product advisories add change contiang folder
This commit is contained in:
Codex Assistant
@@ -333,7 +333,7 @@ src/Authority/
|
||||
|
||||
## References
|
||||
|
||||
- [14-Dec-2025 Offline and Air-Gap Technical Reference](../product-advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
|
||||
- [14-Dec-2025 Offline and Air-Gap Technical Reference](../product/advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
|
||||
- [Air-Gap Mode Playbook](./airgap-mode.md)
|
||||
- [Offline Kit Documentation](../OFFLINE_KIT.md)
|
||||
- [Importer](./importer.md)
|
||||
|
||||
@@ -507,8 +507,8 @@ groups:
|
||||
## 9. REFERENCES
|
||||
|
||||
- [Offline Update Kit (OUK)](../OFFLINE_KIT.md)
|
||||
- [Offline and Air-Gap Technical Reference](../product-advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
|
||||
- [Determinism and Reproducibility Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
|
||||
- [Offline and Air-Gap Technical Reference](../product/advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
|
||||
- [Determinism and Reproducibility Technical Reference](../product/advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
|
||||
- [Determinism CI Harness](../modules/scanner/design/determinism-ci-harness.md)
|
||||
- [Performance Baselines](../benchmarks/performance-baselines.md)
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
**Version**: 1.0
|
||||
**Status**: Implementation Ready
|
||||
**Source**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
|
||||
**Source**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
|
||||
**Last Updated**: 2025-12-14
|
||||
|
||||
---
|
||||
|
||||
@@ -210,6 +210,6 @@ public record ProofSpineResult
|
||||
|
||||
## Related Documentation
|
||||
|
||||
- [Proof and Evidence Chain Technical Reference](../product-advisories/14-Dec-2025%20-%20Proof%20and%20Evidence%20Chain%20Technical%20Reference.md) - §2.4, §4.2, §9
|
||||
- [Proof and Evidence Chain Technical Reference](../product/advisories/14-Dec-2025%20-%20Proof%20and%20Evidence%20Chain%20Technical%20Reference.md) - §2.4, §4.2, §9
|
||||
- [Content-Addressed IDs](./content-addressed-ids.md)
|
||||
- [DSSE Predicates](./dsse-predicates.md)
|
||||
|
||||
@@ -688,4 +688,4 @@ attestor:
|
||||
- [RFC 6962: Certificate Transparency](https://datatracker.ietf.org/doc/html/rfc6962)
|
||||
- [Sigstore Rekor](https://github.com/sigstore/rekor)
|
||||
- [Transparency.dev Checkpoint Format](https://github.com/transparency-dev/formats)
|
||||
- [Advisory: Rekor Integration Technical Reference](../../../product-advisories/14-Dec-2025%20-%20Rekor%20Integration%20Technical%20Reference.md)
|
||||
- [Advisory: Rekor Integration Technical Reference](../../../product/advisories/14-Dec-2025%20-%20Rekor%20Integration%20Technical%20Reference.md)
|
||||
|
||||
@@ -10,7 +10,7 @@ This document freezes the **offline verification inputs** used by Attestor in se
|
||||
|
||||
## Offline Inputs (Air-Gap / Sealed Mode)
|
||||
|
||||
Baseline directory layout is defined in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`:
|
||||
Baseline directory layout is defined in `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`:
|
||||
|
||||
```
|
||||
/evidence/
|
||||
@@ -26,7 +26,7 @@ Baseline directory layout is defined in `docs/product-advisories/14-Dec-2025 - O
|
||||
The offline kit (or any offline DSSE evidence pack) may include a Rekor receipt alongside a DSSE statement.
|
||||
|
||||
- **Schema:** `docs/modules/attestor/schemas/rekor-receipt.schema.json`
|
||||
- **Source:** `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (Section 13.1) and `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (Section 1.4)
|
||||
- **Source:** `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (Section 13.1) and `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (Section 1.4)
|
||||
|
||||
Fields:
|
||||
- `uuid`: Rekor entry UUID.
|
||||
@@ -50,7 +50,7 @@ Contract:
|
||||
|
||||
Contract:
|
||||
- Files are **NDJSON** (one JSON object per line).
|
||||
- Each line uses the "Rekor Entry Structure" defined in `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (Section 4).
|
||||
- Each line uses the "Rekor Entry Structure" defined in `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (Section 4).
