSE vectors`, `2026-03-04 - Signed-score explainability UI pattern`, `2026-02-28 - Auditor-first differentiator mocks` |
| CL-03 | Auditable unknown and VEX lifecycle | `2026-03-01 - Auditable unknown VEX lifecycle design`, `2026-02-28 - Closing Stella's top product and roadmap gaps` |
| CL-04 | Federation and remediation marketplace moat execution | `2026-02-28 - Five concrete moats with measurable milestones`, `2026-03-01 - Three dominant vendor architecture patterns`, `2026-02-28 - Closing Stella's top product and roadmap gaps` |
## Confirmed Code-Backed Gaps
| Gap ID | Module | Evidence | Gap Summary |
| --- | --- | --- | --- |
| SCN-001 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` | `DeltaCompareService` still uses placeholder compare logic and `GetComparisonAsync` returns `null`. |
| SCN-002 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ActionablesEndpoints.cs` | Actionables output is demo/sample data rather than findings-derived recommendations. |
| SCN-003 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Builder/ChangeTraceBuilder.cs` | `BuildPlaceholderTrace` path is still active with TODO integration notes. |
| SCN-004 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.Runtime/Ingestion/TraceIngestionService.cs` | `GetTracesForScanAsync` is TODO and always returns an empty list. |
| SCN-005 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Stack/ReachabilityResultFactory.cs` | Exploitable verdicts return placeholder `Unknown()` instead of affected `PathWitness` results. |
| SCN-006 | Scanner/Web | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScoreReplayEndpoints.cs`, `src/Web/StellaOps.Web/src/app/core/api/proof.client.ts` | Replay route contract mismatch (`/score/{scanId}/...` vs `/scans/{scanId}/score/...`) and missing aligned score-history path contract. |
| SCN-007 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Services/DeterministicScoringService.cs` | Deterministic score is hash projection only, without factorized explainability contract. |
| VEX-001 | VexLens | `src/VexLens/StellaOps.VexLens/Models/NormalizedVexModels.cs`, `src/VexLens/StellaOps.VexLens.Core/Normalization/VexLensNormalizer.cs` | Unknown status is not first-class in normalized enum path and defaults collapse to `under_investigation`. |
| UNK-001 | Unknowns | `src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/Postgres/Repositories/PostgresUnknownRepository.cs`, `src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/EfCore/Repositories/UnknownEfRepository.cs` | Provenance-hints persistence/query methods are unimplemented (`NotImplementedException`). |
| POL-001 | Policy | `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyModels.cs`, `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs` | Score policy schema requires `policyId` but runtime model omits it. |
| TEL-001 | Telemetry | `src/Telemetry/StellaOps.Telemetry.Federation/Consent/ConsentManager.cs`, `src/Telemetry/StellaOps.Telemetry.Federation/Bundles/FederatedTelemetryBundleBuilder.cs` | Federation DSSE envelope generation is placeholder in consent and bundle paths. |
| REM-001 | Remediation | `src/Remediation/StellaOps.Remediation.WebService/Endpoints/RemediationSourceEndpoints.cs` | Marketplace source endpoints are stubs; create/update returns `501 NotImplemented`. |
| FE-001 | Web | `src/Web/StellaOps.Web/src/app/features/security/vulnerability-detail-page.component.ts` | Security detail page uses hardcoded vulnerability data payload. |
| FE-002 | Web | `src/Web/StellaOps.Web/src/app/features/security-risk/vulnerability-detail-page.component.ts` | Security-risk detail page remains placeholder-only (`CVE-UNKNOWN` route fallback). |
| FE-003 | Web | `src/Web/StellaOps.Web/src/app/core/api/proof.client.ts` and test tree inspection | No dedicated FE test coverage exists for score replay client and vulnerability detail page contracts. |
## Advisory to Sprint Mapping
| Advisory | Primary Sprint(s) |
| --- | --- |
| `2026-02-28 - Auditor-first differentiator mocks` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| `2026-02-28 - Five concrete moats with measurable milestones` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening`, `SPRINT_20260304_308_Remediation_marketplace_sources_api_completion` |
| `2026-02-28 - Closing Stella's top product and roadmap gaps` | `SPRINT_20260304_304_Unknowns_provenance_hints_persistence_completion`, `SPRINT_20260304_305_VexLens_unknown_lifecycle_and_merge_determinism`, `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening` |
| `2026-03-01 - Auditable unknown VEX lifecycle design` | `SPRINT_20260304_304_Unknowns_provenance_hints_persistence_completion`, `SPRINT_20260304_305_VexLens_unknown_lifecycle_and_merge_determinism`, `SPRINT_20260304_306_Policy_score_policy_contract_consistency` |
| `2026-03-01 - Three dominant vendor architecture patterns` | `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening`, `SPRINT_20260304_308_Remediation_marketplace_sources_api_completion` |
| `2026-03-04 - Deterministic scoring formula and DSSE vectors` | `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_306_Policy_score_policy_contract_consistency`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| `2026-03-04 - Smart-diff algorithm knobs and delta_manifest recipe` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion` |
| `2026-03-04 - Smart-diff and binary provenance chain` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion` |
| `2026-03-04 - Trace-to-source lineage and reproducible replay harness` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment` |
| `2026-03-04 - Unified call-stack analyzer and micro-witness schema` | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| `2026-03-04 - Signed-score explainability UI pattern` | `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
## Module Documentation Commitments
- `docs/modules/scanner/architecture.md`
- `docs/modules/scanner/design/change-trace-architecture.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/modules/unknowns/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/telemetry/architecture.md`
- `docs/modules/web/architecture.md`
- `docs/modules/remediation/architecture.md`
## Translation Status
- All advisories from the 2026-02-28 through 2026-03-04 batch are translated into active sprint scope.
- Advisory files are archived under `docs-archived/product/advisories/` with archive log `ARCHIVE_LOG_20260304.md`.
- Open advisories directory status is reset to "no open advisories for this batch".
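
Review bot: The opening sentence says the register maps advisories to code-backed gaps and sprints, but no table ties a Gap ID to a sprint or to an advisory: "Confirmed Code-Backed Gaps" has no sprint column and "Advisory to Sprint Mapping" has no gap column. As written, the "Translation Status" statement that the whole batch is in active sprint scope cannot be checked per gap, for example for TEL-001 (placeholder DSSE envelope generation) or FE-003 (no test coverage). Add a Gap ID column to the mapping table or a separate gap-to-sprint table. In the FE-003 row, the evidence "and test tree inspection" is not a path; name the directory that was inspected so the finding can be reproduced.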

@@ -28,8 +28,8 @@ This document is the **authoritative source** for all competitive positioning cl
| REACH-002 | "Signed reachability graphs with DSSE attestation" | `src/Attestor/` module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in `src/Scanner/Analyzers/` | High | 2025-12-14 | 2026-03-14 |
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | `src/Symbols/` module; `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/`; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type `application/vnd.stella.symbols.manifest.v1+json`; `src/Symbols/` server REST API | High | 2026-02-19 | 2026-05-19 |
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | `src/BinaryIndex/__Libraries/StellaOps.Symbols.*` (moved from `src/Symbols/`); `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/`; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type `application/vnd.stella.symbols.manifest.v1+json`; `src/BinaryIndex/StellaOps.Symbols.Server/` REST API | High | 2026-02-19 | 2026-05-19 |
### 3. VEX & Lattice Claims
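
Review bot: In the REACH-005 and REACH-006 rows the evidence paths change to `src/BinaryIndex/...`, but the two trailing date columns stay at 2026-02-19 and 2026-05-19. If the evidence was re-checked at the new location as part of this move, update the dates; if not, the rows now cite paths that were never verified under the recorded date. The parenthetical "(moved from `src/Symbols/`)" in REACH-005 is change history that belongs in the commit message rather than the evidence cell, and the glob `StellaOps.Symbols.*` is less precise than the concrete `src/BinaryIndex/StellaOps.Symbols.Server/` path used for REACH-006; list the specific libraries that back the claim.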