diff --git a/AGENTS.md b/AGENTS.md index 2c14a5812..52bf95491 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -24,10 +24,11 @@ All modules are contained by one or more projects. Each project goes in its dedi - **Ops posture**: offline‑first, allowlist for remote hosts, strict schema validation, gated LLM fallback (only where explicitly configured). ## 3.3) Task workflow & guild coordination -- **Always sync state before coding.** When you pick up a task, immediately flip its status from `TODO` (or current state) to `DOING` in **both** `docs/implplan/SPRINTS.md` and the module’s local `TASKS.md`. Tasks must return to `TODO` if you step away, or `DONE` when you ship. +- **Always sync state before coding.** When you pick up a task, immediately flip its status from `TODO` (or current state) to `DOING` in **both** `docs/implplan/SPRINT_*.md` and the module’s local `TASKS.md`. Tasks must return to `TODO` if you step away, or `DONE` when you ship. - **Read the local agent charter first.** Every task directory must contain an `AGENTS.md` describing roles, expectations, and required prep docs. Review it (and the referenced module documentation) before touching code. -- **Mirror state across artefacts.** Any status update in `TASKS.md` requires the same change in `SPRINTS.md`, plus context noted in commit/PR descriptions. +- **Mirror state across artefacts.** Any status update in `TASKS.md` requires the same change in `SPRINT_*.md`, plus context noted in commit/PR descriptions. - **Document prerequisites.** If an `AGENTS.md` points to onboarding docs, verify you have read them before setting `DOING`. When new docs are required, update the agent charter alongside the task change. +- **Coordination**. Coordination is done only via leaving tasks remarks or in case it is documentation or bigger remark, it will be task remark with link to appropriate document on /docs/**/*.md # 4) Modules StellaOps ships as containerised building blocks; each module owns a clear boundary and has its own code folder, deployable image, and deep-dive architecture dossier. 
@@ -201,9 +202,9 @@ You main characteristics: - **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. - **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. - **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. -- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. +- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINT_*.md file. - **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. -- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. +- **Sprint synchronization**: When given task seek for relevant directory to work on from correspoding sprint file SPRINT_*.md. Confirm its state on both correspoding sprint file SPRINT_*.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. - **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. 
- **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. - **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. @@ -218,7 +219,7 @@ You main characteristics: - Review the relevant module dossier (for example, `docs/modules/authority/architecture.md`) before editing component-specific content. ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both corresponding `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/AGENTS.md b/docs/AGENTS.md index 0fcbad36c..b58076872 100644 --- a/docs/AGENTS.md +++ b/docs/AGENTS.md 
@@ -27,7 +27,7 @@ Produce and maintain offline-friendly documentation for StellaOps modules, cover - Module-specific README and architecture dossiers for the area you are updating (for example, `docs/modules/concelier/README.md` and `docs/modules/concelier/architecture.md`) ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `../implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/TASKS.md b/docs/TASKS.md index fb827527c..147448336 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md 
@@ -33,7 +33,7 @@ | DOCS-SCANNER-BENCH-62-004 | TODO | Docs Guild, Java Analyzer Guild | DOCS-SCANNER-BENCH-62-003 | Document Java lockfile ingestion plan and associated policy templates per `scanning-gaps-stella-misses-from-competitors.md`. | Draft guidance published; policy examples reviewed. | | DOCS-SCANNER-BENCH-62-005 | TODO | Docs Guild, Go Analyzer Guild | DOCS-SCANNER-BENCH-62-004 | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Docs updated with inferred module policy patterns. | | DOCS-SCANNER-BENCH-62-006 | TODO | Docs Guild, Rust Analyzer Guild | DOCS-SCANNER-BENCH-62-005 | Document Rust fingerprint enrichment guidance and policy examples. | Docs cover heuristic vs authoritative crate handling. | -| DOCS-SCANNER-BENCH-62-007 | DOING (2025-11-02) | Docs Guild, Security Guild | DOCS-SCANNER-BENCH-62-006 | Produce secret leak detection documentation (rules, policy templates) once implementation lands. | Docs include rule bundle guidance and policy patterns. | +| DOCS-SCANNER-BENCH-62-007 | DONE (2025-11-05) | Docs Guild, Security Guild | DOCS-SCANNER-BENCH-62-006 | Produce secret leak detection documentation (rules, policy templates) once implementation lands. | `modules/scanner/operations/secret-leak-detection.md` published; benchmarks doc updated; policy patterns documented. | | DOCS-SCANNER-BENCH-62-008 | TODO | Docs Guild, EntryTrace Guild | DOCS-SCANNER-BENCH-62-007 | Publish EntryTrace explain/heuristic maintenance guide per `scanning-gaps-stella-misses-from-competitors.md`. | Guide covers cadence, contribution workflow, and policy predicates. | | DOCS-SCANNER-BENCH-62-009 | DONE (2025-11-02) | Docs Guild, Ruby Analyzer Guild | DOCS-SCANNER-BENCH-62-008 | Extend Ruby ecosystem gap analysis in `scanning-gaps-stella-misses-from-competitors.md` with implementation notes, detection tables, and backlog mapping. | Ruby section updated with competitor techniques, task linkage, and scoring rationale. 
| | DOCS-SCANNER-BENCH-62-010 | DONE (2025-11-02) | Docs Guild, PHP Analyzer Guild | DOCS-SCANNER-BENCH-62-009 | Document PHP analyzer parity gaps with detection technique tables and policy hooks. | PHP section merged with plan references and backlog linkage. | diff --git a/docs/backlog/2025-10-cleanup.md b/docs/backlog/2025-10-cleanup.md index e99149fed..25e9d1d01 100644 --- a/docs/backlog/2025-10-cleanup.md +++ b/docs/backlog/2025-10-cleanup.md @@ -14,4 +14,4 @@ This note captures the Sprint backlog hygiene pass applied on 26 October 2025. T ## Follow-up - Update module task boards only under their active backlogs (`src/Notifier/StellaOps.Notifier`, Cartographer, Vuln Explorer). - Ensure future ingestion tasks reference AOC guardrails and avoid derived semantics. -- Cross-check `../implplan/SPRINTS.md` after adding new tasks to keep tables consistent with module `TASKS.md` files. +- Cross-check correspoding sprint file `../implplan/SPRINT_*.md` after adding new tasks to keep tables consistent with module `TASKS.md` files. diff --git a/docs/benchmarks/scanner/deep-dives/secrets.md b/docs/benchmarks/scanner/deep-dives/secrets.md index c11bd5ec8..8eeb0070c 100644 --- a/docs/benchmarks/scanner/deep-dives/secrets.md +++ b/docs/benchmarks/scanner/deep-dives/secrets.md 
@@ -1,11 +1,13 @@ -# Secret Handling +# Secret Handling & Leak Detection -## StellaOps approach -- Detailed Policy/Security briefing: `../../modules/policy/secret-leak-detection-readiness.md`. -- Secrets treated as operational inputs delivered through Surface.Secrets (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets` and documented in `docs/modules/scanner/design/surface-secrets.md`). -- Providers support Kubernetes Secrets, file-based bundles, and inline definitions; configuration resolved via Surface.Env with validation gates from Surface.Validation. -- Secret placeholders (`secret://type/name`) are resolved before analyzers execute, with results wrapped in secure handles and rotation metadata checked at startup. -- Scanner deliberately avoids scanning artefacts for secret disclosure to preserve deterministic SBOM pipelines and avoid exposing sensitive payloads. +## StellaOps approach (2025.11 release) +- Read the Policy/Security briefing: `../../modules/policy/secret-leak-detection-readiness.md`. +- Operational runbook: `../../modules/scanner/operations/secret-leak-detection.md`. +- Surface.Secrets continues to deliver operational credentials through secure handles (`docs/modules/scanner/design/surface-secrets.md`), with providers supporting Kubernetes Secrets, file bundles, and inline definitions validated by Surface.Validation. +- New `StellaOps.Scanner.Analyzers.Secrets` plug-in executes DSSE-signed rule bundles (`offline/rules/secrets//`) with deterministic regex/entropy detectors. Bundles load at worker start and emit masked findings. +- Findings flow into `ScanAnalysisStore` as `secret.leak` evidence, propagated to policy overlays, CLI/export artifacts, and Explain traces. Payloads remain masked (`AKIA****B7` format) and are never persisted in plaintext. +- Policy Engine introduces `secret.*` helpers so tenants can block, warn, or waive based on rule ID, severity, confidence, and bundle version. 
+- Offline parity remains intact: rule bundles, DSSE manifests, and optional Rekor proofs ship with the Offline Kit; deployments can operate fully air-gapped. ## Trivy approach - Secret scanning integrated as an analyzer under `pkg/fanal/secret`, applying regex-based detectors across plaintext files and certain bytecode (e.g., `.pyc`). 
@@ -23,15 +25,15 @@ - Operators must rely on external tooling for leak detection while Grype focuses exclusively on vulnerability matching.[g1] ## Key differences -- **Purpose**: StellaOps focuses on secure retrieval/validation of operational secrets; Trivy and Snyk Code detect leaked secrets, whereas Grype omits secret detection entirely. -- **Workflow**: StellaOps’ secret lifecycle is pre-scan configuration; Trivy and Snyk analyse content at scan time (Snyk requiring SaaS connectivity), and Grype requires external tooling for leak detection. -- **Determinism**: StellaOps avoids non-deterministic leak scans; Trivy and Snyk’s detectors may evolve with rule updates; Grype remains deterministic by not attempting secret discovery. +- **Purpose**: StellaOps now covers both operational secret retrieval *and* deterministic leak detection; Trivy and Snyk focus exclusively on leak detection while Grype omits it. +- **Workflow**: StellaOps performs leak detection in-line during scans with offline rule bundles and policy-aware outcomes; Trivy/Snyk rely on mutable rule packs or SaaS classifiers; Grype delegates to external tools. +- **Determinism**: StellaOps signs every bundle and records bundle IDs in explain traces; Trivy and Snyk update rules continuously (risking drift); Grype remains deterministic by not scanning. ### Detection technique comparison | Tool | Detection technique(s) | Merge / result handling | Notes | | --- | --- | --- | --- | -| **StellaOps (current)** | `Surface.Secrets` providers fetch credentials at runtime; no leak scanning today. | Secrets resolve to opaque handles stored in scan metadata; no SBOM entries emitted. | Deterministic and explainable; avoids exposing payloads. | -| **StellaOps (planned)** | `StellaOps.Scanner.Analyzers.Secrets` plug-in executing signed rule bundles. | Findings inserted into `ScanAnalysisStore` as `secret.leak` evidence; Policy Engine merges with component context and lattice scores. 
| Rules packaged offline; CLI/reporting masks payloads while surfacing rule IDs. | +| **StellaOps (≤ 2025.10)** | `Surface.Secrets` providers fetch credentials at runtime; no leak scanning. | Secrets resolve to opaque handles stored in scan metadata; no SBOM entries emitted. | Deterministic secret retrieval only (legacy behaviour). | +| **StellaOps (2025.11+)** | `StellaOps.Scanner.Analyzers.Secrets` plug-in executes DSSE-signed rule bundles. | Findings inserted into `ScanAnalysisStore` as `secret.leak` evidence; Policy Engine merges with component context and lattice scores; CLI/export mask payloads. | Rule bundles ship offline, signatures verified locally; see operations runbook for rollout. | | **Trivy** | Regex + entropy detectors under `pkg/fanal/secret` (configurable via `trivy-secret.yaml`). | Detectors aggregate per file; results exported alongside vulnerability findings without provenance binding. | Ships built-in rule sets; users can add allow/block lists. | | **Snyk** | Snyk Code SaaS classifiers invoked by CLI plugin (`src/lib/plugins/sast`). | Source uploaded to SaaS; issues returned with severity + remediation; no offline merge with SBOM data. | Requires authenticated cloud access; rules evolve server-side. | | **Grype** | None (focuses on vulnerability matching). | — | Operators must integrate separate tooling for leak detection. | @@ -40,3 +42,4 @@ - [s1] `/tmp/snyk-cli/src/lib/plugins/sast` - [s2] `/tmp/snyk-cli/README.md` - [g1] `/tmp/grype/README.md` +- StellaOps runbook: `../../modules/scanner/operations/secret-leak-detection.md` diff --git a/docs/dev/authority-plugin-di-coordination.md b/docs/dev/authority-plugin-di-coordination.md index b8364e33f..1c9ec6cb4 100644 --- a/docs/dev/authority-plugin-di-coordination.md +++ b/docs/dev/authority-plugin-di-coordination.md 
@@ -73,5 +73,5 @@ This document tracks preparation, agenda, and outcomes for the scoped-service wo | Confirm meeting time | Alicia Rivera | 2025-10-19 15:30 UTC | DONE | Calendar invite sent; all required attendees accepted | | Compile Authority plug-in DI entry points | Jasmin Patel | 2025-10-20 | DONE (2025-10-20) | Scoped-service touchpoints summarised in **Pre-work References** and **Preliminary Findings** ahead of the workshop. | | Outline scoped-session pattern for background jobs | Leah Chen | 2025-10-21 | DONE (2025-10-20) | Pattern agreed: bootstrap services must open transient scopes per execution via `IServiceScopeFactory`; document update to follow in PLUGIN-DI-08-002 patch. | -| Update PLUGIN-DI-08-002 implementation plan | Alicia Rivera | 2025-10-21 | DONE (2025-10-20) | Task board + SPRINTS updated with scoped-integration delivery notes and test references. | -| Sync Authority host backlog | Mohan Singh | 2025-10-21 | DONE (2025-10-20) | Authority/Plugin TASKS.md and SPRINTS entries reflect scoped-service completion. | +| Update PLUGIN-DI-08-002 implementation plan | Alicia Rivera | 2025-10-21 | DONE (2025-10-20) | Task board + correspoding sprint file `../implplan/SPRINT_*.md` updated with scoped-integration delivery notes and test references. | +| Sync Authority host backlog | Mohan Singh | 2025-10-21 | DONE (2025-10-20) | Authority/Plugin TASKS.md and correspoding sprint file `../implplan/SPRINT_*.md` entries reflect scoped-service completion. | diff --git a/docs/devops/contracts-and-rules.md b/docs/devops/contracts-and-rules.md index c425a73c1..c93f0876e 100644 --- a/docs/devops/contracts-and-rules.md +++ b/docs/devops/contracts-and-rules.md 
@@ -16,7 +16,7 @@ source-of-truth backlogs so that subsequent sprints do not re‑introduce confli ## Tracking & documentation -- ✅ Rules recorded in `docs/implplan/SPRINTS.md` (Sprint 33) and `ops/devops/TASKS.md`. +- ✅ Rules recorded in correspoding sprint file `/docs/implplan/SPRINT_*.md` (Sprint 33) and `/docs/ops/devops/TASKS.md`. - ✅ Repository-wide references to “Cartographer as active platform” updated (see backlog note amendment and doc banner). - ✅ Changelog entry (`docs/updates/2025-10-30-devops-governance.md`) captures reviewer acknowledgement. diff --git a/docs/implplan/SPRINTS.md b/docs/implplan/SPRINTS.md index 2184cf328..22c9b5b70 100644 --- a/docs/implplan/SPRINTS.md +++ b/docs/implplan/SPRINTS.md 
@@ -114,7 +114,8 @@ Follow the sprint files below in order. Update task status in both `SPRINTS` and > 2025-11-02: DOCS-SCANNER-BENCH-62-004 added (Docs Guild, Java Analyzer Guild) – documenting Java lockfile ingestion plan and policy templates. > 2025-11-02: DOCS-SCANNER-BENCH-62-005 added (Docs Guild, Go Analyzer Guild) – documenting Go stripped-binary fallback enrichment guidance. > 2025-11-02: DOCS-SCANNER-BENCH-62-006 added (Docs Guild, Rust Analyzer Guild) – documenting Rust fingerprint enrichment guidance. -> 2025-11-02: DOCS-SCANNER-BENCH-62-007 added (Docs Guild, Security Guild) – documenting secret leak detection guidance. +> 2025-11-02: DOCS-SCANNER-BENCH-62-007 added (Docs Guild, Security Guild) – documenting secret leak detection guidance. +> 2025-11-05: DOCS-SCANNER-BENCH-62-007 marked DONE (Docs Guild, Security Guild) – secret leak detection runbook, benchmark updates, and policy templates published. > 2025-11-02: DOCS-SCANNER-BENCH-62-008 added (Docs Guild, EntryTrace Guild) – documenting EntryTrace heuristic maintenance guidance. > 2025-11-02: DOCS-SCANNER-BENCH-62-009 added (Docs Guild, Ruby Analyzer Guild) – deepening Ruby gap analysis with detection tables; status set to DOING. > 2025-11-02: DOCS-SCANNER-BENCH-62-010 added (Docs Guild, PHP Analyzer Guild) – documenting PHP analyzer parity gaps; status set to DOING. diff --git a/docs/implplan/SPRINT_200_documentation_process.md b/docs/implplan/SPRINT_200_documentation_process.md index bebd813b8..f45f53df4 100644 --- a/docs/implplan/SPRINT_200_documentation_process.md +++ b/docs/implplan/SPRINT_200_documentation_process.md 
@@ -212,7 +212,7 @@ DOCS-SCANNER-BENCH-62-003 | TODO | Capture Python lockfile/editable install requ DOCS-SCANNER-BENCH-62-004 | TODO | Document Java lockfile ingestion guidance and policy templates. | Docs Guild, Java Analyzer Guild (docs/TASKS.md) DOCS-SCANNER-BENCH-62-005 | TODO | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Docs Guild, Go Analyzer Guild (docs/TASKS.md) DOCS-SCANNER-BENCH-62-006 | TODO | Document Rust fingerprint enrichment guidance and policy examples. | Docs Guild, Rust Analyzer Guild (docs/TASKS.md) -DOCS-SCANNER-BENCH-62-007 | DOING (2025-11-02) | Produce secret leak detection documentation (rules, policy templates). | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-SCANNER-BENCH-62-007 | DONE (2025-11-05) | Produce secret leak detection documentation (rules, policy templates). | Docs Guild, Security Guild (docs/TASKS.md) — Operations runbook + benchmarks update delivered. DOCS-SCANNER-BENCH-62-008 | TODO | Publish EntryTrace explain/heuristic maintenance guide. | Docs Guild, EntryTrace Guild (docs/TASKS.md) DOCS-SCANNER-BENCH-62-009 | TODO | Produce SAST integration documentation (connector framework, policy templates). | Docs Guild, Policy Guild (docs/TASKS.md) DOCS-TEN-47-001 | TODO | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs Guild, Authority Core (docs/TASKS.md) diff --git a/docs/modules/advisory-ai/AGENTS.md b/docs/modules/advisory-ai/AGENTS.md index ae84725ef..189323a19 100644 --- a/docs/modules/advisory-ai/AGENTS.md +++ b/docs/modules/advisory-ai/AGENTS.md 
@@ -11,7 +11,7 @@ Advisory AI is the retrieval-augmented assistant that synthesizes advisory and V ## How to get started 1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. +2. Open correspoding sprint file `/docs/implplan/SPRINT_*.md` and locate stories for this component. 3. Check ./TASKS.md and update status before/after work. 4. Read README/architecture for design context and update as the implementation evolves. @@ -28,7 +28,7 @@ Advisory AI is the retrieval-augmented assistant that synthesizes advisory and V - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/advisory-ai/implementation_plan.md b/docs/modules/advisory-ai/implementation_plan.md index 5dcf28d22..37b1558e5 100644 --- a/docs/modules/advisory-ai/implementation_plan.md +++ b/docs/modules/advisory-ai/implementation_plan.md @@ -15,5 +15,5 @@ ## Coordination - Review ./AGENTS.md before picking up work. -- Sync with owners listed in docs/implplan/SPRINTS.md. +- Sync with owners listed in sprint file `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/attestor/AGENTS.md b/docs/modules/attestor/AGENTS.md index 32c13087d..5e1393970 100644 
--- a/docs/modules/attestor/AGENTS.md +++ b/docs/modules/attestor/AGENTS.md @@ -10,7 +10,7 @@ Attestor moves signed evidence through the trust chain by accepting DSSE bundles - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -28,7 +28,7 @@ Attestor moves signed evidence through the trust chain by accepting DSSE bundles - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/attestor/TASKS.md b/docs/modules/attestor/TASKS.md index e9c83a74a..2fd8aab05 100644 --- a/docs/modules/attestor/TASKS.md +++ b/docs/modules/attestor/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | ATTESTOR-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | ATTESTOR-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| ATTESTOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| ATTESTOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/authority/AGENTS.md b/docs/modules/authority/AGENTS.md index eaebf6137..0b609001b 100644 --- a/docs/modules/authority/AGENTS.md +++ b/docs/modules/authority/AGENTS.md @@ -10,7 +10,7 @@ Authority is the platform OIDC/OAuth2 control plane that mints short-lived, send - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -27,7 +27,7 @@ Authority is the platform OIDC/OAuth2 control plane that mints short-lived, send - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/authority/TASKS.md b/docs/modules/authority/TASKS.md index 63f3c646a..6113aae78 100644 --- a/docs/modules/authority/TASKS.md +++ b/docs/modules/authority/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | AUTHORITY-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | AUTHORITY-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| AUTHORITY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| AUTHORITY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/authority/implementation_plan.md b/docs/modules/authority/implementation_plan.md index eaa6547d1..f90448c4d 100644 --- a/docs/modules/authority/implementation_plan.md +++ b/docs/modules/authority/implementation_plan.md 
@@ -18,5 +18,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/ci/AGENTS.md b/docs/modules/ci/AGENTS.md index dc321c7f4..6ba14de5f 100644 --- a/docs/modules/ci/AGENTS.md +++ b/docs/modules/ci/AGENTS.md @@ -10,7 +10,7 @@ CI module collects reproducible pipeline recipes for builds, tests, and release - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ CI module collects reproducible pipeline recipes for builds, tests, and release - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/ci/TASKS.md b/docs/modules/ci/TASKS.md index 9d9e87996..748148f04 100644 --- a/docs/modules/ci/TASKS.md 
+++ b/docs/modules/ci/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | CI RECIPES-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | CI RECIPES-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CI RECIPES-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| CI RECIPES-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/ci/implementation_plan.md b/docs/modules/ci/implementation_plan.md index 549370acb..f07d02eed 100644 --- a/docs/modules/ci/implementation_plan.md +++ b/docs/modules/ci/implementation_plan.md @@ -17,5 +17,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/cli/AGENTS.md b/docs/modules/cli/AGENTS.md index f2abd1d53..ab452831c 100644 --- a/docs/modules/cli/AGENTS.md +++ b/docs/modules/cli/AGENTS.md 
@@ -10,7 +10,7 @@ The `stella` CLI is the operator-facing Swiss army knife for scans, exports, pol - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ The `stella` CLI is the operator-facing Swiss army knife for scans, exports, pol - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/cli/TASKS.md b/docs/modules/cli/TASKS.md index 6f4020bfd..99585791e 100644 --- a/docs/modules/cli/TASKS.md +++ b/docs/modules/cli/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | CLI-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | CLI-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CLI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| CLI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/cli/guides/cli-reference.md b/docs/modules/cli/guides/cli-reference.md index 951e3f35d..578e769ef 100644 --- a/docs/modules/cli/guides/cli-reference.md +++ b/docs/modules/cli/guides/cli-reference.md 
@@ -1,298 +1,298 @@ -# CLI AOC Commands Reference - -> **Audience:** DevEx engineers, operators, and CI authors integrating the `stella` CLI with Aggregation-Only Contract (AOC) workflows. -> **Scope:** Command synopsis, options, exit codes, and offline considerations for `stella sources ingest --dry-run` and `stella aoc verify` as introduced in Sprint 19. - +# CLI AOC Commands Reference + +> **Audience:** DevEx engineers, operators, and CI authors integrating the `stella` CLI with Aggregation-Only Contract (AOC) workflows. +> **Scope:** Command synopsis, options, exit codes, and offline considerations for `stella sources ingest --dry-run` and `stella aoc verify` as introduced in Sprint 19. + Both commands are designed to enforce the AOC guardrails documented in the [aggregation-only reference](../../../ingestion/aggregation-only-contract.md) and the [architecture overview](../architecture.md). They consume Authority-issued tokens with tenant scopes and never mutate ingestion stores. - ---- - -## 1 · Prerequisites - -- CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled). -- Required scopes (DPoP-bound): - - `advisory:read` for Concelier sources. - - `vex:read` for Excititor sources (optional but required for VEX checks). - - `aoc:verify` to invoke guard verification endpoints. - - `tenant:select` if your deployment uses tenant switching. -- Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4). -- Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache. - ---- - -## 2 · `stella sources ingest --dry-run` - -### 2.1 Synopsis - -```bash -stella sources ingest --dry-run \ - --source \ - --input \ - [--tenant ] \ - [--format json|table] \ - [--no-color] \ - [--output ] -``` - -### 2.2 Description - -Previews an ingestion write without touching MongoDB. 
The command loads an upstream advisory or VEX document, computes the would-write payload, runs it through the `AOCWriteGuard`, and reports any forbidden fields, provenance gaps, or idempotency issues. Use it during connector development, CI validation, or while triaging incidents. - -### 2.3 Options - -| Option | Description | -|--------|-------------| -| `--source ` | Logical source name (`redhat`, `ubuntu`, `osv`, etc.). Mirrors connector configuration. | -| `--input ` | Path to local CSAF/OSV/VEX file or HTTPS URI. CLI normalises transport (gzip/base64) before guard evaluation. | -| `--tenant ` | Overrides default tenant for multi-tenant deployments. Mandatory when `STELLA_TENANT` is not set. | -| `--format json|table` | Output format. `table` (default) prints summary with highlighted violations; `json` emits machine-readable report (see below). | -| `--no-color` | Disables ANSI colour output for CI logs. | -| `--output ` | Writes the JSON report to file while still printing human-readable summary to stdout. | - -### 2.4 Output schema (JSON) - -```json -{ - "source": "redhat", - "tenant": "default", - "guardVersion": "1.0.0", - "status": "ok", - "document": { - "contentHash": "sha256:…", - "supersedes": null, - "provenance": { - "signature": { "format": "pgp", "present": true } - } - }, - "violations": [] -} -``` - -When violations exist, `status` becomes `error` and `violations` contains entries with `code` (`ERR_AOC_00x`), a short `message`, and JSON Pointer `path` values indicating offending fields. - -### 2.5 Exit codes - -| Exit code | Meaning | -|-----------|---------| -| `0` | Guard passed; would-write payload is AOC compliant. | -| `11` | `ERR_AOC_001` – Forbidden field (`severity`, `cvss`, etc.) detected. | -| `12` | `ERR_AOC_002` – Merge attempt (multiple upstream sources fused). | -| `13` | `ERR_AOC_003` – Idempotency violation (duplicate without supersedes). | -| `14` | `ERR_AOC_004` – Missing provenance fields. 
| -| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | -| `16` | `ERR_AOC_006` – Effective findings present (Policy-only data). | -| `17` | `ERR_AOC_007` – Unknown top-level fields / schema violation. | -| `70` | Transport error (network, auth, malformed input). | - -> Exit codes map directly to the `ERR_AOC_00x` table for scripting consistency. Multiple violations yield the highest-priority code (e.g., 11 takes precedence over 14). - -### 2.6 Examples - -Dry-run a local CSAF file: - -```bash -stella sources ingest --dry-run \ - --source redhat \ - --input ./fixtures/redhat/RHSA-2025-1234.json -``` - -Stream from HTTPS and emit JSON for CI: - -```bash -stella sources ingest --dry-run \ - --source osv \ - --input https://osv.dev/vulnerability/GHSA-aaaa-bbbb \ - --format json \ - --output artifacts/osv-dry-run.json - -cat artifacts/osv-dry-run.json | jq '.violations' -``` - -### 2.7 Offline notes - -When operating in sealed/offline mode: - -- Use `--input` paths pointing to Offline Kit snapshots (`offline-kit/advisories/*.json`). -- Provide `--tenant` explicitly if the offline bundle contains multiple tenants. -- The command does not attempt network access when given a file path. -- Store reports with `--output` to include in transfer packages for policy review. - ---- - -## 3 · `stella aoc verify` - -### 3.1 Synopsis - -```bash -stella aoc verify \ - [--since ] \ - [--limit ] \ - [--sources ] \ - [--codes ] \ - [--format table|json] \ - [--export ] \ - [--tenant ] \ - [--no-color] -``` - -### 3.2 Description - -Replays the AOC guard against stored raw documents. By default it checks all advisories and VEX statements ingested in the last 24 hours for the active tenant, reporting totals, top violation codes, and sample documents. Use it in CI pipelines, scheduled verifications, or during incident response. - -### 3.3 Options - -| Option | Description | -|--------|-------------| -| `--since ` | Verification window. 
Accepts ISO 8601 timestamp (`2025-10-25T12:00:00Z`) or duration (`48h`, `7d`). Defaults to `24h`. | -| `--limit ` | Maximum number of violations to display (per code). `0` means show all. Defaults to `20`. | -| `--sources ` | Comma-separated list of sources (`redhat,ubuntu,osv`). Filters both advisories and VEX entries. | -| `--codes ` | Restricts output to specific `ERR_AOC_00x` codes. Useful for regression tracking. | -| `--format table|json` | `table` (default) prints summary plus top violations; `json` outputs machine-readable report identical to the `/aoc/verify` API. | -| `--export ` | Writes the JSON report to disk (useful for audits/offline uploads). | -| `--tenant ` | Overrides tenant context. Required for cross-tenant verifications when run by platform operators. | -| `--no-color` | Disables ANSI colours. | - -`table` mode prints a summary showing the active tenant, evaluated window, counts of checked advisories/VEX statements, the active limit, total writes/violations, and whether the page was truncated. Status is colour-coded as `ok`, `violations`, or `truncated`. When violations exist the detail table lists the code, total occurrences, first sample document (`source` + `documentId` + `contentHash`), and JSON pointer path. - -### 3.4 Report structure (JSON) - -```json -{ - "tenant": "default", - "window": { - "from": "2025-10-25T12:00:00Z", - "to": "2025-10-26T12:00:00Z" - }, - "checked": { - "advisories": 482, - "vex": 75 - }, - "violations": [ - { - "code": "ERR_AOC_001", - "count": 2, - "examples": [ - { - "source": "redhat", - "documentId": "advisory_raw:redhat:RHSA-2025:1", - "contentHash": "sha256:…", - "path": "/content/raw/cvss" - } - ] - } - ], - "metrics": { - "ingestion_write_total": 557, - "aoc_violation_total": 2 - }, - "truncated": false -} -``` - -### 3.5 Exit codes - -| Exit code | Meaning | -|-----------|---------| -| `0` | Verification succeeded with zero violations. | -| `11…17` | Same mapping as § 2.5 when violations are detected. 
Highest-priority code returned. | -| `18` | Verification ran but results truncated (limit reached) – treat as warning; rerun with higher `--limit`. | -| `70` | Transport/authentication error. | -| `71` | CLI misconfiguration (missing tenant, invalid `--since`, etc.). | - -### 3.6 Examples - -Daily verification across all sources: - -```bash -stella aoc verify --since 24h --format table -``` - -CI pipeline focusing on errant sources and exporting evidence: - -```bash -stella aoc verify \ - --sources redhat,ubuntu \ - --codes ERR_AOC_001,ERR_AOC_004 \ - --format json \ - --limit 100 \ - --export artifacts/aoc-verify.json - -jq '.violations[] | {code, count}' artifacts/aoc-verify.json -``` - -Air-gapped verification using Offline Kit snapshot (example script): - -```bash -stella aoc verify \ - --since 7d \ - --format json \ - --export /mnt/offline/aoc-verify-$(date +%F).json - -sha256sum /mnt/offline/aoc-verify-*.json > /mnt/offline/checksums.txt -``` - -### 3.7 Automation tips - -- Schedule with `cron` or platform scheduler and fail the job when exit code ≥ 11. -- Pair with `stella sources ingest --dry-run` for pre-flight validation before re-enabling a paused source. -- Push JSON exports to observability pipelines for historical tracking of violation counts. - -### 3.8 Offline notes - -- Works against Offline Kit Mongo snapshots when CLI is pointed at the local API gateway included in the bundle. -- When fully disconnected, run against exported `aoc verify` reports generated on production and replay them using `--format json --export` (automation recipe above). -- Include verification output in compliance packages alongside Offline Kit manifests. - ---- - -## 4 · Global exit-code reference - -| Code | Summary | -|------|---------| -| `0` | Success / no violations. | -| `11` | `ERR_AOC_001` – Forbidden field present. | -| `12` | `ERR_AOC_002` – Merge attempt detected. | -| `13` | `ERR_AOC_003` – Idempotency violation. 
| -| `14` | `ERR_AOC_004` – Missing provenance/signature metadata. | -| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | -| `16` | `ERR_AOC_006` – Effective findings in ingestion payload. | -| `17` | `ERR_AOC_007` – Schema violation / unknown fields. | -| `18` | Partial verification (limit reached). | -| `70` | Transport or HTTP failure. | -| `71` | CLI usage error (invalid arguments, missing tenant). | - -Use these codes in CI to map outcomes to build statuses or alert severities. - ---- - -## 4 · `stella vuln observations` (Overlay paging) - -`stella vuln observations` lists raw advisory observations for downstream overlays (Graph Explorer, Policy simulations, Console). Large tenants can now page through results deterministically. - -| Option | Description | -|--------|-------------| -| `--limit ` | Caps the number of observations returned in a single call. Defaults to `200`; values above `500` are clamped server-side. | -| `--cursor ` | Opaque continuation token produced by the previous page (`nextCursor` in JSON output). Pass it back to resume iteration. | - -Additional notes: - -- Table mode prints a hint when `hasMore` is `true`: - `[yellow]More observations available. Continue with --cursor [/]`. -- JSON mode returns `nextCursor` and `hasMore` alongside the observation list so automation can loop until `hasMore` is `false`. -- Supplying a non-positive limit falls back to the default (`200`). Invalid/expired cursors yield `400 Bad Request`; restart without `--cursor` to begin a fresh iteration. - ---- - -## 5 · Related references - + +--- + +## 1 · Prerequisites + +- CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled). +- Required scopes (DPoP-bound): + - `advisory:read` for Concelier sources. + - `vex:read` for Excititor sources (optional but required for VEX checks). + - `aoc:verify` to invoke guard verification endpoints. + - `tenant:select` if your deployment uses tenant switching. 
+- Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4). +- Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache. + +--- + +## 2 · `stella sources ingest --dry-run` + +### 2.1 Synopsis + +```bash +stella sources ingest --dry-run \ + --source \ + --input \ + [--tenant ] \ + [--format json|table] \ + [--no-color] \ + [--output ] +``` + +### 2.2 Description + +Previews an ingestion write without touching MongoDB. The command loads an upstream advisory or VEX document, computes the would-write payload, runs it through the `AOCWriteGuard`, and reports any forbidden fields, provenance gaps, or idempotency issues. Use it during connector development, CI validation, or while triaging incidents. + +### 2.3 Options + +| Option | Description | +|--------|-------------| +| `--source ` | Logical source name (`redhat`, `ubuntu`, `osv`, etc.). Mirrors connector configuration. | +| `--input ` | Path to local CSAF/OSV/VEX file or HTTPS URI. CLI normalises transport (gzip/base64) before guard evaluation. | +| `--tenant ` | Overrides default tenant for multi-tenant deployments. Mandatory when `STELLA_TENANT` is not set. | +| `--format json|table` | Output format. `table` (default) prints summary with highlighted violations; `json` emits machine-readable report (see below). | +| `--no-color` | Disables ANSI colour output for CI logs. | +| `--output ` | Writes the JSON report to file while still printing human-readable summary to stdout. 
| + +### 2.4 Output schema (JSON) + +```json +{ + "source": "redhat", + "tenant": "default", + "guardVersion": "1.0.0", + "status": "ok", + "document": { + "contentHash": "sha256:…", + "supersedes": null, + "provenance": { + "signature": { "format": "pgp", "present": true } + } + }, + "violations": [] +} +``` + +When violations exist, `status` becomes `error` and `violations` contains entries with `code` (`ERR_AOC_00x`), a short `message`, and JSON Pointer `path` values indicating offending fields. + +### 2.5 Exit codes + +| Exit code | Meaning | +|-----------|---------| +| `0` | Guard passed; would-write payload is AOC compliant. | +| `11` | `ERR_AOC_001` – Forbidden field (`severity`, `cvss`, etc.) detected. | +| `12` | `ERR_AOC_002` – Merge attempt (multiple upstream sources fused). | +| `13` | `ERR_AOC_003` – Idempotency violation (duplicate without supersedes). | +| `14` | `ERR_AOC_004` – Missing provenance fields. | +| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | +| `16` | `ERR_AOC_006` – Effective findings present (Policy-only data). | +| `17` | `ERR_AOC_007` – Unknown top-level fields / schema violation. | +| `70` | Transport error (network, auth, malformed input). | + +> Exit codes map directly to the `ERR_AOC_00x` table for scripting consistency. Multiple violations yield the highest-priority code (e.g., 11 takes precedence over 14). + +### 2.6 Examples + +Dry-run a local CSAF file: + +```bash +stella sources ingest --dry-run \ + --source redhat \ + --input ./fixtures/redhat/RHSA-2025-1234.json +``` + +Stream from HTTPS and emit JSON for CI: + +```bash +stella sources ingest --dry-run \ + --source osv \ + --input https://osv.dev/vulnerability/GHSA-aaaa-bbbb \ + --format json \ + --output artifacts/osv-dry-run.json + +cat artifacts/osv-dry-run.json | jq '.violations' +``` + +### 2.7 Offline notes + +When operating in sealed/offline mode: + +- Use `--input` paths pointing to Offline Kit snapshots (`offline-kit/advisories/*.json`). 
+- Provide `--tenant` explicitly if the offline bundle contains multiple tenants. +- The command does not attempt network access when given a file path. +- Store reports with `--output` to include in transfer packages for policy review. + +--- + +## 3 · `stella aoc verify` + +### 3.1 Synopsis + +```bash +stella aoc verify \ + [--since ] \ + [--limit ] \ + [--sources ] \ + [--codes ] \ + [--format table|json] \ + [--export ] \ + [--tenant ] \ + [--no-color] +``` + +### 3.2 Description + +Replays the AOC guard against stored raw documents. By default it checks all advisories and VEX statements ingested in the last 24 hours for the active tenant, reporting totals, top violation codes, and sample documents. Use it in CI pipelines, scheduled verifications, or during incident response. + +### 3.3 Options + +| Option | Description | +|--------|-------------| +| `--since ` | Verification window. Accepts ISO 8601 timestamp (`2025-10-25T12:00:00Z`) or duration (`48h`, `7d`). Defaults to `24h`. | +| `--limit ` | Maximum number of violations to display (per code). `0` means show all. Defaults to `20`. | +| `--sources ` | Comma-separated list of sources (`redhat,ubuntu,osv`). Filters both advisories and VEX entries. | +| `--codes ` | Restricts output to specific `ERR_AOC_00x` codes. Useful for regression tracking. | +| `--format table|json` | `table` (default) prints summary plus top violations; `json` outputs machine-readable report identical to the `/aoc/verify` API. | +| `--export ` | Writes the JSON report to disk (useful for audits/offline uploads). | +| `--tenant ` | Overrides tenant context. Required for cross-tenant verifications when run by platform operators. | +| `--no-color` | Disables ANSI colours. | + +`table` mode prints a summary showing the active tenant, evaluated window, counts of checked advisories/VEX statements, the active limit, total writes/violations, and whether the page was truncated. Status is colour-coded as `ok`, `violations`, or `truncated`. 
When violations exist the detail table lists the code, total occurrences, first sample document (`source` + `documentId` + `contentHash`), and JSON pointer path. + +### 3.4 Report structure (JSON) + +```json +{ + "tenant": "default", + "window": { + "from": "2025-10-25T12:00:00Z", + "to": "2025-10-26T12:00:00Z" + }, + "checked": { + "advisories": 482, + "vex": 75 + }, + "violations": [ + { + "code": "ERR_AOC_001", + "count": 2, + "examples": [ + { + "source": "redhat", + "documentId": "advisory_raw:redhat:RHSA-2025:1", + "contentHash": "sha256:…", + "path": "/content/raw/cvss" + } + ] + } + ], + "metrics": { + "ingestion_write_total": 557, + "aoc_violation_total": 2 + }, + "truncated": false +} +``` + +### 3.5 Exit codes + +| Exit code | Meaning | +|-----------|---------| +| `0` | Verification succeeded with zero violations. | +| `11…17` | Same mapping as § 2.5 when violations are detected. Highest-priority code returned. | +| `18` | Verification ran but results truncated (limit reached) – treat as warning; rerun with higher `--limit`. | +| `70` | Transport/authentication error. | +| `71` | CLI misconfiguration (missing tenant, invalid `--since`, etc.). | + +### 3.6 Examples + +Daily verification across all sources: + +```bash +stella aoc verify --since 24h --format table +``` + +CI pipeline focusing on errant sources and exporting evidence: + +```bash +stella aoc verify \ + --sources redhat,ubuntu \ + --codes ERR_AOC_001,ERR_AOC_004 \ + --format json \ + --limit 100 \ + --export artifacts/aoc-verify.json + +jq '.violations[] | {code, count}' artifacts/aoc-verify.json +``` + +Air-gapped verification using Offline Kit snapshot (example script): + +```bash +stella aoc verify \ + --since 7d \ + --format json \ + --export /mnt/offline/aoc-verify-$(date +%F).json + +sha256sum /mnt/offline/aoc-verify-*.json > /mnt/offline/checksums.txt +``` + +### 3.7 Automation tips + +- Schedule with `cron` or platform scheduler and fail the job when exit code ≥ 11. 
+- Pair with `stella sources ingest --dry-run` for pre-flight validation before re-enabling a paused source. +- Push JSON exports to observability pipelines for historical tracking of violation counts. + +### 3.8 Offline notes + +- Works against Offline Kit Mongo snapshots when CLI is pointed at the local API gateway included in the bundle. +- When fully disconnected, run against exported `aoc verify` reports generated on production and replay them using `--format json --export` (automation recipe above). +- Include verification output in compliance packages alongside Offline Kit manifests. + +--- + +## 4 · Global exit-code reference + +| Code | Summary | +|------|---------| +| `0` | Success / no violations. | +| `11` | `ERR_AOC_001` – Forbidden field present. | +| `12` | `ERR_AOC_002` – Merge attempt detected. | +| `13` | `ERR_AOC_003` – Idempotency violation. | +| `14` | `ERR_AOC_004` – Missing provenance/signature metadata. | +| `15` | `ERR_AOC_005` – Signature/checksum mismatch. | +| `16` | `ERR_AOC_006` – Effective findings in ingestion payload. | +| `17` | `ERR_AOC_007` – Schema violation / unknown fields. | +| `18` | Partial verification (limit reached). | +| `70` | Transport or HTTP failure. | +| `71` | CLI usage error (invalid arguments, missing tenant). | + +Use these codes in CI to map outcomes to build statuses or alert severities. + +--- + +## 4 · `stella vuln observations` (Overlay paging) + +`stella vuln observations` lists raw advisory observations for downstream overlays (Graph Explorer, Policy simulations, Console). Large tenants can now page through results deterministically. + +| Option | Description | +|--------|-------------| +| `--limit ` | Caps the number of observations returned in a single call. Defaults to `200`; values above `500` are clamped server-side. | +| `--cursor ` | Opaque continuation token produced by the previous page (`nextCursor` in JSON output). Pass it back to resume iteration. 
| + +Additional notes: + +- Table mode prints a hint when `hasMore` is `true`: + `[yellow]More observations available. Continue with --cursor [/]`. +- JSON mode returns `nextCursor` and `hasMore` alongside the observation list so automation can loop until `hasMore` is `false`. +- Supplying a non-positive limit falls back to the default (`200`). Invalid/expired cursors yield `400 Bad Request`; restart without `--cursor` to begin a fresh iteration. + +--- + +## 5 · Related references + - [Aggregation-Only Contract reference](../../../ingestion/aggregation-only-contract.md) - [Architecture overview](../../platform/architecture-overview.md) - [Console AOC dashboard](../../../ui/console.md) - [Authority scopes](../../authority/architecture.md) - [Task Pack CLI profiles](./packs-profiles.md) - ---- - + +--- + ## 6 · Compliance checklist - [ ] Usage documented for both table and JSON formats. @@ -317,10 +317,8 @@ All publish/promote operations require interactive identities with `policy:publi --- -*Last updated: 2025-11-03 (Sprint 100).* - ## 13. Authority configuration quick reference - + | Setting | Purpose | How to set | |---------|---------|------------| | `StellaOps:Authority:OperatorReason` | Incident/change description recorded with `orch:operate` tokens. | CLI flag `--Authority:OperatorReason=...` or env `STELLAOPS_ORCH_REASON`. | 
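Review bot: In `docs/modules/cli/guides/cli-reference.md`, the `@@ -1,298 +1,298 @@` hunk removes and re-adds almost the whole file with text that reads identically on both sides, which looks like a line-ending or trailing-whitespace rewrite and makes any real wording change impossible to spot; split the normalisation into its own commit so this one shows only content changes. While the file is open, two headings are numbered `## 4 ·` (the global exit-code reference and `stella vuln observations`), so the `see § 4` pointer in § 1 is ambiguous, and § 3.7's `fail the job when exit code ≥ 11` also fails on `18`, which § 3.5 says to treat as a warning.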
@@ -332,4 +330,61 @@ All publish/promote operations require interactive identities with `policy:publi | `StellaOps:Authority:Scope` | Default scope string requested during `stella auth login`. | CLI flag `--Authority:Scope=\"packs.read packs.run\"` or env `STELLAOPS_AUTHORITY_SCOPE`; see `docs/modules/cli/guides/packs-profiles.md` for common Task Pack profiles. | > Tokens requesting `orch:operate` fail with `invalid_request` unless both operator values are present. `orch:quota` tokens require `quota_reason` (≤256 chars) and accept an optional `quota_ticket` (≤128 chars). `orch:backfill` tokens require both `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars). Avoid embedding secrets in any value. - + +--- + +## 14 · `stella excititor verify` + +### 14.1 Synopsis + +```bash +stella excititor verify \ + [--export-id ] \ + [--digest ] \ + [--attestation ] \ + [--verbose] +``` + +At least one of `--export-id`, `--digest`, or `--attestation` must be supplied. + +### 14.2 Description + +Submits an artifact, digest, or attestation bundle to the Attestor service for verification. The command is available once the non-core plugin pack is installed (default in production CLI builds). It validates DSSE envelopes, Rekor proofs, and export digests without requiring operators to call Attestor APIs directly. + +### 14.3 Options + +| Option | Description | +|--------|-------------| +| `--export-id ` | Verify a previously issued Excititor export by identifier. | +| `--digest ` | Expected SHA-256 digest of the artifact or attestation payload. Added to the verification payload for additional integrity checks. | +| `--attestation ` | Path to a DSSE or in-toto bundle. The CLI base64-encodes the file and streams it to Attestor for verification. | +| `--verbose` | Enables debug logging. | + +> **Behaviour:** When `--attestation` is used the CLI loads the file into memory, encodes it as base64, and delegates verification to Attestor. 
Verification fails fast if the file cannot be read. + +### 14.4 Secret rule bundle workflow + +To confirm the signed secret-leak rule bundle before enabling the analyzer: + +```bash +export STELLA_ATTESTOR_URL=https://attestor.internal.example # or Offline Kit mirror + +RULES_PATH=offline/rules/secrets/2025.11/secrets.ruleset.rules.jsonl +ATTESTATION_PATH=offline/rules/secrets/2025.11/secrets.ruleset.dsse.json + +stella excititor verify \ + --attestation "${ATTESTATION_PATH}" \ + --digest "$(sha256sum "${RULES_PATH}" | cut -d' ' -f1)" +``` + +The Attestor response prints verification status, Rekor UUID (when available), and whether the transparency proof was validated. + +### 14.5 Offline considerations + +- Point the CLI to the Offline Kit Attestor mirror via `STELLA_ATTESTOR_URL` (and `STELLA_AUTHORITY_URL` if using sealed Authority). +- Offline kits include the mirrored Rekor log bundle required by Attestor; the CLI does not need direct Rekor connectivity. +- Always pass `--digest` when verifying bundles copied through removable media so mismatched payloads are detected locally before Attestor validation. + +--- + +*Last updated: 2025-11-05 (Sprint 101).* diff --git a/docs/modules/cli/implementation_plan.md b/docs/modules/cli/implementation_plan.md index 14a67c7b9..5d2e77a36 100644 --- a/docs/modules/cli/implementation_plan.md +++ b/docs/modules/cli/implementation_plan.md @@ -19,5 +19,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/concelier/AGENTS.md b/docs/modules/concelier/AGENTS.md index 3ddabd265..015934743 100644 --- a/docs/modules/concelier/AGENTS.md +++ b/docs/modules/concelier/AGENTS.md 
@@ -10,7 +10,7 @@ Concelier ingests signed advisories from dozens of sources and converts them int - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Concelier ingests signed advisories from dozens of sources and converts them int - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/concelier/TASKS.md b/docs/modules/concelier/TASKS.md index 3014db17a..d08e7cc46 100644 --- a/docs/modules/concelier/TASKS.md +++ b/docs/modules/concelier/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | CONCELIER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | CONCELIER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CONCELIER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| CONCELIER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/devops/AGENTS.md b/docs/modules/devops/AGENTS.md index 22c3745bd..c1ee8175c 100644 --- a/docs/modules/devops/AGENTS.md +++ b/docs/modules/devops/AGENTS.md @@ -11,7 +11,7 @@ The DevOps module captures release, deployment, and migration playbooks that kee - [Task Runner simulation notes](./task-runner-simulation.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -28,7 +28,7 @@ The DevOps module captures release, deployment, and migration playbooks that kee - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/devops/TASKS.md b/docs/modules/devops/TASKS.md index 66c5da870..2e3bd9057 100644 --- a/docs/modules/devops/TASKS.md +++ b/docs/modules/devops/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | DEVOPS-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | DEVOPS-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| DEVOPS-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| DEVOPS-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/devops/implementation_plan.md b/docs/modules/devops/implementation_plan.md index 397b50170..a6fa0664b 100644 --- a/docs/modules/devops/implementation_plan.md +++ b/docs/modules/devops/implementation_plan.md 
@@ -18,5 +18,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/excititor/AGENTS.md b/docs/modules/excititor/AGENTS.md index e05226ed1..5f9423544 100644 --- a/docs/modules/excititor/AGENTS.md +++ b/docs/modules/excititor/AGENTS.md @@ -10,7 +10,7 @@ Excititor converts heterogeneous VEX feeds into raw observations and linksets th - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Excititor converts heterogeneous VEX feeds into raw observations and linksets th - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/docs/modules/excititor/TASKS.md b/docs/modules/excititor/TASKS.md index 8bd87c5de..8e814931c 100644 --- a/docs/modules/excititor/TASKS.md +++ b/docs/modules/excititor/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | EXCITITOR-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | EXCITITOR-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| EXCITITOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| EXCITITOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/excititor/implementation_plan.md b/docs/modules/excititor/implementation_plan.md index c0abb64e7..76560837e 100644 --- a/docs/modules/excititor/implementation_plan.md +++ b/docs/modules/excititor/implementation_plan.md @@ -17,5 +17,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/excitor/AGENTS.md b/docs/modules/excitor/AGENTS.md index 57826c5cf..f748b9d27 100644 --- a/docs/modules/excitor/AGENTS.md +++ b/docs/modules/excitor/AGENTS.md 
@@ -10,7 +10,7 @@ Excitor computes deterministic consensus across VEX claims, preserving conflicts - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Excitor computes deterministic consensus across VEX claims, preserving conflicts - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/excitor/TASKS.md b/docs/modules/excitor/TASKS.md index bf5d02554..d13c519fa 100644 --- a/docs/modules/excitor/TASKS.md +++ b/docs/modules/excitor/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | EXCITOR-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | EXCITOR-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| EXCITOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| EXCITOR-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/export-center/AGENTS.md b/docs/modules/export-center/AGENTS.md index da3364a98..4cf89732a 100644 --- a/docs/modules/export-center/AGENTS.md +++ b/docs/modules/export-center/AGENTS.md @@ -10,7 +10,7 @@ Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) wi - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -27,7 +27,7 @@ Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) wi - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/export-center/TASKS.md b/docs/modules/export-center/TASKS.md index f54bce5b2..44184563e 100644 --- a/docs/modules/export-center/TASKS.md +++ b/docs/modules/export-center/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | EXPORT CENTER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | EXPORT CENTER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| EXPORT CENTER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| EXPORT CENTER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/graph/AGENTS.md b/docs/modules/graph/AGENTS.md index 7ced63ed2..077464f31 100644 --- a/docs/modules/graph/AGENTS.md +++ b/docs/modules/graph/AGENTS.md 
@@ -10,7 +10,7 @@ Graph module (upcoming) will power graph-indexed queries for SBOM relationships, - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Graph module (upcoming) will power graph-indexed queries for SBOM relationships, - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/graph/TASKS.md b/docs/modules/graph/TASKS.md index 34906197c..3ea4b4a9b 100644 --- a/docs/modules/graph/TASKS.md +++ b/docs/modules/graph/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | GRAPH-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | GRAPH-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| GRAPH-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| GRAPH-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/notify/AGENTS.md b/docs/modules/notify/AGENTS.md index f98759ec1..e2d81edd3 100644 --- a/docs/modules/notify/AGENTS.md +++ b/docs/modules/notify/AGENTS.md @@ -10,7 +10,7 @@ Notify evaluates operator-defined rules against platform events and dispatches c - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -27,7 +27,7 @@ Notify evaluates operator-defined rules against platform events and dispatches c - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/notify/TASKS.md b/docs/modules/notify/TASKS.md index dc3bc987f..f476559fa 100644 --- a/docs/modules/notify/TASKS.md +++ b/docs/modules/notify/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | NOTIFY-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | NOTIFY-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| NOTIFY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| NOTIFY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/orchestrator/AGENTS.md b/docs/modules/orchestrator/AGENTS.md index 87574d25a..76e615c48 100644 --- a/docs/modules/orchestrator/AGENTS.md +++ b/docs/modules/orchestrator/AGENTS.md 
@@ -11,7 +11,7 @@ The Orchestrator schedules, observes, and recovers ingestion and analysis jobs a ## How to get started 1. Read the design summaries in ./architecture.md (quota governance, job lifecycle, dashboard feeds). -2. Open ../../implplan/SPRINTS.md and locate stories for this component. +2. Open sprint file `/docs/implplan/SPRINT_*.md` and locate stories for this component. 3. Check ./TASKS.md and update status before/after work. 4. Review ./README.md for responsibilities and ensure changes maintain determinism and offline parity. @@ -27,7 +27,7 @@ The Orchestrator schedules, observes, and recovers ingestion and analysis jobs a - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/platform/AGENTS.md b/docs/modules/platform/AGENTS.md index 0fec5084e..d6947cf19 100644 --- a/docs/modules/platform/AGENTS.md +++ b/docs/modules/platform/AGENTS.md 
@@ -10,7 +10,7 @@ Platform module describes cross-cutting architecture, contracts, and guardrails - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Platform module describes cross-cutting architecture, contracts, and guardrails - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/platform/TASKS.md b/docs/modules/platform/TASKS.md index bf427d850..ef4055301 100644 --- a/docs/modules/platform/TASKS.md +++ b/docs/modules/platform/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | PLATFORM-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | PLATFORM-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| PLATFORM-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| PLATFORM-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/platform/implementation_plan.md b/docs/modules/platform/implementation_plan.md index 7ad7dc024..50dbae215 100644 --- a/docs/modules/platform/implementation_plan.md +++ b/docs/modules/platform/implementation_plan.md @@ -18,5 +18,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/policy/AGENTS.md b/docs/modules/policy/AGENTS.md index e996a28d9..942f4bfea 100644 --- a/docs/modules/policy/AGENTS.md +++ b/docs/modules/policy/AGENTS.md 
@@ -12,7 +12,7 @@ Policy Engine compiles and evaluates Stella DSL policies deterministically, prod - [Windows package readiness](../policy/windows-package-readiness.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -29,7 +29,7 @@ Policy Engine compiles and evaluates Stella DSL policies deterministically, prod - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/policy/TASKS.md b/docs/modules/policy/TASKS.md index 7e60d4fb8..c28275d36 100644 --- a/docs/modules/policy/TASKS.md +++ b/docs/modules/policy/TASKS.md 
@@ -6,6 +6,7 @@ |----|--------|----------|-------------|-------| | POLICY ENGINE-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | POLICY ENGINE-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| POLICY ENGINE-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| POLICY ENGINE-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | | POLICY-READINESS-0001 | DOING (2025-11-03) | Policy Guild, Security Guild | Resolve open questions in `../policy/secret-leak-detection-readiness.md` ahead of SCANNER-ENG-0007. | Decision workshop 2025-11-10 (Northwind demo); cover masking depth, telemetry retention, bundle defaults, tenant overrides. | +> 2025-11-05: DSL reference updated with `secret.*` helper documentation; awaiting workshop decisions on masking depth/telemetry retention before closing. | POLICY-READINESS-0002 | DOING (2025-11-03) | Policy Guild, Security Guild, Offline Kit Guild | Review `../policy/windows-package-readiness.md`, set signature verification locus, feed mirroring scopes, and legacy installer posture. | FinSecure PCI blocker; deliver Authenticode/feed decision by 2025-11-07 before analyzer spike kickoff. | diff --git a/docs/modules/registry/AGENTS.md b/docs/modules/registry/AGENTS.md index 35756b65e..0851e6f31 100644 --- a/docs/modules/registry/AGENTS.md +++ b/docs/modules/registry/AGENTS.md 
@@ -10,7 +10,7 @@ The registry module issues scoped pull tokens for mirrored container registries - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ The registry module issues scoped pull tokens for mirrored container registries - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/registry/TASKS.md b/docs/modules/registry/TASKS.md index 9edda55e2..ff3900ac7 100644 --- a/docs/modules/registry/TASKS.md +++ b/docs/modules/registry/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | REGISTRY TOKEN SERVICE-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | REGISTRY TOKEN SERVICE-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| REGISTRY TOKEN SERVICE-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| REGISTRY TOKEN SERVICE-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/registry/implementation_plan.md b/docs/modules/registry/implementation_plan.md index 88cc85377..84bb92663 100644 --- a/docs/modules/registry/implementation_plan.md +++ b/docs/modules/registry/implementation_plan.md @@ -16,5 +16,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/scanner/AGENTS.md b/docs/modules/scanner/AGENTS.md index db610e548..eabecbcab 100644 --- a/docs/modules/scanner/AGENTS.md +++ b/docs/modules/scanner/AGENTS.md 
@@ -16,7 +16,7 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f - [Benchmarks overview](../../benchmarks/scanner/README.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -33,7 +33,7 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/scanner/README.md b/docs/modules/scanner/README.md index df0339b8d..8c4236cea 100644 --- a/docs/modules/scanner/README.md +++ b/docs/modules/scanner/README.md @@ -28,6 +28,7 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f - ./operations/analyzers-grafana-dashboard.json - ./operations/rustfs-migration.md - ./operations/entrypoint.md +- ./operations/secret-leak-detection.md - ./design/macos-analyzer.md - ./design/windows-analyzer.md - ../benchmarks/scanner/deep-dives/macos.md 
diff --git a/docs/modules/scanner/TASKS.md b/docs/modules/scanner/TASKS.md index 021de0a7f..9cda2f75c 100644 --- a/docs/modules/scanner/TASKS.md +++ b/docs/modules/scanner/TASKS.md @@ -37,4 +37,4 @@ | SCANNER-ENG-0026 | TODO | Scanner Guild (Windows Packages Squad) | Implement Chocolatey & registry collectors per `design/windows-analyzer.md` §3.3–3.4. | Harvest nuspec metadata and registry uninstall/service evidence; merge with filesystem artefacts; align with feed decisions from POLICY-READINESS-0002. | | SCANNER-ENG-0027 | TODO | Scanner Guild, Policy Guild, Offline Kit Guild | Deliver Windows policy/offline integration per `design/windows-analyzer.md` §5–6. | Define predicates, CLI/Offline docs, and packaging for feeds/certs; start after POLICY-READINESS-0002 sign-off. | | SCANNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/scanner/operations/secret-leak-detection.md b/docs/modules/scanner/operations/secret-leak-detection.md new file mode 100644 index 000000000..07deb0cb0 --- /dev/null +++ b/docs/modules/scanner/operations/secret-leak-detection.md 
@@ -0,0 +1,170 @@ +# Secret Leak Detection (Scanner Operations) + +> **Status:** Preview (Sprint 132). Requires `SCANNER-ENG-0007`/`POLICY-READINESS-0001` release bundle and the experimental flag `secret-leak-detection`. +> +> **Audience:** Scanner operators, Security Guild, Docs Guild, Offline Kit maintainers. + +## 1. Scope & goals + +- Introduce the **`StellaOps.Scanner.Analyzers.Secrets`** plug-in, which executes deterministic rule bundles against layer content during scans. +- Ensure every finding is reproducible: rule bundles are DSSE-signed, versioned, and shipped with the Offline Kit. +- Surface policy-ready evidence (`secret.leak`) so tenants can enforce block/warn flows using `stella-dsl@1` predicates. +- Preserve sovereignty: rule bundles install locally, no outbound telemetry, masking is enforced before data leaves the worker. + +## 2. Prerequisites + +| Requirement | Notes | +| --- | --- | +| Analyzer binaries | Deploy `StellaOps.Scanner.Analyzers.Secrets` alongside Scanner Worker (packaged with the standard container images). | +| Surface libraries | `Surface.Secrets`, `Surface.Validation`, and `Surface.Env` must already be configured (see `surface-secrets.md`). | +| Experimental flag | Enable `scanner.features.experimental["secret-leak-detection"] = true` on both WebService and Worker. | +| Policy readiness | Import predicates from `docs/modules/policy/secret-leak-detection-readiness.md` into tenant policy packs. | +| Offline Kit | Update to an Offline Kit that includes `offline/rules/secrets//` before enabling production scans. | + +## 3. Rule bundle lifecycle + +Rule bundles ship in the Export Center / Offline Kit under `offline/rules/secrets//`. + +| File | Purpose | Notes | +| --- | --- | --- | +| `secrets.ruleset.manifest.json` | Lists rule IDs, versions, severity defaults, and hash digests. | Consume during policy drift audits. | +| `secrets.ruleset.rules.jsonl` | Newline-delimited definitions (regex/entropy metadata, masking hints). 
| Loaded by the analyzer at startup. | +| `secrets.ruleset.dsse.json` | DSSE envelope (Signer certificate chain + Attestor proof). | Verify before distributing bundles. | + +Verification checklist (`stella excititor verify` talks to the configured Attestor service): + +``` +stella excititor verify \ + --attestation offline/rules/secrets/2025.11/secrets.ruleset.dsse.json \ + --digest $(sha256sum offline/rules/secrets/2025.11/secrets.ruleset.rules.jsonl | cut -d' ' -f1) +``` + +For air-gapped environments point the CLI at the Offline Kit Attestor mirror (for example `STELLA_ATTESTOR_URL=http://attestor.offline.local`) before running the command. The Attestor instance validates the DSSE envelope against the mirrored Rekor log and embedded certificate chain; no public network access is required. + +Once verified, copy the manifest + rules to the worker: + +``` +/opt/stellaops/plugins/scanner/analyzers/secrets/ + ├── secrets.ruleset.manifest.json + ├── secrets.ruleset.rules.jsonl + └── secrets.ruleset.dsse.json +``` + +Restart the worker so the analyzer reloads the updated bundle. Bundles are immutable; upgrading requires replacing all three files and restarting. + +## 4. Enabling the analyzer + +1. **Toggle the feature flag** (WebService + Worker): + + ```yaml + scanner: + features: + experimental: + secret-leak-detection: true + ``` + + (Environment alternative: `SCANNER__FEATURES__EXPERIMENTAL__secret-leak-detection=true`.) + +2. **Configure retention** (WebService): + + ```yaml + scanner: + storage: + migrations: + - Scanner.Analysis.SecretFindingsTtl + ``` + + The migration adds `secretFindings` documents to `ScanAnalysisStore` with the standard TTL (default 90 days). Adjust Mongo TTL via the deployment overlay if longer retention is required. + +3. 
**Activate policy ingestion** (WebService): + + ```yaml + scanner: + runtime: + enableSecretFindings: true + ``` + + (Experimental builds gate secret evidence behind this toggle to avoid surprising downstream consumers.) + +4. **Roll scanner hosts**. Apply the configuration, roll WebService first, then Workers. Verify the startup logs contain `SecretsAnalyzerHost` and `SecretLeakDetection: Enabled`. + +## 5. Policy patterns + +The analyzer emits `secret.leak` evidence with the shape: + +```json +{ + "ruleId": "stellaops.secrets.aws-access-key", + "ruleVersion": "2025.11.0", + "severity": "high", + "confidence": "high", + "file": "/app/config.yml", + "line": 42, + "mask": "AKIA********B7", + "bundleId": "secrets.ruleset", + "bundleVersion": "2025.11" +} +``` + +Policy DSL helpers introduced with this release: + +| Helper | Description | +| --- | --- | +| `secret.hasFinding(ruleId?, severity?, confidence?)` | Returns true if any finding matches the filter. | +| `secret.bundle.version(requiredVersion)` | Ensures the active bundle meets or exceeds a version. | +| `secret.match.count(ruleId?)` | Returns the number of findings (useful for thresholds). | + +Sample policy (`policies/secret-blocker.stella`): + +```dsl +policy "Secret Leak Guard" syntax "stella-dsl@1" { + metadata { + description = "Block high-confidence secret leaks" + tags = ["secrets","compliance"] + } + + rule block_high_confidence priority 10 { + when secret.hasFinding(severity: "high", confidence: "high") + then escalate to "block"; + because "High severity secret leak detected"; + } + + rule require_current_bundle priority 5 { + when not secret.bundle.version("2025.11") + then warn message "Secret leak bundle out of date"; + } +} +``` + +Tenants that prefer staged rollout can downgrade low-confidence findings: + +```dsl +rule low_confidence_warn priority 20 { + when secret.hasFinding(confidence: "low") + then annotate decision.notes := "Investigate masked payload"; + else ignore; +} +``` + +## 6. 
Observability & reporting + +- **Metrics:** `scanner.secret.finding_total{tenant,ruleId,severity,confidence}` increments per finding. Add Prometheus alerts for spikes. +- **Logs:** `SecretsAnalyzerHost` logs bundle version on load and emits warnings when masking fails (payload never leaves memory). +- **Traces:** Each analyzer run adds a `scanner.secrets.scan` span with rule counts and wall-clock timing. +- **Reports / CLI:** Scan reports include a `secretFindings` array; CLI diff/export surfaces render masked snippets plus remediation guidance. + +## 7. Troubleshooting + +| Symptom | Resolution | +| --- | --- | +| Analyzer disabled at startup | Confirm feature flag and bundle files exist; check `plugins/scanner/analyzers/secrets` permissions (`640`). | +| No findings despite seeded secrets | Ensure bundle hash matches manifest. Run worker with `--secrets-trace` (debug build) to log matched rules locally. | +| Policy marks findings as unknown | Upgrade tenant policies to include `secret.*` helpers; older policies silently drop the namespace. | +| Air-gapped verification fails | Ensure `STELLA_ATTESTOR_URL` points to the Offline Kit Attestor mirror and rerun `stella excititor verify --attestation --digest `. | + +## 8. References + +- `docs/modules/policy/secret-leak-detection-readiness.md` +- `docs/benchmarks/scanner/deep-dives/secrets.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/07_HIGH_LEVEL_ARCHITECTURE.md` §1.1 Runtime inventory (Scanner) diff --git a/docs/modules/scheduler/AGENTS.md b/docs/modules/scheduler/AGENTS.md index 4af5aceae..ef63cb796 100644 --- a/docs/modules/scheduler/AGENTS.md +++ b/docs/modules/scheduler/AGENTS.md 
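Review bot: The air-gapped paragraph under the verification checklist, in the secrets analyzer guide that ends just above, gives `STELLA_ATTESTOR_URL=http://attestor.offline.local` as its example, so the CLI would take the Attestor's verdict on the DSSE envelope over plain HTTP. Because `stella excititor verify` delegates validation to that service, the example should use an `https://` URL, or the text should say how the CLI authenticates the mirror's response. The section 7 troubleshooting row also shows `stella excititor verify --attestation --digest ` with no argument values; add explicit placeholders so the command can be followed as written.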
@@ -10,7 +10,7 @@ Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/scheduler/TASKS.md b/docs/modules/scheduler/TASKS.md index 33a56fac5..cd50c85eb 100644 --- a/docs/modules/scheduler/TASKS.md +++ b/docs/modules/scheduler/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | SCHEDULER-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | SCHEDULER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| SCHEDULER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| SCHEDULER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/scheduler/implementation_plan.md b/docs/modules/scheduler/implementation_plan.md index 6ed06faea..c655e0eac 100644 --- a/docs/modules/scheduler/implementation_plan.md +++ b/docs/modules/scheduler/implementation_plan.md @@ -17,5 +17,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/signer/AGENTS.md b/docs/modules/signer/AGENTS.md index d547d2c8d..1cbd3dea8 100644 --- a/docs/modules/signer/AGENTS.md +++ b/docs/modules/signer/AGENTS.md 
@@ -10,7 +10,7 @@ Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSS - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -28,7 +28,7 @@ Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSS - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/signer/TASKS.md b/docs/modules/signer/TASKS.md index 8054bfe8f..ffbad4365 100644 --- a/docs/modules/signer/TASKS.md +++ b/docs/modules/signer/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | SIGNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | SIGNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| SIGNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| SIGNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/telemetry/AGENTS.md b/docs/modules/telemetry/AGENTS.md index 846577477..af732c22e 100644 --- a/docs/modules/telemetry/AGENTS.md +++ b/docs/modules/telemetry/AGENTS.md @@ -10,7 +10,7 @@ Telemetry module captures deployment and operations guidance for the shared obse - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -27,7 +27,7 @@ Telemetry module captures deployment and operations guidance for the shared obse - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/telemetry/TASKS.md b/docs/modules/telemetry/TASKS.md index 2b540bcfc..243fe7d4f 100644 --- a/docs/modules/telemetry/TASKS.md +++ b/docs/modules/telemetry/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | TELEMETRY-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | TELEMETRY-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| TELEMETRY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| TELEMETRY-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/ui/AGENTS.md b/docs/modules/ui/AGENTS.md index 5dd9d5402..3fa15164e 100644 --- a/docs/modules/ui/AGENTS.md +++ b/docs/modules/ui/AGENTS.md 
@@ -10,7 +10,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. @@ -27,7 +27,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/ui/TASKS.md b/docs/modules/ui/TASKS.md index 3f06d541f..88cf05865 100644 --- a/docs/modules/ui/TASKS.md +++ b/docs/modules/ui/TASKS.md 
@@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | CONSOLE UI-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | CONSOLE UI-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| CONSOLE UI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| CONSOLE UI-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/ui/implementation_plan.md b/docs/modules/ui/implementation_plan.md index f0d881a2a..5996f8177 100644 --- a/docs/modules/ui/implementation_plan.md +++ b/docs/modules/ui/implementation_plan.md @@ -21,5 +21,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/modules/vex-lens/AGENTS.md b/docs/modules/vex-lens/AGENTS.md index 138ad307e..06dafcaae 100644 --- a/docs/modules/vex-lens/AGENTS.md +++ b/docs/modules/vex-lens/AGENTS.md @@ -11,7 +11,7 @@ VEX Lens computes deterministic consensus across conflicting VEX statements whil ## How to get started 1. Review ./architecture.md for consensus algorithm, trust model, and export contracts. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. +2. Open sprint file `/docs/implplan/SPRINT_*.md` and locate stories for this component. 3. Check ./TASKS.md and update status before/after work. 4. Read README/architecture for design context and update as the implementation evolves. 
@@ -28,7 +28,7 @@ VEX Lens computes deterministic consensus across conflicting VEX statements whil - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/vuln-explorer/AGENTS.md b/docs/modules/vuln-explorer/AGENTS.md index 6b8c5dc56..364e9bd98 100644 --- a/docs/modules/vuln-explorer/AGENTS.md +++ b/docs/modules/vuln-explorer/AGENTS.md @@ -11,7 +11,7 @@ Vulnerability Explorer delivers policy-aware triage, investigation, and reportin ## How to get started 1. Review ./architecture.md for ledger schema, workflow states, and export requirements. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. +2. Open sprint file `/docs/implplan/SPRINT_*.md` and locate stories for this component. 3. Check ./TASKS.md and update status before/after work. 4. Read README/architecture for design context and update as the implementation evolves. 
@@ -28,7 +28,7 @@ Vulnerability Explorer delivers policy-aware triage, investigation, and reportin - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/zastava/AGENTS.md b/docs/modules/zastava/AGENTS.md index 1f8411ada..abdfb3366 100644 --- a/docs/modules/zastava/AGENTS.md +++ b/docs/modules/zastava/AGENTS.md @@ -10,7 +10,7 @@ Zastava monitors running workloads, verifies supply chain posture, and enforces - [Task board](./TASKS.md) ## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module. 2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). 3. Read the architecture and README for domain context before editing code or docs. 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
@@ -27,7 +27,7 @@ Zastava monitors running workloads, verifies supply chain posture, and enforces - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/docs/modules/zastava/TASKS.md b/docs/modules/zastava/TASKS.md index 22fd845e3..234d108b1 100644 --- a/docs/modules/zastava/TASKS.md +++ b/docs/modules/zastava/TASKS.md @@ -6,4 +6,4 @@ |----|--------|----------|-------------|-------| | ZASTAVA-DOCS-0001 | TODO | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md | | ZASTAVA-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md | -| ZASTAVA-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow | +| ZASTAVA-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow | diff --git a/docs/modules/zastava/implementation_plan.md b/docs/modules/zastava/implementation_plan.md index 1fa434d70..ae87c4c51 100644 --- a/docs/modules/zastava/implementation_plan.md +++ b/docs/modules/zastava/implementation_plan.md 
@@ -15,5 +15,5 @@ ## Coordination - Review ./AGENTS.md before picking up new work. -- Sync with cross-cutting teams noted in ../../implplan/SPRINTS.md. +- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`. - Update this plan whenever scope, dependencies, or guardrails change. diff --git a/docs/policy/dsl.md b/docs/policy/dsl.md index 0cde9e5e9..49a82b04c 100644 --- a/docs/policy/dsl.md +++ b/docs/policy/dsl.md 
@@ -136,17 +136,20 @@ Notes: Within predicates and actions you may reference the following namespaces: -| Namespace | Fields | Description | -|-----------|--------|-------------| -| `sbom` | `purl`, `name`, `version`, `licenses`, `layerDigest`, `tags`, `usedByEntrypoint` | Component metadata from Scanner. | -| `advisory` | `id`, `source`, `aliases`, `severity`, `cvss`, `publishedAt`, `modifiedAt`, `content.raw` | Canonical Concelier advisory view. | -| `vex` | `status`, `justification`, `statementId`, `timestamp`, `scope` | Current VEX statement when iterating; aggregator helpers available. | -| `vex.any(...)`, `vex.all(...)`, `vex.count(...)` | Functions operating over all matching statements. | -| `run` | `policyId`, `policyVersion`, `tenant`, `timestamp` | Metadata for explain annotations. | -| `env` | Arbitrary key/value pairs injected per run (e.g., `environment`, `runtime`). | -| `telemetry` | Optional reachability signals; missing fields evaluate to `unknown`. | -| `profile.` | Values computed inside profile blocks (maps, scalars). | - +| Namespace | Fields | Description | +|-----------|--------|-------------| +| `sbom` | `purl`, `name`, `version`, `licenses`, `layerDigest`, `tags`, `usedByEntrypoint` | Component metadata from Scanner. | +| `advisory` | `id`, `source`, `aliases`, `severity`, `cvss`, `publishedAt`, `modifiedAt`, `content.raw` | Canonical Concelier advisory view. | +| `vex` | `status`, `justification`, `statementId`, `timestamp`, `scope` | Current VEX statement when iterating; aggregator helpers available. | +| `vex.any(...)`, `vex.all(...)`, `vex.count(...)` | Functions operating over all matching statements. | +| `run` | `policyId`, `policyVersion`, `tenant`, `timestamp` | Metadata for explain annotations. | +| `env` | Arbitrary key/value pairs injected per run (e.g., `environment`, `runtime`). | +| `telemetry` | Optional reachability signals; missing fields evaluate to `unknown`. 
| +| `secret` | `findings`, `bundle`, helper predicates | Populated when the Secrets Analyzer runs. Exposes masked leak findings and bundle metadata for policy decisions. | +| `profile.` | Values computed inside profile blocks (maps, scalars). | + +> **Secrets namespace.** When `StellaOps.Scanner.Analyzers.Secrets` is enabled the Policy Engine receives masked findings (`secret.findings[*]`) plus bundle metadata (`secret.bundle.id`, `secret.bundle.version`). Policies should rely on the helper predicates listed below rather than reading raw arrays to preserve determinism and future compatibility. + Missing fields evaluate to `null`, which is falsey in boolean context and propagates through comparisons unless explicitly checked. --- 
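Review bot: The new `secret` row says the namespace is populated only when the Secrets Analyzer runs, and the closing context line says missing fields evaluate to `null`, which is falsey, but nothing states what `secret.*` yields for a scan where the analyzer is disabled. If the null rule applies, a blocking rule built on a `secret` predicate would not fire even though no secret scan took place, so document the analyzer-absent value next to the blockquote and recommend a guard that separates "no findings" from "not scanned". Separately, the unchanged namespace rows appear as removed and re-added, which suggests a whitespace or line-ending change; restoring the original bytes would reduce this hunk to the added row and the blockquote.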
@@ -166,12 +169,17 @@ Missing fields evaluate to `null`, which is falsey in boolean context and propag | `advisory.matches(pattern)` | `string → bool` | Glob match against advisory identifiers. | | `sbom.has_tag(tag)` | `string → bool` | Uses SBOM inventory tags (usage vs inventory). | | `exists(expression)` | `→ bool` | `true` when value is non-null/empty. | -| `coalesce(a, b, ...)` | `→ value` | First non-null argument. | -| `days_between(dateA, dateB)` | `→ int` | Absolute day difference (UTC). | -| `percent_of(part, whole)` | `→ double` | Fractions for scoring adjustments. | -| `lowercase(text)` | `string → string` | Normalises casing deterministically (InvariantCulture). | - -All built-ins are pure; if inputs are null the result is null unless otherwise noted. +| `coalesce(a, b, ...)` | `→ value` | First non-null argument. | +| `days_between(dateA, dateB)` | `→ int` | Absolute day difference (UTC). | +| `percent_of(part, whole)` | `→ double` | Fractions for scoring adjustments. | +| `lowercase(text)` | `string → string` | Normalises casing deterministically (InvariantCulture). | +| `secret.hasFinding(ruleId?, severity?, confidence?)` | `→ bool` | True if any secret leak finding matches optional filters. | +| `secret.match.count(ruleId?)` | `→ int` | Count of findings, optionally scoped to a rule ID. | +| `secret.bundle.version(required)` | `string → bool` | Ensures the active secret rule bundle version ≥ required (semantic compare). | +| `secret.mask.applied` | `→ bool` | Indicates whether masking succeeded for all surfaced payloads. | +| `secret.path.allowlist(patterns)` | `list → bool` | True when all findings fall within allowed path patterns (useful for waivers). | + +All built-ins are pure; if inputs are null the result is null unless otherwise noted. --- @@ -291,4 +299,4 @@ rule catch_all { --- -*Last updated: 2025-10-26 (Sprint 20).* +*Last updated: 2025-11-05 (Sprint 21).* 
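Review bot: In the built-ins table hunk of docs/policy/dsl.md, `secret.bundle.version(required)` is described as a semantic compare, yet the guide added earlier in this patch calls it with `"2025.11"` and shows `bundleVersion` as `2025.11` next to a `ruleVersion` of `2025.11.0`. State the accepted version format and how a two-part value is ordered against a three-part one, or describe the comparison in terms that match the bundle's own versioning. `secret.path.allowlist(patterns)` should also say what it returns when there are no findings, since "all findings fall within" is vacuously true in that case.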
diff --git a/docs/technical/process/README.md b/docs/technical/process/README.md index fb84328ff..c2473bffa 100644 --- a/docs/technical/process/README.md +++ b/docs/technical/process/README.md @@ -8,7 +8,7 @@ Use these artefacts to understand team ownership, active workstreams, and histor ## Work Tracking - [../TASKS.md](../../TASKS.md) – Docs Guild task board. -- Sprint plans and historical boards: [../implplan/SPRINTS.md](../../implplan/SPRINTS.md), [../implplan/SPRINTS_PRIOR_20251028.md](../../implplan/SPRINTS_PRIOR_20251028.md), [../implplan/SPRINTS_PRIOR_20251027.md](../../implplan/SPRINTS_PRIOR_20251027.md), [../implplan/SPRINTS_PRIOR_20251025.md](../../implplan/SPRINTS_PRIOR_20251025.md), [../implplan/SPRINTS_PRIOR_20251021.md](../../implplan/SPRINTS_PRIOR_20251021.md), [../implplan/SPRINTS_PRIOR_20251019.md](../../implplan/SPRINTS_PRIOR_20251019.md). +- Sprint plans and historical boards: [../implplan/SPRINTS.md](`/docs/implplan/SPRINT_*.md`), [../implplan/SPRINTS_PRIOR_20251028.md](../../implplan/SPRINTS_PRIOR_20251028.md), [../implplan/SPRINTS_PRIOR_20251027.md](../../implplan/SPRINTS_PRIOR_20251027.md), [../implplan/SPRINTS_PRIOR_20251025.md](../../implplan/SPRINTS_PRIOR_20251025.md), [../implplan/SPRINTS_PRIOR_20251021.md](../../implplan/SPRINTS_PRIOR_20251021.md), [../implplan/SPRINTS_PRIOR_20251019.md](../../implplan/SPRINTS_PRIOR_20251019.md). - Backlog hygiene and consolidation notes: [../backlog/](../../backlog/). - Task packs and reusable templates: [../task-packs/](../../task-packs/). diff --git a/docs/updates/2025-10-27-console-security-signoff.md b/docs/updates/2025-10-27-console-security-signoff.md index 6c684a1fa..5750ad000 100644 --- a/docs/updates/2025-10-27-console-security-signoff.md +++ b/docs/updates/2025-10-27-console-security-signoff.md 
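Review bot: In the Work Tracking hunk of docs/technical/process/README.md, the replaced bullet now reads `` [../implplan/SPRINTS.md](`/docs/implplan/SPRINT_*.md`) ``: the link target is a backtick-quoted glob, which is not a resolvable path, and the link text still names the old `SPRINTS.md`. Link to the `implplan` directory or to a concrete sprint file, and update the label to match.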
@@ -44,5 +44,5 @@ ## Sign-off - Reviewed by **Security Guild** (lead: `@sec-lfox`). -- Sign-off recorded in Sprint 23 tracker (`../implplan/SPRINTS.md`, `DOCS-CONSOLE-23-018`). +- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`). diff --git a/docs/updates/2025-10-28-docs-guild.md b/docs/updates/2025-10-28-docs-guild.md index cf4733ede..5d4954b19 100644 --- a/docs/updates/2025-10-28-docs-guild.md +++ b/docs/updates/2025-10-28-docs-guild.md @@ -21,6 +21,6 @@ Artifacts: - Doc: `/docs/security/console-security.md` - Doc: `/docs/cli-vs-ui-parity.md` - Doc: `/docs/accessibility.md` -- Sprint tracker: `../implplan/SPRINTS.md` (DOCS-CONSOLE-23-012 now DONE) +- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE) cc: `@authority-core`, `@security-guild`, `@docs-guild` diff --git a/docs/updates/2025-10-30-devops-governance.md b/docs/updates/2025-10-30-devops-governance.md index 62af9eaf8..bf79bb548 100644 --- a/docs/updates/2025-10-30-devops-governance.md +++ b/docs/updates/2025-10-30-devops-governance.md @@ -7,7 +7,7 @@ 2. AOC ingestion persists upstream truth only (no merge/deduplicate logic). 3. Graph platform standardised on Graph Indexer + Graph API (Cartographer retired). - Updated backlog hygiene note (`docs/backlog/2025-10-cleanup.md`) and archived the Cartographer handshake plan to point at the new graph platform. -- Logged the rules in `ops/devops/TASKS.md` and `docs/implplan/SPRINTS.md`, removing duplicate references to Cartographer as an active service. +- Logged the rules in `ops/devops/TASKS.md` and corresponding sprint file `docs/implplan/SPRINT_*.md`, removing duplicate references to Cartographer as an active service. **Reviewers / acknowledgements** diff --git a/ops/deployment/AGENTS.md b/ops/deployment/AGENTS.md index db3beb1c2..51835db62 100644 --- a/ops/deployment/AGENTS.md +++ b/ops/deployment/AGENTS.md 
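Review bot: The three docs/updates hunks above (2025-10-27 console security sign-off, 2025-10-28 docs guild, 2025-10-30 devops governance) replace a concrete tracker path with `docs/implplan/SPRINT_*.md` inside dated records, so the Security Guild sign-off for `DOCS-CONSOLE-23-018` no longer points at any single file. For an audit trail, name the exact sprint file that holds each entry instead of a glob; the "corresponding sprint file" wording can then be dropped.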
@@ -8,7 +8,7 @@ Maintain deployment/upgrade/rollback workflows (Helm/Compose) per `docs/modules/ - `docs/modules/airgap/airgap-mode.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/ops/devops/AGENTS.md b/ops/devops/AGENTS.md index ba3087e09..36cf9bd5e 100644 --- a/ops/devops/AGENTS.md +++ b/ops/devops/AGENTS.md @@ -15,7 +15,7 @@ Execute deterministic build/release pipeline per `docs/modules/devops/ARCHITECTU - `docs/modules/airgap/airgap-mode.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/ops/licensing/AGENTS.md b/ops/licensing/AGENTS.md index 0ad0cffb9..a7bde5d8a 100644 --- a/ops/licensing/AGENTS.md +++ b/ops/licensing/AGENTS.md 
@@ -8,7 +8,7 @@ Implement licensing token service and registry access workflows described in `do - `docs/modules/airgap/airgap-mode.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/ops/offline-kit/AGENTS.md b/ops/offline-kit/AGENTS.md index 404724cec..d5e048f2c 100644 --- a/ops/offline-kit/AGENTS.md +++ b/ops/offline-kit/AGENTS.md @@ -8,7 +8,7 @@ Package Offline Update Kit per `docs/modules/devops/ARCHITECTURE.md` and `docs/2 - `docs/modules/airgap/airgap-mode.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/samples/AGENTS.md b/samples/AGENTS.md index 863afa2c8..fa4029fa9 100644 --- a/samples/AGENTS.md +++ b/samples/AGENTS.md 
@@ -22,7 +22,7 @@ Curate and maintain deterministic sample assets (configs, fixtures, walkthrough - `docs/modules/telemetry/architecture.md` (for observability-focused samples) ## Working Agreement -1. **Before starting a task** update its status to `DOING` in both `docs/implplan/SPRINTS.md` and `samples/TASKS.md`. Revert to `TODO` if you pause, or `DONE` when complete. +1. **Before starting a task** update its status to `DOING` in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `samples/TASKS.md`. Revert to `TODO` if you pause, or `DONE` when complete. 2. **Review this charter & required docs** to confirm conventions (deterministic outputs, offline readiness, security posture) before coding. 3. **Preserve determinism**: scripts must pin versions, normalise timestamps, and avoid network calls beyond documented mirrors. 4. **Documentation parity**: every change to a sample must include README/guide updates explaining execution steps and expected results. diff --git a/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md b/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md index 946b5731d..6b8dbf119 100644 --- a/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md +++ b/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md 
@@ -26,7 +26,7 @@ Deliver the Advisory AI assistant service that synthesizes advisory/VEX evidence - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md b/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md index bad732b67..196e76540 100644 --- a/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md @@ -20,7 +20,7 @@ Own the sealing state machine, status APIs, and enforcement hooks that keep Stel - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md b/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md index 3036a895d..357e8ebc9 100644 
--- a/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md @@ -20,7 +20,7 @@ Deliver offline bundle verification and ingestion tooling for sealed environment - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md b/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md index 7fe56f709..d7afec5b2 100644 --- a/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md @@ -20,7 +20,7 @@ Provide the shared enforcement layer (`EgressPolicy`, job plan validators, seale - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/AirGap/StellaOps.AirGap.Time/AGENTS.md b/src/AirGap/StellaOps.AirGap.Time/AGENTS.md index f010a814f..554a4a900 100644 --- a/src/AirGap/StellaOps.AirGap.Time/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Time/AGENTS.md @@ -20,7 +20,7 @@ Manage trusted time anchors and staleness budgets for sealed environments, ensur - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Api/StellaOps.Api.Governance/AGENTS.md b/src/Api/StellaOps.Api.Governance/AGENTS.md index 51d8ac398..305de1f21 100644 --- a/src/Api/StellaOps.Api.Governance/AGENTS.md +++ b/src/Api/StellaOps.Api.Governance/AGENTS.md 
@@ -19,7 +19,7 @@ Enforce API contract quality through linting, compatibility checks, version poli - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Api/StellaOps.Api.OpenApi/AGENTS.md b/src/Api/StellaOps.Api.OpenApi/AGENTS.md index 8dd8deaf1..c2587927c 100644 --- a/src/Api/StellaOps.Api.OpenApi/AGENTS.md +++ b/src/Api/StellaOps.Api.OpenApi/AGENTS.md @@ -19,7 +19,7 @@ Maintain OpenAPI 3.1 specifications for every StellaOps service, compose the agg - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md b/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md index 66ece1535..027ee09f2 100644 
--- a/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md @@ -19,7 +19,7 @@ Provide deterministic DSSE envelope handling with multi-signature support, canon - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Attestor/StellaOps.Attestor.Types/AGENTS.md b/src/Attestor/StellaOps.Attestor.Types/AGENTS.md index dcba43a02..ef82753bd 100644 --- a/src/Attestor/StellaOps.Attestor.Types/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Types/AGENTS.md @@ -18,7 +18,7 @@ Define strongly typed, versioned schemas for all attestation payloads and provid - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md b/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md index 595f27736..bab743520 100644 --- a/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md @@ -18,7 +18,7 @@ Implement the verification engine that enforces attestation policies, issuer tru - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Attestor/StellaOps.Attestor/AGENTS.md b/src/Attestor/StellaOps.Attestor/AGENTS.md index 2b0878770..9c45820ab 100644 --- a/src/Attestor/StellaOps.Attestor/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor/AGENTS.md 
@@ -43,7 +43,7 @@ Deliver the API, workers, and storage that power signing, verification, and life - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Authority/StellaOps.Authority/AGENTS.md b/src/Authority/StellaOps.Authority/AGENTS.md index ac8866571..76fde15cd 100644 --- a/src/Authority/StellaOps.Authority/AGENTS.md +++ b/src/Authority/StellaOps.Authority/AGENTS.md @@ -24,7 +24,7 @@ Own the StellaOps Authority host service: ASP.NET minimal API, OpenIddict flows, - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md b/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md index be0d3fbe7..d676a93a4 100644 --- a/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md @@ -24,7 +24,7 @@ Own the Mongo-backed Standard identity provider plug-in and shared Authority plu - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Bench/StellaOps.Bench/AGENTS.md b/src/Bench/StellaOps.Bench/AGENTS.md index 8a4f8dddb..d790b5bc4 100644 --- a/src/Bench/StellaOps.Bench/AGENTS.md +++ b/src/Bench/StellaOps.Bench/AGENTS.md 
@@ -19,7 +19,7 @@ Design and maintain deterministic benchmark suites that measure StellaOps perfor - Existing benchmark notes in `docs/dev/perf/` (if present) and any sprint-specific design docs referenced by TASKS. ## Working Agreement -1. **State sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `src/Bench/StellaOps.Bench/TASKS.md` before/after work. +1. **State sync**: mark tasks `DOING`/`DONE` in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `src/Bench/StellaOps.Bench/TASKS.md` before/after work. 2. **Baseline references**: link commits/results for baseline metrics; update docs when targets shift. 3. **Deterministic harnesses**: avoid random seeds without explicit seeding; ensure benchmarks run offline with local fixtures. 4. **Safety**: guard against resource exhaustion—cap concurrency, add cleanup/finalizers, ensure containerised runs have limits. diff --git a/src/Cartographer/StellaOps.Cartographer/AGENTS.md b/src/Cartographer/StellaOps.Cartographer/AGENTS.md index c3e718d04..e3d172cc7 100644 --- a/src/Cartographer/StellaOps.Cartographer/AGENTS.md +++ b/src/Cartographer/StellaOps.Cartographer/AGENTS.md @@ -13,7 +13,7 @@ Build and operate the Cartographer service that materializes immutable SBOM prop ## Expectations - Keep builds deterministic; snapshots are write-once and content-addressed. - Tenancy and scope enforcement must match Authority policies (`graph:*`, `sbom:read`, `findings:read`). -- Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` when status changes. +- Update `TASKS.md`, `/docs/implplan/SPRINT_*.md` when status changes. - Provide fixtures and documentation so UI/CLI teams can simulate graphs offline. - Authority integration derives scope names from `StellaOps.Auth.Abstractions.StellaOpsScopes`; avoid hard-coded `graph:*` literals. 
@@ -21,7 +21,7 @@ Build and operate the Cartographer service that materializes immutable SBOM prop - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md b/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md index d93ff9ea8..ecb1af772 100644 --- a/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md +++ b/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md @@ -38,7 +38,7 @@ Out: business logic of jobs, HTML UI, authn/z (future). - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md index e26341344..25ed5bc17 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md @@ -44,7 +44,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md index bfa05f4da..0a55490b5 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md 
@@ -44,7 +44,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md index bc5f48ff4..c2e6c516a 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md @@ -44,7 +44,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md index cbf77b741..637f3f2e6 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md @@ -42,7 +42,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md index a5cdc81d4..20ee5f80e 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md 
@@ -31,7 +31,7 @@ Out: OVAL or package-level authority. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md index cfb80e8b3..f1b7e7e05 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md @@ -32,7 +32,7 @@ Out: package range authority; scraping behind auth walls. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md index 1c2e88390..71320e632 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md @@ -35,7 +35,7 @@ Out: connector-specific schemas/mapping rules, merge precedence. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md index 2b07a1475..4b75ef846 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md 
@@ -42,7 +42,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md index 2d50cd128..a87779067 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md @@ -31,7 +31,7 @@ Out: building RPM artifacts; cross-distro reconciliation beyond Red Hat. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md index f26909cf4..4a3937361 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md @@ -17,7 +17,7 @@ Implement and maintain the Ubuntu security advisory connector that ingests CVE/U - Ubuntu advisory format references linked from sprint notes (tasks should include source URLs). ## Working Agreement -1. **Status sync**: switch task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `TASKS.md` before/after work. +1. **Status sync**: switch task state to `DOING`/`DONE` in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `TASKS.md` before/after work. 2. **AOC adherence**: never derive severity or merge fields; store raw documents with provenance (`source`, `upstream`, `content`, `linkset`, `supersedes`). 3. **Deterministic parsing**: normalise timestamps to UTC ISO-8601, sort arrays, stabilise JSON output. 4. **Offline readiness**: ensure mirroring path works (no live network unless configured), document bundle usage. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md index a2642568b..8b0afbccf 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md 
@@ -43,7 +43,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md index 41dde7feb..cb49a041b 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md @@ -43,7 +43,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md index adcfb42f2..56d746e7b 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md @@ -32,7 +32,7 @@ Out: firmware downloads; reverse-engineering artifacts. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md index 18c6a4d3d..aca2defec 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md 
@@ -33,7 +33,7 @@ Out: overriding distro or PSIRT ranges without concrete evidence; scraping unoff - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md index 6e1552094..aef03536b 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md @@ -48,7 +48,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md index 2b6cca1ce..44b71a512 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md @@ -42,7 +42,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md index 6373a2870..9af05e038 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md 
@@ -30,7 +30,7 @@ Out: authoritative distro package ranges; vendor patch states. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md index 622804db4..75b5edd86 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md @@ -30,7 +30,7 @@ Out: vendor PSIRT and distro OVAL specifics. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md index de7172d85..e9b8938cc 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md @@ -42,7 +42,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md index 70c217e4e..f19ae908a 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md 
@@ -42,7 +42,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md index 77c053b42..03a9c3707 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md @@ -17,7 +17,7 @@ Provide the connector that ingests advisory mirror bundles produced by Export Ce - `docs/modules/airgap/airgap-mode.md` ## Working Agreement -1. **State updates**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `TASKS.md` when work begins/ends. +1. **State updates**: mark tasks `DOING`/`DONE` in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `TASKS.md` when work begins/ends. 2. **Provenance first**: record bundle identifiers (`bundle_id`, digests, time anchors) alongside every observation/linkset; never mutate raw documents. 3. **Deterministic replay**: implement cursor storage and re-run safety (same bundle yields identical outputs). 4. **Offline integrity**: validate signatures/hashes before ingest; emit actionable errors for stale/invalid bundles. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md index 0a00144d7..66a1e7547 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md @@ -32,7 +32,7 @@ Out: signing, package artifact downloads, non-Adobe product truth. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md index f651faa2c..99f959a6c 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md 
@@ -43,7 +43,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md index cd83f388d..8c1eb4199 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md @@ -32,7 +32,7 @@ Out: OS distro packaging semantics; bug bounty details beyond references. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md index 1ee0b6d0f..bbe3b58fc 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md @@ -34,7 +34,7 @@ Out of scope: Non-security Cisco release notes. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md index 9c4fff83e..4a725d30a 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md 
@@ -34,7 +34,7 @@ Out of scope: Non-security Microsoft release notes. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md index 3800fdfb1..2d2e55802 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md @@ -31,7 +31,7 @@ Out: signing or patch artifact downloads. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md index fb6bc51ce..92190808f 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md @@ -32,7 +32,7 @@ Out: customer portal authentication flows beyond public advisories; downloading - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md index 8dd14239a..483303f92 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md 
@@ -36,7 +36,7 @@ Out: business logic of connectors/exporters, HTTP handlers (owned by WebService) - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md index 50f704326..fcd4771ff 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md @@ -32,7 +32,7 @@ Out: ORAS push and Trivy DB BoltDB writing (owned by Trivy exporter). - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md index 04d849112..6add63f61 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md @@ -33,7 +33,7 @@ Out: signing (external pipeline), scanner behavior. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md index 069f3b9d5..f2b39b15d 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md 
@@ -37,7 +37,7 @@ Out: fetching/parsing, exporter packaging, signing. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md index ba5edb959..fcdd9c695 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md @@ -34,7 +34,7 @@ Out: fetching/parsing external schemas, storage, HTTP. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md index 9c5a7a1b5..69403c45d 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md @@ -17,11 +17,11 @@ Maintain helper utilities that normalise upstream advisory payloads into Conceli - `docs/modules/concelier/design/` materials if referenced by tasks. ## Working Agreement -1. **Synchronise status** in both `docs/implplan/SPRINTS.md` and `TASKS.md` when starting/finishing tasks. +1. **Synchronise status** in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `TASKS.md` when starting/finishing tasks. 2. **AOC compliance**: avoid adding severity, consensus, fix hints, or other derived fields—output raw upstream data plus provenance. 3. **Deterministic outputs**: enforce stable ordering (sorted arrays/objects), UTC timestamps, lowercase enum values as documented. 4. **Shared API stability**: version helpers when breaking changes are needed; communicate with connector guilds. 5. **Testing**: extend golden fixtures & property tests to catch regressions; ensure CI covers multi-source scenarios. 6. **Documentation**: update developer notes (add/refresh doc under `docs/modules/concelier`) when normalization contracts change. -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md index 2352c558d..c23bc04de 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md 
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md @@ -33,7 +33,7 @@ Out: business mapping logic, HTTP, packaging. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md b/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md index 83fe855bd..f2618cae9 100644 --- a/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md +++ b/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md @@ -19,7 +19,7 @@ Deliver the StellaOps developer portal with interactive API reference, SDK docum - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md b/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md index cd33014c5..93c36742a 100644 --- a/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md +++ b/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md @@ -32,7 +32,7 @@ Implement the append-only, tenant-scoped evidence locker detailed in Epic 15. Pr - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md b/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md index 6d6cda825..8d238f971 100644 --- a/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md +++ b/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md 
@@ -17,7 +17,7 @@ Ingest StellaOps VEX mirror bundles into Excititor, converting them into immutab - `docs/modules/concelier/operations/mirror.md` (shared mirror concepts) ## Working Agreement -1. **Status updates**: set tasks to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when work starts/finishes. +1. **Status updates**: set tasks to `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when work starts/finishes. 2. **Provenance preservation**: record bundle IDs, digests, and time anchors in stored observations; avoid derived fields. 3. **Deterministic replay**: ensure repeated imports of the same bundle produce identical documents; handle supersedes and delta bundles gracefully. 4. **Offline readiness**: no external network calls; provide clear errors for invalid or stale bundles. diff --git a/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md b/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md index e370fcf99..e39d7d846 100644 --- a/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md +++ b/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md @@ -29,7 +29,7 @@ Out: long-running ingestion loops (Worker), export rendering (Export module), co - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md b/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md index a9a6d2a3c..dc25793cf 100644 --- a/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md +++ b/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md @@ -27,7 +27,7 @@ Out: HTTP endpoint definitions, domain modeling, connector-specific parsing logi - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md index e97cb7efe..b08c1f8b2 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md 
@@ -27,7 +27,7 @@ Out: export artifact generation, storage persistence, CLI interaction layers. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md index 7c9fde126..42ac0bb7d 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md @@ -26,7 +26,7 @@ Out: provider-specific logic (implemented in individual connector modules), stor - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md index dcb4ccbfd..9baaa2e8d 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md @@ -27,7 +27,7 @@ Out: normalization/export, attestation, Mongo wiring (handled in other modules). - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md index 1f075579d..ac509d5b9 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md 
@@ -27,7 +27,7 @@ Out: normalization/export, attestation, storage implementations (handled elsewhe - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md index 9e321d725..76b21781a 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md @@ -27,7 +27,7 @@ Out: normalization/export, policy evaluation, storage implementation. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md index 6f2a9e37d..cb188cc59 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md @@ -27,7 +27,7 @@ Out: normalization, storage internals, export/attestation flows. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md index 35291837a..5260d1c88 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md 
@@ -29,7 +29,7 @@ Out: normalization, storage internals, attestation, general connector abstractio - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md index 6ebeeba3b..60c734965 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md @@ -27,7 +27,7 @@ Out: normalization/export tasks, storage layer implementation, attestation. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md index 28cdc546d..9007c7b21 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md @@ -27,7 +27,7 @@ Out: normalization/export, storage internals, attestation. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md index 66933408d..d9c8e3c8e 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md 
@@ -30,7 +30,7 @@ Out: Mongo persistence implementations, HTTP endpoints, background scheduling, c - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md index 476090d09..3a7bfbccf 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md @@ -27,7 +27,7 @@ Out: format-specific serialization (lives in Formats.*), policy evaluation (Poli - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md index 7a74c5e15..d520954b3 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md @@ -27,7 +27,7 @@ Out: HTTP fetching (connectors), storage persistence, attestation logic. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md index b1669a7ee..b3d456781 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md 
@@ -26,7 +26,7 @@ Out: Connector transport, storage, attestation; these rely on other modules. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md index f89a88343..779d9ff43 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md @@ -25,7 +25,7 @@ Out: OCI registry access, policy evaluation, attestation signing (handled by oth - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md index 2253a486e..b6a8afa24 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md @@ -27,7 +27,7 @@ Out: persistence/migrations, HTTP exposure, connector-specific trust logic (live - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md index dd74adbf3..e8e46172e 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md 
@@ -28,7 +28,7 @@ Out: domain modeling (Core), policy evaluation (Policy), HTTP surfaces (WebServi - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md index f69bef06e..1eeda0b05 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md @@ -18,7 +18,7 @@ Enable offline transfer and verification of attestations by building signed bund - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md index 0bdbd5c74..c2fa5f49c 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md @@ -18,7 +18,7 @@ Package developer portal assets, OpenAPI specs, and SDK binaries into reproducib - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md index 6d31c98a2..405a46b65 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md 
@@ -18,7 +18,7 @@ Produce offline-ready bundles of risk scoring factor datasets and provider metad - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md index 486268956..b1865c985 100644 --- a/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md @@ -22,7 +22,7 @@ Deliver the Export Center service described in Epic 10. Provide reproducible, - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Findings/StellaOps.Findings.Ledger/AGENTS.md b/src/Findings/StellaOps.Findings.Ledger/AGENTS.md index 97308d6a6..e47f07edd 100644 
--- a/src/Findings/StellaOps.Findings.Ledger/AGENTS.md +++ b/src/Findings/StellaOps.Findings.Ledger/AGENTS.md @@ -17,7 +17,7 @@ Operate the append-only Findings Ledger and projection pipeline powering the Vul 5. **Auditability** – Provide verifiable hashes, Merkle roots, and replay tooling for auditors. ## Collaboration -- Keep `src/Findings/StellaOps.Findings.Ledger/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized. +- Keep `src/Findings/StellaOps.Findings.Ledger/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized. - Publish schema docs, migrators, and replay scripts; coordinate with Vuln Explorer API on projection contracts. - Notify DevOps/Docs when Merkle root anchoring cadence or format changes. @@ -37,7 +37,7 @@ Operate the append-only Findings Ledger and projection pipeline powering the Vul - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Graph/StellaOps.Graph.Api/AGENTS.md b/src/Graph/StellaOps.Graph.Api/AGENTS.md index 031572173..e45d779c0 100644 --- a/src/Graph/StellaOps.Graph.Api/AGENTS.md +++ b/src/Graph/StellaOps.Graph.Api/AGENTS.md 
@@ -17,7 +17,7 @@ Provide tenant-scoped Graph Explorer APIs for search, query, paths, diffs, overl 5. **Observability** – Every query logs cost, latency, truncation, caching; metrics + traces integrated. ## Collaboration -- Maintain `src/Graph/StellaOps.Graph.Api/TASKS.md`, `../../docs/implplan/SPRINTS.md` alignment. +- Maintain `src/Graph/StellaOps.Graph.Api/TASKS.md`, `/docs/implplan/SPRINT_*.md` alignment. - Coordinate with Graph Indexer (storage contracts), Web Gateway, Console, CLI, Policy Engine, DevOps, and Docs teams. - Publish OpenAPI + JSON schema for queries and streaming tiles. @@ -37,7 +37,7 @@ Provide tenant-scoped Graph Explorer APIs for search, query, paths, diffs, overl - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Graph/StellaOps.Graph.Indexer/AGENTS.md b/src/Graph/StellaOps.Graph.Indexer/AGENTS.md index 3b78fa2f1..7a69bdb33 100644 --- a/src/Graph/StellaOps.Graph.Indexer/AGENTS.md +++ b/src/Graph/StellaOps.Graph.Indexer/AGENTS.md 
@@ -17,7 +17,7 @@ Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped proper 5. **Performance & telemetry** – Every job emits metrics (latency, node/edge counts, queue lag) and structured logs. ## Collaboration -- Keep `src/Graph/StellaOps.Graph.Indexer/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized. +- Keep `src/Graph/StellaOps.Graph.Indexer/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized. - Coordinate with SBOM Service, Policy Engine, Conseiller, Excitor, Scheduler, Web Gateway, and Console teams. - Publish schema docs and fixtures for clients; share cost/identity conventions across services. @@ -37,7 +37,7 @@ Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped proper - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md b/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md index 10d2cc39e..87b56cf2d 100644 --- a/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md +++ b/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md 
@@ -24,7 +24,7 @@ Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Le - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md b/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md index 1d5abbb6e..a4f932ddd 100644 --- a/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md +++ b/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md @@ -18,7 +18,7 @@ Deliver connected-environment tooling that assembles signed Mirror Bundles for a - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notifier/StellaOps.Notifier/AGENTS.md b/src/Notifier/StellaOps.Notifier/AGENTS.md index a30048d21..d56241dce 100644 
--- a/src/Notifier/StellaOps.Notifier/AGENTS.md +++ b/src/Notifier/StellaOps.Notifier/AGENTS.md @@ -21,7 +21,7 @@ Build Notifications Studio (Epic 11) so StellaOps delivers policy-aware, expla - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/StellaOps.Notify.WebService/AGENTS.md b/src/Notify/StellaOps.Notify.WebService/AGENTS.md index 639cc5636..68bc07d4a 100644 --- a/src/Notify/StellaOps.Notify.WebService/AGENTS.md +++ b/src/Notify/StellaOps.Notify.WebService/AGENTS.md @@ -8,7 +8,7 @@ Implement Notify control plane per `docs/modules/notify/ARCHITECTURE.md`. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Notify/StellaOps.Notify.Worker/AGENTS.md b/src/Notify/StellaOps.Notify.Worker/AGENTS.md index fe24a29c9..40b83bfde 100644 --- a/src/Notify/StellaOps.Notify.Worker/AGENTS.md +++ b/src/Notify/StellaOps.Notify.Worker/AGENTS.md @@ -8,7 +8,7 @@ Consume events, evaluate rules, and dispatch deliveries per `docs/modules/notify - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md index 4f475be59..a8c9e542c 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md 
@@ -8,7 +8,7 @@ Implement SMTP connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md index 8c081b518..c953fca05 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md @@ -8,7 +8,7 @@ Deliver Slack connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md index 9e5157764..0c8e0eff2 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md @@ -8,7 +8,7 @@ Implement Microsoft Teams connector plug-in per `docs/modules/notify/ARCHITECTUR - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md index a1820abe1..54827091a 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md 
@@ -8,7 +8,7 @@ Implement generic webhook connector plug-in per `docs/modules/notify/ARCHITECTUR - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md index a91af908d..ae6a0fd71 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md @@ -8,7 +8,7 @@ Deliver rule evaluation, digest, and rendering logic per `docs/modules/notify/AR - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md index 38556b6cd..ae524bbc0 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md @@ -8,7 +8,7 @@ Define Notify DTOs and contracts per `docs/modules/notify/ARCHITECTURE.md`. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md index 1aa11feab..e4f176a65 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md 
@@ -8,7 +8,7 @@ Provide event & delivery queues for Notify per `docs/modules/notify/ARCHITECTURE - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md index f7bfbea6a..89ca2f109 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md @@ -8,7 +8,7 @@ Implement Mongo persistence (rules, channels, deliveries, digests, locks, audit) - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md index e354e973f..f5b102ab7 100644 --- a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md @@ -14,7 +14,7 @@ Provide the official Go SDK for StellaOps orchestrated workers. Implement claim/ - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md index 74791c036..ef5a661cc 100644 --- a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md 
@@ -14,7 +14,7 @@ Publish the Python client library for StellaOps orchestrated workers. Provide as - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md index 9e77f99e0..1b50e5d68 100644 --- a/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md @@ -22,7 +22,7 @@ Build and operate the Source & Job Orchestrator control plane described in Epic - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md b/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md index a4f223903..3f05fa5db 100644 
--- a/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md +++ b/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md @@ -21,7 +21,7 @@ Host signed Task Pack bundles with provenance and RBAC for Epic 12. Ensure pac - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Policy/StellaOps.Policy.Engine/AGENTS.md b/src/Policy/StellaOps.Policy.Engine/AGENTS.md index 60f4007a3..2125c4c60 100644 --- a/src/Policy/StellaOps.Policy.Engine/AGENTS.md +++ b/src/Policy/StellaOps.Policy.Engine/AGENTS.md @@ -14,7 +14,7 @@ Stand up the Policy Engine runtime host that evaluates organization policies aga - Keep endpoints deterministic, cancellation-aware, and tenant-scoped. - Only Policy Engine identity performs writes to effective findings. - Coordinate with Concelier/Excititor/Scheduler guilds for linkset joins and orchestration inputs. -- Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` when status changes. +- Update `TASKS.md`, `/docs/implplan/SPRINT_*.md` when status changes. - Maintain compliance checklists and schema docs alongside code updates. ## Required Reading 
@@ -22,7 +22,7 @@ Stand up the Policy Engine runtime host that evaluates organization policies aga - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Policy/StellaOps.Policy.Registry/AGENTS.md b/src/Policy/StellaOps.Policy.Registry/AGENTS.md index 6417b3d30..72cc0edb6 100644 --- a/src/Policy/StellaOps.Policy.Registry/AGENTS.md +++ b/src/Policy/StellaOps.Policy.Registry/AGENTS.md @@ -17,7 +17,7 @@ Stand up and operate the Policy Registry service defined in Epic 4. We own works 5. **Auditable** – Every transition emits structured events with actor, scope, digest, attestation IDs. ## Collaboration -- Keep `src/Policy/StellaOps.Policy.Registry/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized. +- Keep `src/Policy/StellaOps.Policy.Registry/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized. - Coordinate API contracts with Policy Engine (`src/Policy/StellaOps.Policy.Engine`), Web Gateway (`src/Web/StellaOps.Web`), Console (`/console`), CLI (`src/Cli/StellaOps.Cli`), and Docs. - Publish or update OpenAPI specs under `src/Policy/StellaOps.Policy.Registry/openapi/` and hand them to client teams. 
@@ -38,7 +38,7 @@ Stand up and operate the Policy Registry service defined in Epic 4. We own works - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md b/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md index 4e752011b..f8a79d10a 100644 --- a/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md +++ b/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md @@ -19,7 +19,7 @@ Define and maintain the RiskProfile schema, validation rules, inheritance logic, - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md b/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md index 45abe7578..5ef48bb3d 100644 
--- a/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md +++ b/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md @@ -16,7 +16,7 @@ Deliver the policy engine outlined in `docs/modules/scanner/ARCHITECTURE.md` and - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md b/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md index d3011e3ef..1de01cd38 100644 --- a/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md +++ b/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md @@ -24,7 +24,7 @@ Provide shared libraries and tooling for generating, signing, and verifying prov - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md b/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md index 0c869719c..d8f2077bf 100644 --- a/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md +++ b/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md @@ -26,7 +26,7 @@ Design, build, and operate the scoring runtime that computes Risk Scoring Profil - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/SbomService/StellaOps.SbomService/AGENTS.md b/src/SbomService/StellaOps.SbomService/AGENTS.md index 2dc8a4ef3..c1a27a046 100644 --- a/src/SbomService/StellaOps.SbomService/AGENTS.md +++ b/src/SbomService/StellaOps.SbomService/AGENTS.md 
@@ -18,7 +18,7 @@ Expose normalized SBOM projections (components, relationships, scopes, entrypoin - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md index cd31a55bb..69399ced0 100644 --- a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md @@ -19,7 +19,7 @@ Deliver deterministic Deno language analyzers that normalise project inputs, rec - Deno package/docs linked in sprint notes (ensure understanding of import maps, lockfiles, cache behaviour). ## Working Agreement -1. **State synchronisation**: update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when work starts/finishes. +1. **State synchronisation**: update task status to `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when work starts/finishes. 2. **Surface integration**: use shared Surface libraries for env detection, cache access, secret retrieval, and validation. 3. **Deterministic processing**: no network fetches; rely on cached artifacts; stabilise ordering and timestamps. 4. **SBOM contract**: populate component data (PURLs, versions, relationships) without deriving policy decisions. 
diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md index 0653b50d7..255c5f14f 100644 --- a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md @@ -19,7 +19,7 @@ Build deterministic PHP analyzers that normalise composer-based projects, map de - Composer/autoload references noted in sprint tasks. ## Working Agreement -1. **Status updates**: reflect `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` before/after any change. +1. **Status updates**: reflect `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` before/after any change. 2. **Deterministic inputs**: avoid hitting remote composer registries; rely on local vendor/lockfiles; record config provenance. 3. **Surface compliance**: route env, cache, and secret lookups through shared Surface libraries; run Surface.Validation before analysis. 4. **SBOM integrity**: generate stable package identifiers, autoload edges, and bin scripts while abstaining from policy decisions. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md index 72bc2a43f..3979fc072 100644 --- a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md 
@@ -19,11 +19,11 @@ Provide deterministic Ruby analyzers that interpret bundler/gemspec ecosystems, - Bundler/gemspec references from sprint tasks. ## Working Agreement -1. **Synchronise task state** in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +1. **Synchronise task state** in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work. 2. **Offline guarantees**: rely on local gems cache/vendor directories; no network fetches; capture provenance for configs. 3. **Surface alignment**: route environment/cache/secret access via Surface libraries; run shared validators first. 4. **Deterministic outputs**: maintain stable ordering, normalised paths, and consistent hashing. 5. **Testing**: extend golden fixtures and determinism harness; cover edge cases (platform-specific gems, native extensions, Binstubs). 6. **Documentation**: update analyzer notes in implementation plan or add Ruby-focused design doc when behaviour evolves; coordinate with Docs if CLI/UI guides need updates. -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md index 454f8e230..8a7e3e316 100644 --- a/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md 
@@ -19,7 +19,7 @@ Deliver deterministic native binary analyzers that detect entrypoints, dependenc - Platform-specific loader references cited in sprint notes (e.g., ld.so, SafeDll search, dyld). ## Working Agreement -1. **Status sync** – set task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +1. **Status sync** – set task state to `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work. 2. **Surface usage** – run Surface.Validation, use Surface.Env for configuration, Surface.FS for cached artefacts, and Surface.Secrets for protected inputs. 3. **Determinism** – no host filesystem lookups; rely on virtual image roots; stabilise ordering and timestamps. 4. **AOC compliance** – emit observations/edges without severity or policy interpretation; include provenance and reason codes. diff --git a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md index e9e61b252..2cc5f4215 100644 --- a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md 
@@ -16,7 +16,7 @@ Implement the build-time SBOM generator described in `docs/modules/scanner/ARCHI - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md b/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md index d8a6695e0..92e09079e 100644 --- a/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md @@ -21,7 +21,7 @@ Operate the Scanner WebService API, orchestrating scan requests, queue interacti - `docs/modules/scheduler/architecture.md` (rescan interactions) ## Working Agreement -1. **Status updates**: change task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when you start/finish work. +1. **Status updates**: change task state to `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when you start/finish work. 2. **Contract-first changes**: update OpenAPI specs/test fixtures when APIs change; coordinate with CLI/UI consumers. 3. **Surface integration**: centralise cache/env/secret access via Surface libraries; run validators before executing handlers. 4. **Determinism**: queue IDs, report manifests, and export metadata must remain stable; avoid wall-clock usage in response payloads. 
diff --git a/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md b/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md index fbbdf87f6..b2979161b 100644 --- a/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md @@ -30,7 +30,7 @@ Out of scope: queue provider implementations, analyzer business logic, Mongo/obj - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md index 086aca859..357e0f03a 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md 
@@ -33,7 +33,7 @@ Create the .NET analyzer plug-in that inspects `*.deps.json`, `runtimeconfig.jso - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md index c5ada5a1a..e06d2fd56 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md @@ -35,7 +35,7 @@ Build the Go analyzer plug-in that reads Go build info, module metadata, and DWA - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md index 3f78ed0a2..db2b57609 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md @@ -19,7 +19,7 @@ Implement deterministic Java analyzers that normalise JVM/Build ecosystem inputs - Build system references linked from sprint tasks (Maven, Gradle, shading). ## Working Agreement -1. **Status synchronisation**: set tasks to `DOING`/`DONE` in `docs/implplan/SPRINTS.md` and local `TASKS.md` as work progresses. +1. **Status synchronisation**: set tasks to `DOING`/`DONE` in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` as work progresses. 2. **Surface usage**: rely on shared Surface libraries for env detection, cached artifacts, secret access, and validation. 3. **Deterministic outputs**: stabilise classpath ordering, canonicalise PURLs, and avoid network fetches; rely on local caches. 4. **SBOM accuracy**: produce consistent component/relationship data; no policy/severity decisions. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md index d0c5132f7..bc3641a26 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md 
@@ -43,7 +43,7 @@ Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md index 018c9a913..3f4bf0553 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md @@ -36,7 +36,7 @@ Implement the Python analyzer plug-in that inspects installed distributions, REC - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md index d6d95dbd4..4c240efb1 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md @@ -33,7 +33,7 @@ Develop the Rust analyzer plug-in that resolves crates from metadata (`.fingerpr - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md index 262a420fc..0f41ce04a 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md 
@@ -37,7 +37,7 @@ Deliver deterministic language ecosystem analyzers that run inside Scanner Worke - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md index 921fbcb0f..0cc23152f 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md @@ -44,7 +44,7 @@ Out of scope: - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md index d518c55cb..aa56085c1 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md @@ -19,7 +19,7 @@ Provide deterministic, offline-friendly caching primitives for scanner layers an - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md index eb0599cc3..874aa5104 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md 
@@ -33,7 +33,7 @@ Out: queue implementations, analyzer logic, storage adapters, HTTP endpoints, UI - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md index cad47c96a..ab71bc2a5 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md @@ -24,7 +24,7 @@ Deliver deterministic image-to-image component diffs grouped by layer with prove - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md index 7b5b68a13..0c2c04942 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md @@ -24,7 +24,7 @@ Assemble deterministic SBOM artifacts (inventory, usage, BOM index) from analyze - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md index adb6a9249..c295310e2 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md 
@@ -36,7 +36,7 @@ Resolve container `ENTRYPOINT`/`CMD` chains into deterministic call graphs that - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md index 892b70de2..60216b5bc 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md @@ -19,7 +19,7 @@ Deliver the scanner job queue backbone defined in `docs/modules/scanner/ARCHITEC - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md index 7227baad3..00f11b365 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md @@ -32,7 +32,7 @@ Out: HTTP endpoints, queue processing, analyzer logic, SBOM composition, policy - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md index 4adea7c00..1d9d9f35a 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md 
@@ -19,7 +19,7 @@ Provide strongly-typed configuration helpers for Scanner/Zastava components, enc - Deployment guides (`deploy/README.md`, `ops/devops/TASKS.md`) referencing scanner env vars. ## Working Agreement -1. **State sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` before/after changes. +1. **State sync**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` before/after changes. 2. **Deterministic parsing**: validate inputs once, emit structured errors, avoid direct `Environment.GetEnvironmentVariable` calls elsewhere. 3. **Compatibility**: version new keys; provide migration helpers and deprecation warnings; update docs + Ops templates. 4. **Testing**: maintain unit tests for parsing, validation, and fallback behaviour; include edge cases (missing, malformed, default override). diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md index 1204dcb4b..83c298ac3 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md 
@@ -20,11 +20,11 @@ Define and maintain the shared surface filesystem abstraction used by Scanner, Z - Offline kit notes referencing cache bundles. ## Working Agreement -1. **Status updates**: adjust task state in `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +1. **Status updates**: adjust task state in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work. 2. **Determinism**: manifests must be stable (ordered keys, normalised timestamps); avoid non-deterministic metadata. 3. **Security & tenancy**: enforce namespace separation, hash validation, and capability checks; integrate with Surface.Secrets for protected stores. 4. **Concurrency**: design for multi-writer safety with leases or idempotent writes; document locking expectations. 5. **Testing**: cover unit/integration scenarios (write/read, corruption handling, retention policies) and regression tests in Scanner/Zastava. 6. **Documentation**: update `surface-fs.md` and downstream guides when schema or API contracts evolve; coordinate with Ops for deployment changes. -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md index 5be6c743d..3c9282e0e 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md 
@@ -20,11 +20,11 @@ Provide a unified secret access layer for Scanner, Zastava, and related services - Security guidance in `docs/security/redaction-and-privacy.md` ## Working Agreement -1. **Status synchronisation**: update task state in both `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever you start or complete work. +1. **Status synchronisation**: update task state in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` whenever you start or complete work. 2. **Security posture**: enforce least privilege, short cache TTLs, redaction in logs, and Authority scope checks where applicable. 3. **Deterministic behaviour**: deterministic secret selection & failure modes; avoid random jitter unless documented. 4. **Offline readiness**: support sealed-mode bundles; document required manifest formats and verification steps. 5. **Testing**: add unit/integration tests for each backend, rotation scenario, and failure path; include air-gap fixtures. 6. **Documentation**: keep `surface-secrets.md` current; collaborate with DevOps to update Helm/Compose/offline-kit instructions. -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md index 8cf3e8f98..fb01ca6dd 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md 
@@ -19,7 +19,7 @@ Deliver an extensible validation framework that enforces preconditions for Surfa - `docs/modules/scheduler/architecture.md` ## Working Agreement -1. **Status sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when you begin/finish work. +1. **Status sync**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when you begin/finish work. 2. **Extensibility**: design validators to be SOLID-compliant; document registration patterns; avoid hard-coded logic in consumers. 3. **Deterministic diagnostics**: produce stable error codes/messages; support localisation if required. 4. **Integration**: ensure all Surface libraries and consumers call validators before operation; add regression tests in downstream modules when new checks land. diff --git a/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md b/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md index e2d6d8946..fd0fbfce0 100644 --- a/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md +++ b/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md @@ -8,7 +8,7 @@ Implement Scheduler control plane per `docs/modules/scheduler/ARCHITECTURE.md`. - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md index 40eb8dcd1..9bc4b33ed 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md @@ -8,7 +8,7 @@ Build the global impact index per `docs/modules/scheduler/ARCHITECTURE.md` (roar - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md index 53a8f2e79..0b081bc6a 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md 
@@ -8,7 +8,7 @@ Define Scheduler DTOs (Schedule, Run, ImpactSet, Selector, DeltaSummary) per `do - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md index 4981de6ba..5ebaeb36c 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md @@ -8,7 +8,7 @@ Provide queue abstraction (Redis Streams / NATS JetStream) for planner inputs an - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md index ba77d6bef..896267e65 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md @@ -8,7 +8,7 @@ Implement Mongo persistence (schedules, runs, impact cursors, locks, audit) per - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md index a4d54083a..e576db8ad 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md 
@@ -8,7 +8,7 @@ Implement Scheduler planners/runners per `docs/modules/scheduler/ARCHITECTURE.md - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md b/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md index 86669190a..f7416eaec 100644 --- a/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md +++ b/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md @@ -19,7 +19,7 @@ Generate and maintain official StellaOps SDKs across supported languages using r - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Sdk/StellaOps.Sdk.Release/AGENTS.md b/src/Sdk/StellaOps.Sdk.Release/AGENTS.md index 813c91997..63910999f 100644 --- a/src/Sdk/StellaOps.Sdk.Release/AGENTS.md 
+++ b/src/Sdk/StellaOps.Sdk.Release/AGENTS.md @@ -19,7 +19,7 @@ Own packaging, signing, publishing, and changelog automation for official Stella - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Signals/StellaOps.Signals/AGENTS.md b/src/Signals/StellaOps.Signals/AGENTS.md index daabe8d3d..eca67231a 100644 --- a/src/Signals/StellaOps.Signals/AGENTS.md +++ b/src/Signals/StellaOps.Signals/AGENTS.md 
@@ -8,14 +8,14 @@ Provide language-agnostic collection, normalization, and scoring of reachability - Support incremental ingestion (per asset + snapshot) and expose caches for fast policy evaluation. - Coordinate with SBOM/Policy/Console guilds on schema changes and UI expectations. - Implement guardrails for large artifacts, authentication, and privacy (no PII). -- Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` as work progresses. +- Update `TASKS.md`, `/docs/implplan/SPRINT_*.md` as work progresses. ## Required Reading - `docs/modules/zastava/architecture.md` - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Signer/StellaOps.Signer/AGENTS.md b/src/Signer/StellaOps.Signer/AGENTS.md index 05b979d0e..76935b130 100644 --- a/src/Signer/StellaOps.Signer/AGENTS.md +++ b/src/Signer/StellaOps.Signer/AGENTS.md 
@@ -25,7 +25,7 @@ Operate the Stella Ops Signer service: authenticate trusted callers, enforce p - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md b/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md index 9e62b6555..30cdd8a08 100644 --- a/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md +++ b/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md @@ -21,7 +21,7 @@ Execute Task Packs safely and deterministically. Provide remote pack execution, - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md b/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md index b16d56870..596e58e36 100644 
--- a/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md +++ b/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md @@ -25,7 +25,7 @@ Deliver shared observability primitives for every StellaOps service. Provide det - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md b/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md index 135530426..09334ac12 100644 --- a/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md +++ b/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md @@ -32,7 +32,7 @@ Build the tenant-scoped timeline ingestion and query service described in Epic 1 - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. 
diff --git a/src/UI/StellaOps.UI/AGENTS.md b/src/UI/StellaOps.UI/AGENTS.md index 745c04702..d647fa591 100644 --- a/src/UI/StellaOps.UI/AGENTS.md +++ b/src/UI/StellaOps.UI/AGENTS.md @@ -19,7 +19,7 @@ Deliver a performant, accessible Angular console that surfaces Scanner/Policy/Za - Component-specific design docs referenced in `src/UI/StellaOps.UI/TASKS.md` (e.g., Link-Not-Merge, AOC dashboards) ## Working Agreement -1. **State management**: update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `src/UI/StellaOps.UI/TASKS.md` before starting/after finishing work. +1. **State management**: update task status to `DOING`/`DONE` in both corresponding sprint file `docs/implplan/SPRINT_*.md` and `src/UI/StellaOps.UI/TASKS.md` before starting/after finishing work. 2. **Contract-first changes**: coordinate with API owners when modifying contracts; regenerate SDKs; update mocks and unit/e2e tests. 3. **Accessibility**: adhere to WCAG 2.1 AA—run axe tests, ensure keyboard navigation, contrast, and localisation readiness. 4. **Determinism**: stabilise timestamps/randomness in UI outputs so screenshots/tests remain reproducible; rely on fixture data. diff --git a/src/VexLens/StellaOps.VexLens/AGENTS.md b/src/VexLens/StellaOps.VexLens/AGENTS.md index 3548afd83..be41b3d7a 100644 --- a/src/VexLens/StellaOps.VexLens/AGENTS.md +++ b/src/VexLens/StellaOps.VexLens/AGENTS.md @@ -16,7 +16,7 @@ Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes de 5. **Secure & auditable** – signature verification, issuer metadata, logging of conflicts, support for compliance queries. ## Collaboration -- Keep `src/VexLens/StellaOps.VexLens/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized. +- Keep `src/VexLens/StellaOps.VexLens/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized. - Share schemas/OpenAPI with Console & CLI; publish mapping docs and test fixtures. - Coordinate with Policy Engine on trust knobs and Vuln Explorer on UI integration. 
@@ -34,7 +34,7 @@ Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes de - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md b/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md index 6cbd123ca..4f3440d9f 100644 --- a/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md +++ b/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md @@ -16,7 +16,7 @@ Expose policy-aware vulnerability listing, detail, simulation, workflow, and exp 5. **Secure** – RBAC/ABAC enforced server-side; exports signed; attachments served via scoped URLs. ## Collaboration -- Keep `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized. +- Keep `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized. - Coordinate schemas with Findings Ledger, Console, CLI, and Docs; publish OpenAPI + JSON schemas. - Work with DevOps/Observability for performance dashboards and SLOs. 
@@ -34,7 +34,7 @@ Expose policy-aware vulnerability listing, detail, simulation, workflow, and exp - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Web/StellaOps.Web/AGENTS.md b/src/Web/StellaOps.Web/AGENTS.md index e35427ddf..2bdaa9694 100644 --- a/src/Web/StellaOps.Web/AGENTS.md +++ b/src/Web/StellaOps.Web/AGENTS.md @@ -27,7 +27,7 @@ Design and build the StellaOps web user experience that surfaces backend capabil - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md b/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md index c7c251218..113ef0c23 100644 --- a/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md 
+++ b/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md @@ -20,7 +20,7 @@ Implement the node-level observer that monitors running workloads, detects drift - Any runtime-specific design notes referenced in `TASKS.md`. ## Working Agreement -1. **Status updates**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +1. **Status updates**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work. 2. **Surface compliance**: rely on Surface libraries for cache/env/secret handling; run validators before collecting evidence. 3. **Deterministic evidence**: normalise timestamps, hashes, and paths; ensure outputs remain stable for replay/audit. 4. **Security**: enforce Authority scopes (OpToks, mTLS/DPoP), redaction of sensitive fields, and namespace isolation. diff --git a/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md b/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md index 27804c0d6..635d4e7f9 100644 --- a/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md +++ b/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md @@ -21,7 +21,7 @@ Operate the Kubernetes admission webhook enforcing image/SBOM/attestation polici - `docs/modules/devops/runbooks/zastava-deployment.md` ## Working Agreement -1. **Task state**: update `docs/implplan/SPRINTS.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work. +1. **Task state**: update corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work. 2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies. 3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs. 4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions. 
diff --git a/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md b/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md index 1c8a77e7f..bbc698d75 100644 --- a/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md +++ b/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md @@ -20,7 +20,7 @@ Maintain shared domain models, policy evaluation helpers, and event contracts us - `docs/modules/devops/runbooks/zastava-deployment.md` ## Working Agreement -1. **Status alignment**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` at start/finish. +1. **Status alignment**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` at start/finish. 2. **Compatibility**: version event schemas/models; provide migration notes and ensure Observer/Webhook consumers stay in lock-step. 3. **Determinism**: avoid wall-clock or random values in shared models; normalise timestamps; maintain canonical ordering. 4. **Security & tenancy**: include tenant identifiers and audit fields where required; document contract changes for other guilds. diff --git a/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md b/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md index 83a7e34f9..22fc9577f 100644 --- a/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md +++ b/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md 
@@ -17,7 +17,7 @@ Provide key management abstractions and drivers (file, cloud KMS, HSM, FIDO2) fo - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/__Libraries/StellaOps.Cryptography/AGENTS.md b/src/__Libraries/StellaOps.Cryptography/AGENTS.md index 0fddd8519..1b3c2d88b 100644 --- a/src/__Libraries/StellaOps.Cryptography/AGENTS.md +++ b/src/__Libraries/StellaOps.Cryptography/AGENTS.md @@ -25,7 +25,7 @@ Team 8 owns the end-to-end security posture for StellaOps Authority and its cons - `docs/modules/platform/architecture-overview.md` ## Working Agreement -- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. diff --git a/src/__Libraries/StellaOps.Plugin/AGENTS.md b/src/__Libraries/StellaOps.Plugin/AGENTS.md index b957f62d8..819175014 100644 
--- a/src/__Libraries/StellaOps.Plugin/AGENTS.md +++ b/src/__Libraries/StellaOps.Plugin/AGENTS.md @@ -17,7 +17,7 @@ Maintain the shared plugin infrastructure used across StellaOps services (Scanne - `docs/modules/excititor/architecture.md` ## Working Agreement -1. **Status sync**: update task state to `DOING`/`DONE` in `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever work begins/ends. +1. **Status sync**: update task state to `DOING`/`DONE` in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` whenever work begins/ends. 2. **Deterministic loading**: maintain ordered, reproducible plugin discovery; enforce hash verification/whitelists as documented. 3. **Security**: validate manifests, restrict assembly loading paths, and expose capability checks to hosts; document hardening guidance. 4. **Compatibility**: version public APIs carefully; provide migration guides when breaking changes occur.
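Review bot: "correspoding" is misspelled in the added Working Agreement item 1 of the VEX Consensus Lens charter (`@@ -34,7 +34,7 @@`), and the same added line is repeated verbatim in the StellaOps.VulnExplorer.Api, StellaOps.Web, StellaOps.Cryptography.Kms and StellaOps.Cryptography charters. The phrase also needs an article: "in both the corresponding sprint file `docs/implplan/SPRINT_*.md` and the local `TASKS.md`". Since the line is copied into every charter, fix it once and re-apply it so the typo does not spread through future copies.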
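Review bot: the Collaboration bullet in `src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md` (`@@ -16,7 +16,7 @@`) replaces the relative `../../docs/implplan/SPRINTS.md` with `/docs/implplan/SPRINT_*.md`, and the leading slash reads as a filesystem root rather than the repository root. The root `AGENTS.md` in this same change writes the path as `docs/implplan/SPRINT_*.md`, so use that form here as well. The bullet also now asks to keep `TASKS.md` synchronized with a glob; say "the corresponding sprint file" as the Working Agreement lines do, so it is clear that one file is meant and not every match.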
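Review bot: the three Zastava charters end up with three different wordings for the same rule. StellaOps.Zastava.Observer and StellaOps.Zastava.Core (`@@ -20,7 +20,7 @@`) say "in both sprint file `/docs/implplan/SPRINT_*.md`", with no article, no "corresponding" and a leading slash, while StellaOps.Zastava.Webhook (`@@ -21,7 +21,7 @@`) says "corresponding sprint file `docs/implplan/SPRINT_*.md`" without the slash. Pick one phrasing and one path form for all three, for example "in both the corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md`".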
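Review bot: in `src/__Libraries/StellaOps.Plugin/AGENTS.md` (`@@ -17,7 +17,7 @@`) item 1 now points at `docs/implplan/SPRINT_*.md`, a glob that can match several files, but nothing in the line says how a contributor or agent decides which sprint file is the "corresponding" one. The previous text named a single file, so the instruction was unambiguous; with the glob, state the selection rule in the charter (for example, the sprint file that lists the task) or link to where it is defined. The same gap applies to every charter touched by this change, so the rule is best documented once in the root `AGENTS.md` and referenced from here.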