|
||||
- **Deterministic ordering**:
|
||||
- File names sort lexicographically (Ordinal).
|
||||
- Within each file, lines sort by `rekor.logIndex` ascending.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Authority Gap Remediation · AU1–AU10 (31-Nov-2025 Findings)
|
||||
|
||||
Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (AU1–AU10). Scope covers Authority scoping, crypto posture, and verifier/offline expectations.
|
||||
Source: `docs/product/advisories/31-Nov-2025 FINDINGS.md` (AU1–AU10). Scope covers Authority scoping, crypto posture, and verifier/offline expectations.
|
||||
|
||||
## Deliverables & Evidence Map
|
||||
| ID | Requirement (from advisory) | Authority deliverable | Evidence & location |
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Rekor Receipt Remediation · RR1–RR10 (Authority/Attestor/Sbomer)
|
||||
|
||||
Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (RR1–RR10). Scope is Rekor receipt schema/catalog and offline verification path consumed by Authority + Sbomer + Attestor.
|
||||
Source: `docs/product/advisories/31-Nov-2025 FINDINGS.md` (RR1–RR10). Scope is Rekor receipt schema/catalog and offline verification path consumed by Authority + Sbomer + Attestor.
|
||||
|
||||
## Deliverables & Evidence Map
|
||||
| ID | Requirement | Deliverable | Evidence & location |
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
> **Status**: Implementation Complete (Sprint 7100)
|
||||
> **Version**: 1.0.0
|
||||
> **Last Updated**: 2025-12-22
|
||||
> **Source Advisory**: `docs/product-advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md`
|
||||
> **Source Advisory**: `docs/product/advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md`
|
||||
|
||||
## 1. Overview
|
||||
|
||||
|
||||
@@ -875,7 +875,7 @@ binaryindex:
|
||||
|
||||
## 10. References
|
||||
|
||||
- Advisory: `docs/product-advisories/21-Dec-2025 - Mapping Evidence Within Compiled Binaries.md`
|
||||
- Advisory: `docs/product/advisories/21-Dec-2025 - Mapping Evidence Within Compiled Binaries.md`
|
||||
- Scanner Native Analysis: `src/Scanner/StellaOps.Scanner.Analyzers.Native/`
|
||||
- Existing Fingerprinting: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/`
|
||||
- Build-ID Index: `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/`
|
||||
|
||||
@@ -38,7 +38,7 @@ The endpoint reuses `EvidenceBundlePackagingService` and caches the packaged obj
|
||||
|
||||
## Verification guidance
|
||||
|
||||
Upcoming EB1–EB10 remediation (Sprint 0161; advisory `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`):
|
||||
Upcoming EB1–EB10 remediation (Sprint 0161; advisory `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`):
|
||||
- Publish `bundle.manifest.schema.json` and `checksums.schema.json` with canonical JSON rules and signatures.
|
||||
- Document the Merkle hash recipe and DSSE predicate/log policy.
|
||||
- Ship an offline verifier script and golden bundles/replay fixtures to prove determinism.
|
||||
|
||||
@@ -27,6 +27,6 @@ Working directory: `docs/implplan` (sprint coordination) with artefacts in `docs
|
||||
- Bump Evidence Locker and CLI SemVer and changelog once above artefacts are wired (EB10) — **completed** with changelog v1.1.0 and fixture drop; wire binaries/CLI version in next release cut.
|
||||
|
||||
## Dependencies and Links
|
||||
- Advisory: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`
|
||||
- Advisory: `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`
|
||||
- Replay rules: `docs/replay/DETERMINISTIC_REPLAY.md`
|
||||
- Sprint tracking: `docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md` (EVID-GAPS-161-007)
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
> **Status**: Implementation Complete (Sprint 7100)
|
||||
> **Version**: 1.0.0
|
||||
> **Last Updated**: 2025-12-22
|
||||
> **Source Advisory**: `docs/product-advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md`
|
||||
> **Source Advisory**: `docs/product/advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md`
|
||||
|
||||
## 1. Overview
|
||||
|
||||
|
||||
@@ -25,7 +25,7 @@ The Export Center is the dedicated service layer that packages StellaOps evidenc
|
||||
- Integrity: require checksum/signature headers and OCI annotations; mirror delta/tombstone rules documented for adapters.
|
||||
- Security: cross-tenant exports denied by default; enforce approval tokens and encryption recipient validation.
|
||||
- Offline parity: provide export-kit packaging + verify script for air-gap consumers; include fixtures under `src/ExportCenter/__fixtures`.
|
||||
- Advisory link: see `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1–EC10) for original requirements and keep it alongside sprint tasks for implementers.
|
||||
- Advisory link: see `docs/product/advisories/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1–EC10) for original requirements and keep it alongside sprint tasks for implementers.
|
||||
|
||||
## Job lifecycle
|
||||
1. **Profile selection.** Operator or automation picks a profile (`json:raw`, `json:policy`, `trivy:db`, `trivy:java-db`, `mirror:full`, `mirror:delta`) and submits scope selectors (tenant, time window, products, SBOM subjects, ecosystems). See `docs/modules/export-center/profiles.md` for profile definitions and configuration fields.
|
||||
@@ -88,7 +88,7 @@ Audit bundles are a specialized Export Center output: a deterministic, immutable
|
||||
- `GET /v1/audit-bundles` - List previously created bundles.
|
||||
- `GET /v1/audit-bundles/{bundleId}` - Returns job metadata (`Accept: application/json`) or streams bundle bytes (`Accept: application/octet-stream`).
|
||||
- **Typical contents**: vuln reports, SBOM(s), VEX decisions, policy evaluations, and DSSE attestations, plus an integrity root hash and optional OCI reference.
|
||||
- **Reference**: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
|
||||
- **Reference**: `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
|
||||
|
||||
## Adapter responsibilities
|
||||
- **JSON (`json:raw`, `json:policy`).**
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Export Center Determinism & Rerun Hash Guide
|
||||
|
||||
Advisory anchor: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1–EC10).
|
||||
Advisory anchor: `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1–EC10).
|
||||
|
||||
## EC1 — Signed schemas
|
||||
- Export profile schema: `docs/modules/export-center/schemas/export-profile.schema.json` (selectors, approvals, quotas).
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Findings Ledger — FL1–FL10 Remediation (LEDGER-GAPS-121-009)
|
||||
|
||||
**Source advisory:** `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`
|
||||
**Source advisory:** `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`
|
||||
**Created:** 2025-12-02 · **Owner:** Findings Ledger Guild
|
||||
|
||||
## Gap closure map
|
||||
|
||||
@@ -457,7 +457,7 @@ spec:
|
||||
- Router ASP.NET Endpoint Bridge: `docs/modules/router/aspnet-endpoint-bridge.md`
|
||||
- Router Messaging (Valkey) Transport: `docs/modules/router/messaging-valkey-transport.md`
|
||||
- Authority Integration: `docs/modules/authority/architecture.md`
|
||||
- Reference Architecture: `docs/product-advisories/archived/2025-12-21-reference-architecture/`
|
||||
- Reference Architecture: `docs/product/advisories/archived/2025-12-21-reference-architecture/`
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Notify Gaps NR1–NR10 — Remediation Blueprint (source: `docs/product-advisories/31-Nov-2025 FINDINGS.md`)
|
||||
# Notify Gaps NR1–NR10 — Remediation Blueprint (source: `docs/product/advisories/31-Nov-2025 FINDINGS.md`)
|
||||
|
||||
## Scope
|
||||
Close NR1–NR10 by defining contracts, evidence, and deterministic test hooks for the Notifier runtime (service + worker + offline kit). This doc is the detailed layer referenced by sprint `SPRINT_0171_0001_0001_notifier_i` and NOTIFY-GAPS-171-014.
|
||||
|
||||
@@ -12,20 +12,20 @@ This dossier summarises the end-to-end runtime topology after the Aggregation-On
|
||||
|
||||
> Testing strategy models and CI lanes live in `docs/technical/testing/testing-strategy-models.md`, with the source catalog in `docs/technical/testing/TEST_CATALOG.yml`.
|
||||
|
||||
> Planner note: the [SBOM→VEX proof blueprint](../product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md) shows the DSSE → Rekor v2 tiles → VEX linkage, so threat-model and compliance teams can copy the capture/verification checkpoints.
|
||||
> Planner note: the [SBOM→VEX proof blueprint](../product/advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md) shows the DSSE → Rekor v2 tiles → VEX linkage, so threat-model and compliance teams can copy the capture/verification checkpoints.
|
||||
|
||||
> Working on a feature? Check the [Implementor Guidelines](../product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md) to align with the SRS + release playbook checklist before you merge anything into main.
|
||||
> Working on a feature? Check the [Implementor Guidelines](../product/advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md) to align with the SRS + release playbook checklist before you merge anything into main.
|
||||
|
||||
> Need to prove Rekor receipts? The [Rekor Receipt Checklist](../product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md) maps each field to a module owner and explains offline metadata for deterministic re-verification.
|
||||
> Need to prove Rekor receipts? The [Rekor Receipt Checklist](../product/advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md) maps each field to a module owner and explains offline metadata for deterministic re-verification.
|
||||
|
||||
> Taming unknowns? The [Unknowns Decay & Triage Heuristics](../product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md) explains the confidence decay card, triage queue view, and the daily export artifact for planning.
|
||||
> Taming unknowns? The [Unknowns Decay & Triage Heuristics](../product/advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md) explains the confidence decay card, triage queue view, and the daily export artifact for planning.
|
||||
|
||||
> Check the [Ecosystem Reality Test Cases](../product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md) for reproducible acceptance tests based on credential leaks, offline DB schema issues, SBOM parity drift, and scanner version divergence.
|
||||
> Check the [Ecosystem Reality Test Cases](../product/advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md) for reproducible acceptance tests based on credential leaks, offline DB schema issues, SBOM parity drift, and scanner version divergence.
|
||||
|
||||
> Need unblocker tasks? The [Standup Sprint Kickstarters](../product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md) lists three day-0 wins (scanner regressions, Postgres slice, DSSE/Rekor sweep) plus ready-to-copy ticket names.
|
||||
> Compare how evidence/suppression/audit flows work elsewhere via the [Comparative Evidence Patterns](../product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md) brief—Snyk, GitHub, Aqua, Anchore/Grype, Prisma Cloud, and the UX trade-offs.
|
||||
> Need unblocker tasks? The [Standup Sprint Kickstarters](../product/advisories/30-Nov-2025 - Standup Sprint Kickstarters.md) lists three day-0 wins (scanner regressions, Postgres slice, DSSE/Rekor sweep) plus ready-to-copy ticket names.
|
||||
> Compare how evidence/suppression/audit flows work elsewhere via the [Comparative Evidence Patterns](../product/advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md) brief—Snyk, GitHub, Aqua, Anchore/Grype, Prisma Cloud, and the UX trade-offs.
|
||||
|
||||
> Evaluate public scanner incidents? The [Ecosystem Test Cases](../product-advisories/30-Nov-2025 - Ecosystem Test Cases for StellaOps.md) document five hardened regressions (Grype credential leak, Trivy offline schema, SBOM parity, Grype instability) that you can turn into acceptance tests today.
|
||||
> Evaluate public scanner incidents? The [Ecosystem Test Cases](../product/advisories/30-Nov-2025 - Ecosystem Test Cases for StellaOps.md) document five hardened regressions (Grype credential leak, Trivy offline schema, SBOM parity, Grype instability) that you can turn into acceptance tests today.
|
||||
|
||||
## 1 · System landscape
|
||||
|
||||
|
||||
@@ -201,7 +201,7 @@ Per advisory, a release is "done" only if:
|
||||
|
||||
## References
|
||||
|
||||
- **Advisory**: `docs/product-advisories/archived/21-Dec-2025 - Designing Explainable Triage Workflows.md`
|
||||
- **Advisory**: `docs/product/advisories/archived/21-Dec-2025 - Designing Explainable Triage Workflows.md`
|
||||
- **Sprint Summary**: `docs/implplan/SPRINT_7000_SUMMARY.md`
|
||||
- **Individual Sprints**: `docs/implplan/SPRINT_7000_*.md`
|
||||
|
||||
|
||||
@@ -272,5 +272,5 @@ This document captures the gap analysis between the competitive moat advisory an
|
||||
## References
|
||||
|
||||
- **Sprints**: `docs/implplan/SPRINT_4300_*.md`, `SPRINT_4400_*.md`, `SPRINT_4500_*.md`, `SPRINT_4600_*.md`
|
||||
- **Original Advisory**: `docs/product-advisories/archived/19-Dec-2025 - Stella Ops candidate features mapped to moat strength.md`
|
||||
- **Original Advisory**: `docs/product/advisories/archived/19-Dec-2025 - Stella Ops candidate features mapped to moat strength.md`
|
||||
- **Architecture**: `docs/ARCHITECTURE_OVERVIEW.md`
|
||||
|
||||
@@ -781,9 +781,9 @@ audit-bundle-{artifact-digest}.stella.bundle.tgz
|
||||
|
||||
### 12.1 Product Advisories
|
||||
|
||||
- `docs/product-advisories/23-Dec-2026 - Proof‑Driven Moats Stella Ops Can Ship.md`
|
||||
- `docs/product-advisories/23-Dec-2026 - Binary Mapping as Attestable Proof.md`
|
||||
- `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
|
||||
- `docs/product/advisories/23-Dec-2026 - Proof‑Driven Moats Stella Ops Can Ship.md`
|
||||
- `docs/product/advisories/23-Dec-2026 - Binary Mapping as Attestable Proof.md`
|
||||
- `docs/product/advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
|
||||
|
||||
### 12.2 Standards
|
||||
|
||||
|
||||
@@ -682,13 +682,13 @@ stella exception status <request-id>
|
||||
|
||||
The following product advisories provide strategic context for Policy Engine features:
|
||||
|
||||
- **[Consolidated: Diff-Aware Release Gates and Risk Budgets](../../product-advisories/CONSOLIDATED%20-%20Diff-Aware%20Release%20Gates%20and%20Risk%20Budgets.md)** — Master reference for risk budgets, delta verdicts, VEX trust scoring, and release gate policies. Key sections:
|
||||
- **[Consolidated: Diff-Aware Release Gates and Risk Budgets](../../product/advisories/CONSOLIDATED%20-%20Diff-Aware%20Release%20Gates%20and%20Risk%20Budgets.md)** — Master reference for risk budgets, delta verdicts, VEX trust scoring, and release gate policies. Key sections:
|
||||
- §2 Risk Budget Model: Service tier definitions and RP scoring formulas
|
||||
- §4 Delta Verdict Engine: Deterministic evaluation pipeline and replay contract
|
||||
- §5 Smart-Diff Algorithm: Material risk change detection rules
|
||||
- §7 VEX Trust Scoring: Confidence/freshness lattice for VEX source weighting
|
||||
|
||||
- **[Consolidated: Deterministic Evidence and Verdict Architecture](../../product-advisories/CONSOLIDATED%20-%20Deterministic%20Evidence%20and%20Verdict%20Architecture.md)** — Master reference for determinism guarantees, canonical serialization, and signing. Key sections:
|
||||
- **[Consolidated: Deterministic Evidence and Verdict Architecture](../../product/advisories/CONSOLIDATED%20-%20Deterministic%20Evidence%20and%20Verdict%20Architecture.md)** — Master reference for determinism guarantees, canonical serialization, and signing. Key sections:
|
||||
- §3 Canonical Serialization: RFC 8785 JCS + Unicode NFC rules
|
||||
- §5 Signing & Attestation: Keyless signing with Sigstore
|
||||
- §6 Proof-Carrying Reachability: Minimal proof chains
|
||||
@@ -696,7 +696,7 @@ The following product advisories provide strategic context for Policy Engine fea
|
||||
|
||||
- **[Determinism Specification](../../technical/architecture/determinism-specification.md)** — Technical specification for all digest algorithms (VerdictId, EvidenceId, GraphRevisionId, ManifestId) and canonicalization rules.
|
||||
|
||||
- **[Smart-Diff Technical Reference](../../product-advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)** — Detailed algorithm specifications for reachability gates, delta computation, and call-stack analysis.
|
||||
- **[Smart-Diff Technical Reference](../../product/advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)** — Detailed algorithm specifications for reachability gates, delta computation, and call-stack analysis.
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -79,4 +79,4 @@ Establish versioned spine API/DTO schemas with migration rules, determinism guar
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (SP1–SP10)
|
||||
- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`
|
||||
- Advisory: `docs/product/advisories/31-Nov-2025 FINDINGS.md`
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# CVSS v4.0 Receipts – Hardening Guide
|
||||
|
||||
Source advisory: `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (CV1–CV10). This guide turns the gaps into implementable rules for Sprint 0190.
|
||||
Source advisory: `docs/product/advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (CV1–CV10). This guide turns the gaps into implementable rules for Sprint 0190.
|
||||
|
||||
## Canonical hashing (CV2)
|
||||
- Serializer: JSON Canonicalization Scheme (JCS).
|
||||
|
||||
@@ -287,5 +287,5 @@ Future schema versions (e.g., `score.v2`) will include migration guides and back
|
||||
## Related Documentation
|
||||
|
||||
- [Architecture Overview](../ARCHITECTURE_OVERVIEW.md)
|
||||
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
|
||||
- [Determinism Technical Reference](../product/advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
|
||||
- [Policy Engine Architecture](../modules/policy/architecture.md)
|
||||
|
||||
@@ -202,5 +202,5 @@ Gates are included in the reachability report:
|
||||
## Related Documentation
|
||||
|
||||
- [Reachability Architecture](../modules/scanner/architecture.md)
|
||||
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Sections 2.2, 4.3
|
||||
- [Determinism Technical Reference](../product/advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Sections 2.2, 4.3
|
||||
- [Signals Service](../modules/signals/architecture.md)
|
||||
|
||||
@@ -73,6 +73,6 @@ Source: internal advisory “23-Nov-2025 - Where Stella Ops Can Truly Lead”.
|
||||
- `GET /vex/:artifact` — streams OpenVEX with embedded proofs.
|
||||
|
||||
## Links
|
||||
- Advisory source: `docs/product-advisories/23-Nov-2025 - Where Stella Ops Can Truly Lead.md`
|
||||
- Advisory source: `docs/product/advisories/23-Nov-2025 - Where Stella Ops Can Truly Lead.md`
|
||||
- Schemas: `docs/modules/reach-graph/guides/evidence-schema.md`, `docs/modules/reach-graph/guides/hybrid-attestation.md`
|
||||
- Sprint tracking: `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md`
|
||||
|
||||
@@ -31,13 +31,13 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
- `docs/modules/scanner/implementation_plan.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/product-advisories/CONSOLIDATED - Diff-Aware Release Gates and Risk Budgets.md` — Master reference for delta verdicts, smart-diff algorithms, and determinism requirements that Scanner must honor.
|
||||
- `docs/product/advisories/CONSOLIDATED - Diff-Aware Release Gates and Risk Budgets.md` — Master reference for delta verdicts, smart-diff algorithms, and determinism requirements that Scanner must honor.
|
||||
|
||||
## Related Product Advisories
|
||||
- **[Consolidated: Diff-Aware Release Gates and Risk Budgets](../../product-advisories/CONSOLIDATED%20-%20Diff-Aware%20Release%20Gates%20and%20Risk%20Budgets.md)** — Risk budgets, delta verdicts, smart-diff algorithms
|
||||
- **[Consolidated: Deterministic Evidence and Verdict Architecture](../../product-advisories/CONSOLIDATED%20-%20Deterministic%20Evidence%20and%20Verdict%20Architecture.md)** — Determinism guarantees, canonical serialization, keyless signing
|
||||
- **[Consolidated: Diff-Aware Release Gates and Risk Budgets](../../product/advisories/CONSOLIDATED%20-%20Diff-Aware%20Release%20Gates%20and%20Risk%20Budgets.md)** — Risk budgets, delta verdicts, smart-diff algorithms
|
||||
- **[Consolidated: Deterministic Evidence and Verdict Architecture](../../product/advisories/CONSOLIDATED%20-%20Deterministic%20Evidence%20and%20Verdict%20Architecture.md)** — Determinism guarantees, canonical serialization, keyless signing
|
||||
- **[Determinism Specification](../../technical/architecture/determinism-specification.md)** — Technical spec for digest algorithms and canonicalization rules
|
||||
- **[Smart-Diff Technical Reference](../../product-advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)** — Detailed reachability gate and call-stack analysis specs
|
||||
- **[Smart-Diff Technical Reference](../../product/advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)** — Detailed reachability gate and call-stack analysis specs
|
||||
|
||||
## Working Agreement
|
||||
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
|
||||
|
||||
@@ -74,4 +74,4 @@ Define how external SBOM/scan outputs (Syft, Trivy, Clair) are normalized into S
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (CM1–CM10)
|
||||
- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`
|
||||
- Advisory: `docs/product/advisories/31-Nov-2025 FINDINGS.md`
|
||||
|
||||
@@ -72,4 +72,4 @@ Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), an
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (tasks SC1–SC10)
|
||||
- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`
|
||||
- Advisory: `docs/product/advisories/31-Nov-2025 FINDINGS.md`
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# EPSS Integration Architecture
|
||||
|
||||
> **Advisory Source**: `docs/product-advisories/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
|
||||
> **Advisory Source**: `docs/product/advisories/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
|
||||
> **Last Updated**: 2025-12-17
|
||||
> **Status**: Approved for Implementation
|
||||
|
||||
|
||||
@@ -165,5 +165,5 @@ See `docs/api/scanner-drift-api.md` for details.
|
||||
- `docs/implplan/archived/SPRINT_3600_0003_0001_drift_detection_engine.md`
|
||||
- `docs/api/scanner-drift-api.md`
|
||||
- `docs/operations/reachability-drift-guide.md`
|
||||
- `docs/product-advisories/archived/17-Dec-2025 - Reachability Drift Detection.md`
|
||||
- `docs/product/advisories/archived/17-Dec-2025 - Reachability Drift Detection.md`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/`
|
||||
|
||||
@@ -187,4 +187,4 @@ The `scheduler_log` table can be retained for audit purposes or dropped if no lo
|
||||
|
||||
- [Scheduler Architecture](architecture.md)
|
||||
- [HLC Library Documentation](../../__Libraries/StellaOps.HybridLogicalClock/README.md)
|
||||
- [Product Advisory: Audit-safe Job Queue Ordering](../../product-advisories/audit-safe-job-queue-ordering.md)
|
||||
- [Product Advisory: Audit-safe Job Queue Ordering](../../product/advisories/audit-safe-job-queue-ordering.md)
|
||||
|
||||
@@ -207,7 +207,7 @@ The Signals module maintains strict determinism:
|
||||
|
||||
## Related Documentation
|
||||
|
||||
- Product Advisory: `docs/product-advisories/24-Dec-2025 - Evidence-Weighted Score Model.md`
|
||||
- Product Advisory: `docs/product/advisories/24-Dec-2025 - Evidence-Weighted Score Model.md`
|
||||
- Sprint Plans: `docs/implplan/SPRINT_8200_0012_*.md`
|
||||
- Policy Confidence (deprecated): `docs/modules/policy/confidence-scoring.md`
|
||||
- Backport Detection: `docs/modules/concelier/backport-detection.md`
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Confidence Decay Controls · Signals Runtime
|
||||
|
||||
**Compiled:** 2025-12-01 (UTC)
|
||||
**Scope:** Close U1–U10 gaps from `docs/product-advisories/31-Nov-2025 FINDINGS.md` for confidence decay of unknowns/signals.
|
||||
**Scope:** Close U1–U10 gaps from `docs/product/advisories/31-Nov-2025 FINDINGS.md` for confidence decay of unknowns/signals.
|
||||
**Status:** Draft for review on 2025-12-03; to be signed (DSSE) after sign-off.
|
||||
|
||||
## Decisions (U1–U10)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Signals Heuristic Catalog · Deterministic Scoring
|
||||
|
||||
**Compiled:** 2025-12-01 (UTC)
|
||||
**Scope:** Close UT1–UT10 gaps from `docs/product-advisories/31-Nov-2025 FINDINGS.md` by publishing a signed heuristic catalog and golden outputs.
|
||||
**Scope:** Close UT1–UT10 gaps from `docs/product/advisories/31-Nov-2025 FINDINGS.md` by publishing a signed heuristic catalog and golden outputs.
|
||||
**Status:** Draft; target publish 2025-12-05 with DSSE signature.
|
||||
|
||||
## Decisions (UT1–UT10)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Unknowns Registry & Scoring Manifest
|
||||
|
||||
**Compiled:** 2025-12-01 (UTC)
|
||||
**Scope:** Close UN1–UN10 gaps from `docs/product-advisories/31-Nov-2025 FINDINGS.md` for Unknowns Registry.
|
||||
**Scope:** Close UN1–UN10 gaps from `docs/product/advisories/31-Nov-2025 FINDINGS.md` for Unknowns Registry.
|
||||
**Status:** Draft; review 2025-12-04; DSSE signing required before adoption.
|
||||
|
||||
## Decisions (UN1–UN10)
|
||||
|
||||
@@ -94,6 +94,6 @@
|
||||
- **Fail-closed gates (TP10):** Approval/policy/timeline gates default to fail-closed on missing evidence, expired DSSE, or absent quotas; remediation hints surface in `pack_run_logs` and API error payloads.
|
||||
|
||||
## 13. References
|
||||
- Product advisory: `docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md`.
|
||||
- Product advisory: `docs/product/advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md`.
|
||||
- Task Pack spec + authoring + runbook: `docs/modules/packs-registry/guides/spec.md`, `docs/modules/packs-registry/guides/authoring-guide.md`, `docs/modules/packs-registry/guides/runbook.md`.
|
||||
- Migration detail: `docs/modules/taskrunner/migrations/pack-run-collections.md`.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Telemetry Gap Remediation (TO1–TO10) — v1 · 2025-12-01
|
||||
|
||||
Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (Telemetry gaps TO1–TO10).
|
||||
Source: `docs/product/advisories/31-Nov-2025 FINDINGS.md` (Telemetry gaps TO1–TO10).
|
||||
Scope: telemetry core (collectors/SDK defaults/bundles) across services; applicable to default/forensic/airgap profiles.
|
||||
|
||||
## Decisions (mapped to gaps)
|
||||
|
||||
@@ -172,6 +172,6 @@ Aggregated daily statistics for efficient dashboard queries:
|
||||
|
||||
## Related Documentation
|
||||
|
||||
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Section 13.2
|
||||
- [Determinism Technical Reference](../product/advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Section 13.2
|
||||
- [Scanner Architecture](../modules/scanner/architecture.md)
|
||||
- [Telemetry Stack](../modules/telemetry/architecture.md)
|
||||
|
||||
@@ -417,7 +417,7 @@ Load tests validate TTFS performance under realistic conditions.
|
||||
|
||||
## 13) References
|
||||
|
||||
- Advisory: `docs/product-advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
|
||||
- Advisory: `docs/product/advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
|
||||
- Sprint 1 (Foundation): `docs/implplan/SPRINT_0338_0001_0001_ttfs_foundation.md`
|
||||
- Sprint 2 (API): `docs/implplan/SPRINT_0339_0001_0001_first_signal_api.md`
|
||||
- Sprint 3 (UI): `docs/implplan/SPRINT_0340_0001_0001_first_signal_card_ui.md`
|
||||
|
||||
@@ -122,7 +122,7 @@ Each feature folder builds as a **standalone route** (lazy loaded). All HTTP sha
|
||||
* **VEX decisions**: evidence-first VEX modal with scope + validity + evidence links; bulk apply supported; uses `/v1/vex-decisions`.
|
||||
* **Audit bundles**: "Create immutable audit bundle" UX to build and download an evidence pack; uses `/v1/audit-bundles`.
|
||||
* **Schemas**: `docs/modules/vuln-explorer/schemas/vex-decision.schema.json`, `docs/modules/attestor/schemas/attestation-vuln-scan.schema.json`, `docs/modules/evidence-locker/schemas/audit-bundle-index.schema.json`.
|
||||
* **Reference**: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
|
||||
* **Reference**: `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
|
||||
|
||||
### 3.10 Integration Hub (Sprint 011)
|
||||
|
||||
|
||||
@@ -205,7 +205,7 @@ EvidencePanel:
|
||||
- TypeScript tokens: `src/Web/StellaOps.Web/src/app/styles/motion-tokens.ts`
|
||||
- Storybook stories: `src/Web/StellaOps.Web/src/stories/motion-tokens.stories.ts`
|
||||
- TTFS Architecture: `docs/modules/telemetry/ttfs-architecture.md`
|
||||
- Advisory: `docs/product-advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
|
||||
- Advisory: `docs/product/advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -79,7 +79,7 @@ CLI mirrors these endpoints (`stella findings list|view|update|export`). Console
|
||||
|
||||
## 8) VEX-First Triage UX
|
||||
|
||||
> Reference: Product advisory `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
|
||||
> Reference: Product advisory `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
|
||||
|
||||
### 8.1 Evidence-First Finding Cards
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Zastava Runtime Signals Gaps (ZR1–ZR10)
|
||||
|
||||
**Source:** `docs/product-advisories/31-Nov-2025 FINDINGS.md`
|
||||
**Source:** `docs/product/advisories/31-Nov-2025 FINDINGS.md`
|
||||
**Compiled:** 2025-12-02 (UTC)
|
||||
**Scope:** Close ZR1–ZR10 for Observer + Webhook (Surface.Env/Secrets/FS) with offline parity and auditability.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user