Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

This commit is contained in:
StellaOps Bot
2025-12-10 21:34:38 +02:00
369 changed files with 11307 additions and 14219 deletions


@@ -54,8 +54,7 @@
* **Fulcio** (Sigstore CA) — issues shortlived signing certs (keyless).
* **Rekor v2** (tilebacked transparency log).
* **RustFS** — offline-first object store with deterministic REST API (S3/MinIO fallback available for legacy installs).
* **PostgreSQL** (≥15) — control-plane storage with per-module schema isolation (auth, vuln, vex, scheduler, notify, policy). See [Database Architecture](#database-architecture-postgresql).
* **MongoDB** (≥7) — legacy catalog support; being phased out in favor of PostgreSQL for control-plane domains.
* **PostgreSQL** (≥16) — primary control-plane storage with per-module schema isolation (authority, vuln, vex, scheduler, notify, policy, concelier). See [Database Architecture](#database-architecture-postgresql).
* **Queue** — Redis Streams / NATS / RabbitMQ (pluggable).
* **OCI Registry** — must support **Referrers API** (discover SBOMs/signatures).
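Review bot: the new PostgreSQL bullet lists the schemas as `authority, vuln, vex, scheduler, notify, policy, concelier`, but the local-postgres doc touched in this same commit pre-creates an `audit` schema as well; either add `audit` here or drop it from the init scripts so the two lists agree. The minimum version also moves from ≥15 to ≥16 in the same line that retires MongoDB; if that bump is deliberate it deserves its own mention (it affects existing installs on 15), otherwise keep ≥15.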
@@ -87,7 +86,7 @@ flowchart LR
UI[Web UI (Angular)]
Z[Zastava\n(Runtime Inspector/Enforcer)]
RFS[(RustFS object store)]
MGO[(MongoDB)]
PG[(PostgreSQL)]
QUE[(Queue/Streams)]
end
@@ -100,9 +99,9 @@ flowchart LR
SW -->|jobs| QUE
QUE --> WK
WK --> RFS
SW --> MGO
CONC --> MGO
EXC --> MGO
SW --> PG
CONC --> PG
EXC --> PG
UI --> SW
Z --> SW
@@ -200,7 +199,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
### 4.1 Concelier (advisories)
* Ingests vendor, distro, OSS feeds; normalizes & merges; persists canonical advisories in Mongo; exports **deterministic JSON** and **Trivy DB**.
* Ingests vendor, distro, OSS feeds; normalizes & merges; persists canonical advisories in PostgreSQL; exports **deterministic JSON** and **Trivy DB**.
* Offline kit bundles for airgapped sites.
### 4.2 Excititor (VEX)
@@ -296,6 +295,8 @@ StellaOps uses PostgreSQL for all control-plane data with **per-module schema is
**Detailed documentation:** See [`docs/db/`](db/README.md) for full specification, coding rules, and phase-by-phase conversion tasks.
**Operations guide:** See [`docs/operations/postgresql-guide.md`](operations/postgresql-guide.md) for performance tuning, monitoring, backup/restore, and scaling.
**Retention**
* RustFS applies retention via `X-RustFS-Retain-Seconds`; Scanner.WebService GC decrements `refCount` and deletes unreferenced metadata; S3/MinIO fallback retains native Object Lock when enabled.
@@ -448,11 +449,11 @@ services:
* **Binary prerequisites (offline-first):**
* Single curated NuGet location: `local-nugets/` holds the `.nupkg` feed (hashed in `manifest.json`) and the restore output (`local-nugets/packages`, configured via `NuGet.config`).
* NuGet packages restore from standard feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org) to the global NuGet cache. For air-gapped environments, use `dotnet restore --source <offline-feed-path>` pointing to a local `.nupkg` mirror.
* Non-NuGet binaries (plugins/CLIs/tools) are catalogued with SHA-256 in `vendor/manifest.json`; air-gap bundles are registered in `offline/feeds/manifest.json`.
* CI guard: `scripts/verify-binaries.sh` blocks binaries outside approved roots; offline restores use `dotnet restore --source local-nugets` with `OFFLINE=1` (override via `ALLOW_REMOTE=1`).
* CI guard: `scripts/verify-binaries.sh` blocks binaries outside approved roots; offline restores use `dotnet restore --source <offline-feed>` with `OFFLINE=1` (override via `ALLOW_REMOTE=1`).
* **Backups:** Mongo dumps; RustFS snapshots (or S3 versioning when fallback driver is used); Rekor v2 DB snapshots; JWKS/Fulcio/KMS key rotation.
* **Backups:** PostgreSQL dumps (pg_dump) and WAL archiving; RustFS snapshots (or S3 versioning when fallback driver is used); Rekor v2 DB snapshots; JWKS/Fulcio/KMS key rotation. See [`docs/operations/postgresql-guide.md`](operations/postgresql-guide.md).
* **Ops runbooks:** Scheduler catchup after Concelier/Excititor recovery; connector key rotation (Slack/Teams/SMTP).
* **SLOs & alerts:** lag between Concelier/Excititor export and first rescan verdict; delivery failure rates by channel.
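Review bot: the backups bullet now reads "PostgreSQL dumps (pg_dump) and WAL archiving", but archived WAL is only restorable when paired with periodic base backups (`pg_basebackup`); `pg_dump` output cannot consume archived WAL, so either name the base-backup step here or say explicitly that the linked guide covers it. Separately, the prerequisites bullet refers to `nuget.config` while the line it replaces used `NuGet.config`; confirm the on-disk casing, since restores on Linux CI are case-sensitive, and use one placeholder in both bullets (currently `<offline-feed-path>` versus `<offline-feed>`).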


@@ -391,3 +391,5 @@ See the detailed rules in
* **Sovereign mode rationale:** `/sovereign/`
* **Security policy:** `/security/#reporting-a-vulnerability`
* **CERT-Bund snapshots:** `python src/Tools/certbund_offline_snapshot.py --help` (see `docs/modules/concelier/operations/connectors/certbund.md`)
* **PostgreSQL operations:** `docs/operations/postgresql-guide.md` - performance tuning, monitoring, backup/restore, and scaling
* **Database specification:** `docs/db/SPECIFICATION.md` - schema design, migration patterns, and module ownership


@@ -1,6 +1,6 @@
# Advisory AI Guardrails & Evidence Intake
_Updated: 2025-11-24 · Owner: Advisory AI Docs Guild · Status: Published (Sprint 0111)_
_Updated: 2025-12-09 | Owner: Advisory AI Docs Guild | Status: Ready to publish (Sprint 0111 / AIAI-DOCS-31-001)_
This note captures the guardrail behaviors and evidence intake boundaries required by Sprint 0111 tasks (`AIAI-DOCS-31-001`, `AIAI-RAG-31-003`). It binds Advisory AI guardrails to upstream evidence sources and clarifies how Link-Not-Merge (LNM) documents flow into Retrieval-Augmented Generation (RAG) payloads.
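Review bot: the status line moves backwards from `Published` to `Ready to publish`; if the page is already live, a reverse transition should say what un-published it, otherwise keep `Published` and only bump the date and add the `AIAI-DOCS-31-001` reference.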
@@ -8,15 +8,18 @@ This note captures the guardrail behaviors and evidence intake boundaries requir
**Upstream readiness gates (now satisfied)**
- CLI guardrail artefacts landed on 2025-11-19: `out/console/guardrails/cli-vuln-29-001/` (`sample-vuln-output.ndjson`, `sample-sbom-context.json`) and `out/console/guardrails/cli-vex-30-001/` (`sample-vex-output.ndjson`). Hashes are recorded in `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` and must be copied into Offline Kits.
- Policy hash must be pinned (`policyVersion`, see `docs/policy/assistant-parameters.md`) before enabling non-default profiles.
- LNM linksets stay the single source of truth; Advisory AI refuses ad-hoc advisory payloads even if upstream artefacts drift.
- CLI guardrail artefacts (2025-11-19) are sealed at `out/console/guardrails/cli-vuln-29-001/` and `out/console/guardrails/cli-vex-30-001/`; hashes live in `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md`.
- Policy pin: set `policyVersion=2025.11.19` per `docs/policy/assistant-parameters.md` before enabling non-default profiles.
- SBOM context service is live: the 2025-12-08 smoke against `/sbom/context` produced `sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d` with evidence in `evidence-locker/sbom-context/2025-12-08-response.json` and offline mirror `offline-kit/advisory-ai/fixtures/sbom-context/2025-12-08/`.
- DEVOPS-AIAI-31-001 landed: deterministic CI harness at `ops/devops/advisoryai-ci-runner/run-advisoryai-ci.sh` emits binlog/TRX/hashes for Advisory AI.
- **Advisory observations (LNM)** — Consume immutable `advisory_observations` and `advisory_linksets` produced per `docs/modules/concelier/link-not-merge-schema.md` (frozen v1, 2025-11-17).
- **VEX statements** — Excititor + VEX Lens linksets with trust weights; treated as structured chunks with `source_id` and `confidence`.
- **SBOM context** — `SBOM-AIAI-31-001` contract: timelines and dependency paths retrieved via `ISbomContextRetriever` (`AddSbomContextHttpClient`), default clamps 500 timeline entries / 200 paths.
- **Policy explain traces** — Policy Engine digests referenced by `policyVersion`; cache keys include policy hash to keep outputs replayable.
- **Runtime posture (optional)** — Zastava signals (`exposure`, `admissionStatus`) when provided by Link-Not-Merge-enabled tenants; optional chunks tagged `runtime`.
**Evidence feeds**
- Advisory observations (LNM) - consume immutable `advisory_observations` and `advisory_linksets` produced per `docs/modules/concelier/link-not-merge-schema.md` (frozen v1, 2025-11-17).
- VEX statements - Excititor + VEX Lens linksets with trust weights; treated as structured chunks with `source_id` and `confidence`.
- SBOM context - `SBOM-AIAI-31-001` contract: timelines and dependency paths retrieved via `ISbomContextRetriever` (`AddSbomContextHttpClient`), default clamps 500 timeline entries / 200 paths.
- Policy explain traces - Policy Engine digests referenced by `policyVersion`; cache keys include policy hash to keep outputs replayable.
- Runtime posture (optional) - Zastava signals (`exposure`, `admissionStatus`) when provided by Link-Not-Merge-enabled tenants; optional chunks tagged `runtime`.
All evidence items must carry `content_hash` + `source_id`; Advisory AI never mutates or merges upstream facts (Aggregation-Only Contract).
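Review bot: the removed gate "LNM linksets stay the single source of truth; Advisory AI refuses ad-hoc advisory payloads even if upstream artefacts drift" has no replacement in the new readiness list, and the LNM guard later in the document only rejects requests that lack linkset-backed evidence, so the drift case (artefacts present but diverging from the linkset) is now unstated. Suggest keeping that sentence, for example under the new "Evidence feeds" heading next to the Aggregation-Only Contract line.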
@@ -24,13 +27,13 @@ All evidence items must carry `content_hash` + `source_id`; Advisory AI never mu
1. **Pre-flight sanitization**
- Redact secrets (AWS-style keys, PEM blobs, generic tokens).
- Strip prompt-injection phrases; enforce max input payload 16kB (configurable, default).
- Strip prompt-injection phrases; enforce max input payload 16kB (configurable, default).
- Reject requests missing `advisoryKey` or linkset-backed evidence (LNM guard).
2. **Prompt assembly**
- Deterministic section order: advisory excerpts VEX statements SBOM deltas policy traces runtime hints.
- Vector previews capped at 600 chars + ellipsis; section budgets fixed per profile (`default`, `fips-local`, `gost-local`, `cloud-openai`); budgets live in `profiles.catalog.json` and are hashed into DSSE provenance.
- Deterministic section order: advisory excerpts -> VEX statements -> SBOM deltas -> policy traces -> runtime hints.
- Vector previews capped at 600 chars + ellipsis; section budgets fixed per profile (`default`, `fips-local`, `gost-local`, `cloud-openai`) in `profiles.catalog.json` and hashed into DSSE provenance.
3. **LLM invocation (local/remote)**
- Profiles selected via `profile` field; remote profiles require Authority tenant consent and `advisory-ai:operate` + `aoc:verify`.
- Profiles selected via `profile` field; remote profiles require Authority tenant consent plus `advisory-ai:operate` and `aoc:verify`.
4. **Validation & citation enforcement**
- Every emitted fact must map to an input chunk (`source_id` + `content_hash`); citations serialized as `[n]` in Markdown.
- Block outputs lacking citations, exceeding section budgets, or including unredacted PII.
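Review bot: the max-payload bullet is replaced by a line that reads identically, so this is presumably a whitespace or Unicode normalisation change; while touching it, "16kB (configurable, default)" is still ambiguous about whether 16kB is the default or a hard ceiling, and "default 16 kB, configurable" would settle it. The rewritten section-order line with `->` is a clear improvement over the arrow-less original.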
@@ -53,17 +56,21 @@ Metrics: `advisory_ai_guardrail_blocks_total`, `advisory_ai_outputs_stored_total
See `docs/advisory-ai/evidence-payloads.md` for full JSON examples and alignment rules.
## 4) Compliance with upstream artefacts
## 4) Compliance with upstream artefacts and verification
- References: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `DEVOPS-AIAI-31-001`.
- Guardrails must remain compatible with `docs/policy/assistant-parameters.md`; configuration knobs documented there are authoritative for env vars and defaults.
- References: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `DEVOPS-AIAI-31-001`, `SBOM-AIAI-31-001`.
- CLI fixtures: expected hashes `421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18` (sample SBOM context) and `e5aecfba5cee8d412408fb449f12fa4d5bf0a7cb7e5b316b99da3b9019897186` / `2b11b1e2043c2ec1b0cb832c29577ad1c5cbc3fbd0b379b0ca0dee46c1bc32f6` (sample vuln/vex outputs). Verify with `sha256sum --check docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md`.
- SBOM context: fixture hash `sha256:421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18`; live SbomService smoke (2025-12-08) hash `sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d` stored in `evidence-locker/sbom-context/2025-12-08-response.json` and mirrored under `offline-kit/advisory-ai/fixtures/sbom-context/2025-12-08/`.
- CI harness: `ops/devops/advisoryai-ci-runner/run-advisoryai-ci.sh` emits `ops/devops/artifacts/advisoryai-ci/<UTC>/build.binlog`, `tests/advisoryai.trx`, and `summary.json` with SHA256s; include the latest run when shipping Offline Kits.
- Policy compatibility: guardrails must remain compatible with `docs/policy/assistant-parameters.md`; configuration knobs documented there are authoritative for env vars and defaults.
- Packaging tasks (AIAI-PACKAGING-31-002) must include this guardrail summary in DSSE metadata to keep Offline Kit parity.
## 5) Operator checklist
- [ ] LNM feed enabled and Concelier schemas at v1 (2025-11-17).
- [ ] SBOM retriever configured or `NullSbomContextClient` left as safe default.
- [ ] Policy hash pinned via `policyVersion` when reproducibility is required.
- [ ] CLI guardrail artefact hashes verified against `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` and mirrored into Offline Kits.
- [ ] Remote profiles only after Authority consent and profile allowlist are set.
- [ ] Cache directories shared between web + worker hosts for DSSE sealing.
- LNM feed enabled and Concelier schemas at v1 (2025-11-17).
- SBOM retriever configured or `NullSbomContextClient` left as safe default; verify latest context hash (`sha256:0c705259f...d600d`) or fixture hash (`sha256:421af53f9...9d18`) before enabling remediation tasks.
- Policy hash pinned via `policyVersion` when reproducibility is required.
- CLI guardrail artefact hashes verified against `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` and mirrored into Offline Kits.
- CI harness run captured from `ops/devops/advisoryai-ci-runner/run-advisoryai-ci.sh`; store `summary.json` alongside doc promotion.
- Remote profiles only after Authority consent and profile allowlist are set.
- Cache directories shared between web + worker hosts for DSSE sealing.
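Review bot: `sha256sum --check docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` only works if that Markdown file consists solely of `<hash>  <path>` lines; on an ordinary Markdown document sha256sum reports that no properly formatted checksum lines were found. Either ship a separate `.sha256` manifest beside the doc and check that, or list the three expected hashes with their file names in a fenced block that can be fed to `sha256sum -c`. The operator checklist also loses its `- [ ]` task-list syntax in the rewrite; keeping the checkboxes lets the rendered page be ticked off.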


@@ -1,6 +1,6 @@
# Local PostgreSQL for StellaOps (Scheduler focus)
# Local PostgreSQL for StellaOps
This doc describes how to bring up a local PostgreSQL 17 instance for Scheduler development and tests.
This doc describes how to bring up a local PostgreSQL 17 instance for development and tests.
## Quick start (Docker)
@@ -15,10 +15,17 @@ Defaults:
- Password: `stella`
- Database: `stella`
Features enabled:
- `pg_stat_statements` for query performance analysis
- Pre-created schemas: authority, vuln, vex, scheduler, notify, policy, concelier, audit
- Extensions: pg_trgm, btree_gin, pgcrypto
Verify:
```bash
docker ps --filter name=stella-postgres
docker exec -it stella-postgres psql -U stella -d stella -c 'select version();'
docker exec -it stella-postgres psql -U stella -d stella -c 'SELECT version();'
docker exec -it stella-postgres psql -U stella -d stella -c '\dn' # List schemas
docker exec -it stella-postgres psql -U stella -d stella -c '\dx' # List extensions
```
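Review bot: the verify commands use `docker exec -it`, which fails with "the input device is not a TTY" when pasted into a CI step or a script run without a terminal; each command is a one-shot `psql -c`, so `docker exec stella-postgres psql ...` without `-it` works in both interactive and scripted use. Also, listing `pg_stat_statements` under "Features enabled" is only true if the image is started with `shared_preload_libraries=pg_stat_statements`; `\dx` showing the extension does not prove the collector is loaded, so the doc should say where that setting lives.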
Stop/cleanup:
@@ -39,37 +46,16 @@ docker volume rm stella-postgres-data
- `PGPASSWORD=stella`
- `PGDATABASE=stella`
## Using with Scheduler Postgres storage
- Scheduler Postgres repositories connect via `SchedulerDataSource` using tenant-aware connections; for local work set your appsettings or environment to the connection string above.
- Integration tests currently rely on Testcontainers; if Docker is available the tests will spin up their own isolated container. When Docker is unavailable, run against this local instance by exporting the variables above and disabling Testcontainers in your local run configuration if supported.
## Using with module storage
- Module repositories connect via their respective DataSource types using tenant-aware connections; for local work set your appsettings or environment to the connection string above.
- Integration tests rely on Testcontainers; if Docker is available the tests will spin up their own isolated container. When Docker is unavailable, run against this local instance by exporting the environment variables above.
## Notes
- Image: `postgres:17` (latest GA at time of writing).
- Healthcheck is built into the compose service; wait for `healthy` before running tests.
- Keep volumes deterministic: the compose file names the volume `stella-postgres-data`.
- Schemas are pre-created via init scripts in `ops/devops/local-postgres/init/`.
## Scheduler Mongo → Postgres backfill
## Operations guide
Use the new `Scheduler.Backfill` tool to copy Scheduler data from MongoDB into the Postgres schema.
```bash
dotnet run \
--project src/Scheduler/Tools/Scheduler.Backfill/Scheduler.Backfill.csproj \
--mongo "${MONGO_CONNECTION_STRING:-mongodb://localhost:27017}" \
--mongo-db "${MONGO_DATABASE:-stellaops_scheduler}" \
--pg "Host=localhost;Port=5432;Username=stella;Password=stella;Database=stella" \
--batch 500
```
Flags:
- `--dry-run` to validate without writing.
- `--batch` to tune insert batch size (defaults to 500).
What it does:
- Reads `schedules` and `runs` collections.
- Serialises documents with `CanonicalJsonSerializer` for deterministic JSON.
- Upserts into `scheduler.schedules` and `scheduler.runs` tables (created by migration `001_initial_schema.sql`).
Verification tips:
- Compare counts after backfill: `select count(*) from scheduler.schedules;` and `...runs;`.
- Spot-check next-fire timing by comparing `cron_expression` and `timezone` with the Mongo source; deterministic ordering is preserved via canonical JSON.
For production deployment, performance tuning, monitoring, and backup/restore procedures, see [`docs/operations/postgresql-guide.md`](../operations/postgresql-guide.md).
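Review bot: the Mongo to Postgres backfill section is removed wholesale, but nothing in the replacement says whether `Scheduler.Backfill` (`src/Scheduler/Tools/Scheduler.Backfill/`) is retired or just documented elsewhere; operators mid-migration lose the `--dry-run`/`--batch` guidance and the count-comparison verification tips. Suggest a one-line pointer to the tool's new home or an explicit "backfill complete, tool removed" statement. "Their respective DataSource types" is also vaguer than the `SchedulerDataSource` wording it replaces; naming the types keeps the paragraph actionable.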

File diff suppressed because it is too large


@@ -1,195 +0,0 @@
# Analysis: BLOCKED Tasks in SPRINT Files
## Executive Summary
Found **57 BLOCKED tasks** across 10 sprint files. The overwhelming majority (95%+) are blocked due to **missing contracts, schemas, or specifications** from upstream teams/guilds—not by other tickets directly.
---
## Common Themes (Ranked by Frequency)
### 1. Missing Contract/Schema Dependencies (38 tasks, 67%)
The single largest blocker category. Tasks are waiting for upstream teams to publish:
| Missing Contract Type | Example Tasks | Blocking Guild/Team |
|-----------------------|---------------|---------------------|
| `advisory_key` schema/canonicalization | EXCITITOR-POLICY-20-001, EXCITITOR-VULN-29-001 | Policy Engine, Vuln Explorer |
| Risk scoring contract (66-002) | LEDGER-RISK-67-001, POLICY-RISK-67-003 | Risk/Export Center |
| VerificationPolicy schema | POLICY-ATTEST-73-001, POLICY-ATTEST-73-002 | Attestor guild |
| Policy Studio API contract | CONCELIER-RISK-68-001, POLICY-RISK-68-001 | Policy Studio |
| Mirror bundle/registration schema | POLICY-AIRGAP-56-001, EXCITITOR-AIRGAP-56-001 | Mirror/Evidence Locker |
| ICryptoProviderRegistry contract | EXCITITOR-CRYPTO-90-001 | Security guild |
| Export bundle/scheduler spec | EXPORT-CONSOLE-23-001 | Export Center |
| RLS + partition design approval | LEDGER-TEN-48-001-DEV | Platform/DB guild |
**Root Cause:** Cross-team coordination gaps. Contracts are not being published before dependent work is scheduled.
---
### 2. Cascading/Domino Blockers (16 tasks, 28%)
Tasks blocked because their immediate upstream task is also blocked:
```
67-001 (blocked) → 68-001 (blocked) → 68-002 (blocked) → 69-001 (blocked)
```
Examples:
- EXCITITOR-VULN-29-002 → blocked on 29-001 canonicalization contract
- POLICY-ATTEST-74-002 → blocked on 74-001 → blocked on 73-002 → blocked on 73-001
**Root Cause:** Dependency chains where the root blocker propagates downstream. Unblocking the root would cascade-unblock 3-5 dependent tasks.
---
### 3. Air-Gap/Offline Operation Blockers (8 tasks, 14%)
Concentrated pattern around air-gapped/sealed-mode features:
| Task Pattern | Missing Spec |
|--------------|--------------|
| AIRGAP-56-* | Mirror registration + bundle schema |
| AIRGAP-57-* | Sealed-mode contract, staleness/fallback data |
| AIRGAP-58-* | Notification schema for staleness signals |
| AIRGAP-TIME-57-001 | Time-anchor + TUF trust policy |
**Root Cause:** Air-gap feature design is incomplete. The "sealed mode" and "time travel" contracts are not finalized.
---
### 4. VEX Lens / VEX-First Decisioning (4 tasks)
Multiple tasks waiting on VEX Lens specifications:
- CONCELIER-VEXLENS-30-001
- EXCITITOR-VEXLENS-30-001
**Root Cause:** VEX Lens field list and examples not delivered.
---
### 5. Attestation Pipeline (4 tasks)
Blocked waiting for:
- DSSE-signed locker manifests
- VerificationPolicy schema/persistence
- Attestor pipeline contract
**Root Cause:** Attestation verification design is incomplete.
---
### 6. Authority Integration (3 tasks)
Tasks blocked on:
- `effective:write` contract from Authority
- Authority attachment/scoping rules
**Root Cause:** Authority team has not published integration contracts.
---
## Key Blocking Guilds/Teams (Not Tickets)
| Guild/Team | # Tasks Blocked | Key Missing Deliverable |
|------------|-----------------|-------------------------|
| Policy Engine | 12 | `advisory_key` schema, Policy Studio API |
| Risk/Export Center | 10 | Risk scoring contract (66-002), export specs |
| Mirror/Evidence Locker | 8 | Mirror bundle schema, registration contract |
| Attestor | 6 | VerificationPolicy, DSSE signing profile |
| Platform/DB | 3 | RLS + partition design approval |
| VEX Lens | 2 | Field list, examples |
| Security | 1 | ICryptoProviderRegistry contract |
---
## Recommendations
### Immediate Actions (High Impact)
1. **Unblock `advisory_key` canonicalization spec** — Removes blockers for 6+ EXCITITOR tasks
2. **Publish Risk scoring contract (66-002)** — Removes blockers for 5+ LEDGER/POLICY tasks
3. **Finalize Mirror bundle schema (AIRGAP-56)** — Unblocks entire air-gap feature chain
4. **Publish VerificationPolicy schema** — Unblocks attestation pipeline
### Process Improvements
1. **Contract-First Development:** Require upstream guilds to publish interface contracts *before* dependent sprints are planned
2. **Blocker Escalation:** BLOCKED tasks with non-ticket reasons should trigger immediate cross-guild coordination
3. **Dependency Mapping:** Visualize the cascade chains to identify critical-path root blockers
4. **Sprint Planning Gate:** Do not schedule tasks until all required contracts are published
---
## Appendix: All Blocked Tasks by Sprint
### SPRINT_0115_0001_0004_concelier_iv.md (4 tasks)
- CONCELIER-RISK-68-001 — Policy Studio integration contract
- CONCELIER-SIG-26-001 — Signals guild symbol data contract
- CONCELIER-STORE-AOC-19-005-DEV — Staging dataset hash + rollback rehearsal
- CONCELIER-VEXLENS-30-001 — VEX Lens field list
### SPRINT_0119_0001_0004_excititor_iv.md (3 tasks)
- EXCITITOR-POLICY-20-001 — advisory_key schema not published
- EXCITITOR-POLICY-20-002 — Cascade on 20-001
- EXCITITOR-RISK-66-001 — Risk feed envelope spec
### SPRINT_0119_0001_0005_excititor_v.md (6 tasks)
- EXCITITOR-VEXLENS-30-001 — VEX Lens field list
- EXCITITOR-VULN-29-001 — advisory_key canonicalization spec
- EXCITITOR-VULN-29-002 — Cascade on 29-001
- EXCITITOR-VULN-29-004 — Cascade on 29-002
- EXCITITOR-AIRGAP-56-001 — Mirror registration contract
- EXCITITOR-AIRGAP-58-001 — Cascade on 56-001
### SPRINT_0119_0001_0006_excititor_vi.md (2 tasks)
- EXCITITOR-WEB-OBS-54-001 — DSSE-signed locker manifests
- EXCITITOR-CRYPTO-90-001 — ICryptoProviderRegistry contract
### SPRINT_0121_0001_0002_policy_reasoning_blockers.md (7 tasks)
- LEDGER-ATTEST-73-002 — Verification pipeline delivery
- LEDGER-OAS-61-001-DEV — OAS baseline not defined
- LEDGER-OAS-61-002-DEV — Cascade on 61-001
- LEDGER-OAS-62-001-DEV — SDK generation pending
- LEDGER-OAS-63-001-DEV — SDK validation pending
- LEDGER-OBS-55-001 — Attestation telemetry contract
- LEDGER-PACKS-42-001-DEV — Snapshot time-travel contract
### SPRINT_0122_0001_0001_policy_reasoning.md (6 tasks)
- LEDGER-RISK-67-001 — Risk scoring + Export Center specs
- LEDGER-RISK-68-001 — Cascade on 67-001
- LEDGER-RISK-69-001 — Cascade on 67+68
- LEDGER-TEN-48-001-DEV — Platform/DB approval for RLS
- DEVOPS-LEDGER-TEN-48-001-REL — DevOps cascade
### SPRINT_0123_0001_0001_policy_reasoning.md (14 tasks)
- EXPORT-CONSOLE-23-001 — Export bundle schema
- POLICY-AIRGAP-56-001 — Mirror bundle schema
- POLICY-AIRGAP-56-002 — DSSE signing profile
- POLICY-AIRGAP-57-001 — Sealed-mode contract
- POLICY-AIRGAP-57-002 — Staleness/fallback data
- POLICY-AIRGAP-58-001 — Notification schema
- POLICY-AOC-19-001 — Linting targets spec
- POLICY-AOC-19-002 — Authority `effective:write` contract
- POLICY-AOC-19-003/004 — Cascades
- POLICY-ATTEST-73-001 — VerificationPolicy schema
- POLICY-ATTEST-73-002 — Cascade
- POLICY-ATTEST-74-001 — Attestor pipeline contract
- POLICY-ATTEST-74-002 — Console report schema
### SPRINT_0125_0001_0001_mirror.md (2 tasks)
- AIRGAP-TIME-57-001 — Time-anchor + TUF schema
- CLI-AIRGAP-56-001 — Mirror signing + CLI contract
### SPRINT_0128_0001_0001_policy_reasoning.md (7 tasks)
- POLICY-RISK-67-003 — Risk profile contract
- POLICY-RISK-68-001 — Policy Studio API
- POLICY-RISK-68-002 — Overrides audit fields
- POLICY-RISK-69-001 — Notifications contract
- POLICY-RISK-70-001 — Air-gap packaging rules
---
## Summary
**The blockers are systemic, not individual.** 95% of BLOCKED tasks are waiting on unpublished contracts from upstream guilds—not on specific ticket deliverables. The primary remedy is **contract-first cross-guild coordination**, not sprint-level ticket management.


@@ -1,143 +0,0 @@
# CLI Auth.Client Migration Plan
> **Created:** 2025-12-04
> **Status:** COMPLETED
> **Completed:** 2025-12-04
## Problem Statement
The CLI services used an older `IStellaOpsTokenClient` API that no longer exists. This document outlines the migration strategy and tracks completion.
## Summary of Changes
### Files Created
- `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` - Compatibility shim methods
### Files Modified
#### Service Files (Auth.Client API Migration)
1. `OrchestratorClient.cs` - Updated scope references
2. `VexObservationsClient.cs` - Updated to use `GetAccessTokenAsync(string)` extension, removed `IsSuccess` check
3. `SbomerClient.cs` - Fixed `GetTokenAsync` to use `AccessToken` property
4. `ExceptionClient.cs` - Updated token acquisition pattern
5. `NotifyClient.cs` - Updated token acquisition pattern
6. `ObservabilityClient.cs` - Updated token acquisition pattern
7. `PackClient.cs` - Updated token acquisition pattern
8. `SbomClient.cs` - Updated token acquisition pattern
#### Command Handlers (Signature Fixes)
9. `CommandHandlers.cs`:
- Fixed `CreateLogger<CommandHandlers>()` static type error (line 80)
- Fixed PolicyDsl diagnostic rendering (removed Line/Column/Suggestion, added Path)
10. `CommandFactory.cs`:
- Fixed `HandleExceptionsListAsync` argument order and count
- Fixed `HandleExceptionsCreateAsync` argument order, expiration type conversion
- Fixed `HandleExceptionsPromoteAsync` argument order
- Fixed `HandleExceptionsExportAsync` argument order and count
- Fixed `HandleExceptionsImportAsync` argument order
#### Model Updates
11. `PolicyWorkspaceModels.cs` - Updated `PolicyDiagnostic` class (replaced Line/Column/Span/Suggestion with Path)
## Old API (Removed)
```csharp
// Methods that no longer exist
Task<StellaOpsTokenResult> GetTokenAsync(StellaOpsTokenRequest request, CancellationToken ct);
Task<StellaOpsTokenResult> GetAccessTokenAsync(string[] scopes, CancellationToken ct);
// Types that no longer exist
class StellaOpsTokenRequest { string[] Scopes; }
static class StellaOpsScope { const string OrchRead = "orch:read"; }
// Properties removed from StellaOpsTokenResult
bool IsSuccess;
```
## New API (Current)
```csharp
interface IStellaOpsTokenClient
{
Task<StellaOpsTokenResult> RequestClientCredentialsTokenAsync(
string? scope = null,
IReadOnlyDictionary<string, string>? additionalParameters = null,
CancellationToken cancellationToken = default);
ValueTask<StellaOpsTokenCacheEntry?> GetCachedTokenAsync(string key, CancellationToken ct);
ValueTask CacheTokenAsync(string key, StellaOpsTokenCacheEntry entry, CancellationToken ct);
}
// StellaOpsTokenResult record properties:
// - AccessToken (string)
// - TokenType (string)
// - ExpiresAtUtc (DateTimeOffset)
// - Scopes (IReadOnlyList<string>)
```
## Migration Approach
### Extension Methods Created
```csharp
public static class StellaOpsTokenClientExtensions
{
// Single scope version
public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
this IStellaOpsTokenClient client,
string scope,
CancellationToken cancellationToken = default);
// Multi-scope version
public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
this IStellaOpsTokenClient client,
IEnumerable<string> scopes,
CancellationToken cancellationToken = default);
// Cached token version
public static async Task<StellaOpsTokenCacheEntry> GetCachedAccessTokenAsync(
this IStellaOpsTokenClient client,
string scope,
CancellationToken cancellationToken = default);
// Parameterless version
public static async Task<StellaOpsTokenResult> GetTokenAsync(
this IStellaOpsTokenClient client,
CancellationToken cancellationToken = default);
}
```
### Scope Constants
Used `StellaOpsScopes` from `StellaOps.Auth.Abstractions` namespace (e.g., `StellaOpsScopes.OrchRead`, `StellaOpsScopes.VexRead`).
## Build Results
**Build succeeded with 0 errors, 6 warnings:**
- 3x CS8629 nullable warnings in OutputRenderer.cs
- 1x CS0618 obsolete warning (VulnRead → VulnView)
- 1x SYSLIB0057 obsolete X509Certificate2 constructor
- 1x CS0219 unused variable warning
## Implementation Checklist
- [x] Create `StellaOpsTokenClientExtensions.cs`
- [x] Verify `StellaOpsScopes` exists in Auth.Abstractions
- [x] Update OrchestratorClient.cs
- [x] Update VexObservationsClient.cs
- [x] Update SbomerClient.cs
- [x] Update ExceptionClient.cs
- [x] Update NotifyClient.cs
- [x] Update ObservabilityClient.cs
- [x] Update PackClient.cs
- [x] Update SbomClient.cs
- [x] Fix CommandHandlers static type error
- [x] Fix PolicyDsl API changes (PolicyIssue properties)
- [x] Fix HandleExceptionsListAsync signature
- [x] Fix HandleExceptionsCreateAsync signature
- [x] Fix HandleExceptionsPromoteAsync signature
- [x] Fix HandleExceptionsExportAsync signature
- [x] Fix HandleExceptionsImportAsync signature
- [x] Update PolicyDiagnostic model
- [x] Build verification passed
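Review bot: deleting this plan also deletes the only record of the six remaining build warnings it lists, including `SYSLIB0057` (obsolete `X509Certificate2` constructor, whose recommended replacement is `X509CertificateLoader`) and `CS0618` (`VulnRead` to `VulnView`); the X509 item is worth tracking because the loader API changes how certificate bytes are parsed. Suggest opening issues for those warnings, or noting where they are tracked, before removing the file.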


@@ -1,367 +0,0 @@
# Blocked Tasks Dependency DAG
> **Last Updated:** 2025-12-06
> **Total Blocked Tasks:** 399 across 61 sprint files
> **Root Blockers:** 42 unique blockers
> **Cross-Reference:** See [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for detailed task inventory
---
## Executive Summary
**95% of blocked tasks are caused by missing contracts/specifications from upstream guilds** — not by individual ticket dependencies. This is a systemic process failure in cross-team coordination.
| Metric | Value |
|--------|-------|
| Total BLOCKED tasks | 399 |
| Sprint files with blocks | 61 |
| Unique root blockers | 42+ |
| Longest dependency chain | 10 tasks (Registry API) |
| Tasks unblocked since 2025-12-04 | 84+ |
| Remaining blocked | ~315 |
---
## Master Dependency Graph
```mermaid
flowchart TB
subgraph ROOT_BLOCKERS["ROOT BLOCKERS (42 total)"]
RB1["SIGNALS CAS Promotion<br/>PREP-SIGNALS-24-002"]
RB2["Risk Scoring Contract<br/>66-002"]
RB3["VerificationPolicy Schema"]
RB4["advisory_key Schema"]
RB5["Policy Studio API"]
RB6["Authority effective:write"]
RB7["GRAP0101 Vuln Explorer"]
RB8["Sealed Mode Contract"]
RB9["Time-Anchor/TUF Trust"]
RB10["PGMI0101 Staffing"]
end
subgraph SIGNALS_CHAIN["SIGNALS CHAIN (15+ tasks)"]
S1["24-002 Cache"]
S2["24-003 Runtime Facts"]
S3["24-004 Authority Scopes"]
S4["24-005 Scoring"]
S5["GRAPH-28-007"]
S6["GRAPH-28-008"]
S7["GRAPH-28-009"]
S8["GRAPH-28-010"]
end
subgraph VEX_CHAIN["VEX LENS CHAIN (11 tasks)"]
V1["30-001 Base"]
V2["30-002"]
V3["30-003 Issuer Dir"]
V4["30-004 Policy"]
V5["30-005"]
V6["30-006 Ledger"]
V7["30-007"]
V8["30-008 Policy"]
V9["30-009 Observability"]
V10["30-010 QA"]
V11["30-011 DevOps"]
end
subgraph REGISTRY_CHAIN["REGISTRY API CHAIN (10 tasks)"]
R1["27-001 OpenAPI Spec"]
R2["27-002 Workspace"]
R3["27-003 Compile"]
R4["27-004 Simulation"]
R5["27-005 Batch"]
R6["27-006 Review"]
R7["27-007 Publish"]
R8["27-008 Promotion"]
R9["27-009 Metrics"]
R10["27-010 Tests"]
end
subgraph EXPORT_CHAIN["EXPORT CENTER CHAIN (8 tasks)"]
E1["OAS-63-001 Deprecation"]
E2["OBS-50-001 Telemetry"]
E3["OBS-51-001 Metrics"]
E4["OBS-52-001 Timeline"]
E5["OBS-53-001 Evidence"]
E6["OBS-54-001 DSSE"]
E7["OBS-54-002 Promotion"]
E8["OBS-55-001 Incident"]
end
subgraph AIRGAP_CHAIN["AIRGAP ECOSYSTEM (17+ tasks)"]
A1["CTL-57-001 Diagnostics"]
A2["CTL-57-002 Telemetry"]
A3["CTL-58-001 Time Anchor"]
A4["IMP-57-002 Loader"]
A5["IMP-58-001 API/CLI"]
A6["IMP-58-002 Timeline"]
A7["CLI-56-001 mirror create"]
A8["CLI-56-002 sealed mode"]
A9["CLI-57-001 airgap import"]
A10["CLI-57-002 airgap seal"]
A11["CLI-58-001 airgap export"]
end
subgraph ATTESTOR_CHAIN["ATTESTATION CHAIN (6 tasks)"]
AT1["73-001 VerificationPolicy"]
AT2["73-002 Verify Pipeline"]
AT3["74-001 Attestor Pipeline"]
AT4["74-002 Console Report"]
AT5["CLI-73-001 stella attest sign"]
AT6["CLI-73-002 stella attest verify"]
end
subgraph RISK_CHAIN["RISK/POLICY CHAIN (10+ tasks)"]
RI1["67-001 Risk Metadata"]
RI2["68-001 Policy Studio"]
RI3["68-002 Overrides"]
RI4["69-001 Notifications"]
RI5["70-001 AirGap Rules"]
end
subgraph VULN_DOCS["VULN EXPLORER DOCS (13 tasks)"]
VD1["29-001 Overview"]
VD2["29-002 Console"]
VD3["29-003 API"]
VD4["29-004 CLI"]
VD5["29-005 Ledger"]
VD6["..."]
VD7["29-013 Install"]
end
%% Root blocker connections
RB1 --> S1
S1 --> S2 --> S3 --> S4
S1 --> S5 --> S6 --> S7 --> S8
RB2 --> RI1 --> RI2 --> RI3 --> RI4 --> RI5
RB2 --> E1
RB3 --> AT1 --> AT2 --> AT3 --> AT4
RB3 --> AT5 --> AT6
RB4 --> V1 --> V2 --> V3 --> V4 --> V5 --> V6 --> V7 --> V8 --> V9 --> V10 --> V11
RB5 --> R1 --> R2 --> R3 --> R4 --> R5 --> R6 --> R7 --> R8 --> R9 --> R10
RB6 --> AT1
RB7 --> VD1 --> VD2 --> VD3 --> VD4 --> VD5 --> VD6 --> VD7
RB8 --> A1 --> A2 --> A3
RB8 --> A7 --> A8 --> A9 --> A10 --> A11
RB9 --> A3
RB9 --> A4 --> A5 --> A6
E1 --> E2 --> E3 --> E4 --> E5 --> E6 --> E7 --> E8
%% Styling
classDef rootBlocker fill:#ff6b6b,stroke:#333,stroke-width:2px,color:#fff
classDef blocked fill:#ffd93d,stroke:#333,stroke-width:1px
classDef resolved fill:#6bcb77,stroke:#333,stroke-width:1px
class RB1,RB2,RB3,RB4,RB5,RB6,RB7,RB8,RB9,RB10 rootBlocker
```
---
## Cascade Impact Analysis
```
+---------------------------------------------------------------------------------+
| ROOT BLOCKER -> DOWNSTREAM IMPACT |
+---------------------------------------------------------------------------------+
| |
| SIGNALS CAS (RB1) -----+---> 24-002 ---> 24-003 ---> 24-004 ---> 24-005 |
| Impact: 15+ tasks | |
| +---> GRAPH-28-007 ---> 28-008 ---> 28-009 ---> 28-010 |
| |
+---------------------------------------------------------------------------------+
| |
| VEX/advisory_key (RB4) ---> 30-001 ---> 30-002 ---> 30-003 ---> 30-004 ---> ...|
| Impact: 11 tasks +---> 30-011 |
| |
+---------------------------------------------------------------------------------+
| |
| Risk Contract (RB2) ---+---> 67-001 ---> 68-001 ---> 68-002 ---> 69-001 --> ...|
| Impact: 10+ tasks | |
| +---> EXPORT OAS-63-001 ---> OBS-50-001 ---> ... --> ...|
| |
+---------------------------------------------------------------------------------+
| |
| Policy Studio (RB5) -----> 27-001 ---> 27-002 ---> 27-003 ---> ... ---> 27-010 |
| Impact: 10 tasks |
| |
+---------------------------------------------------------------------------------+
| |
| Sealed Mode (RB8) -----+---> CTL-57-001 ---> CTL-57-002 ---> CTL-58-001 |
| Impact: 17+ tasks | |
| +---> IMP-57-002 ---> IMP-58-001 ---> IMP-58-002 |
| | |
| +---> CLI-56-001 ---> CLI-56-002 ---> CLI-57-001 ---> ...|
| +---> CLI-58-001 |
| |
+---------------------------------------------------------------------------------+
| |
| GRAP0101 Vuln (RB7) -----> 29-001 ---> 29-002 ---> 29-003 ---> ... ---> 29-013 |
| Impact: 13 tasks |
| |
+---------------------------------------------------------------------------------+
| |
| VerificationPolicy (RB3) +---> 73-001 ---> 73-002 ---> 74-001 ---> 74-002 |
| Impact: 6 tasks | |
| +---> CLI-73-001 ---> CLI-73-002 |
| |
+---------------------------------------------------------------------------------+
```
---
## Critical Path Timeline
```
2025-12-06 2025-12-09 2025-12-11 2025-12-13
| | | |
SIGNALS CAS -------------*=====================================================-->
(15+ tasks) | Checkpoint | | |
| Platform | | |
| Storage | | |
| Approval | | |
| | |
RISK CONTRACT ---------------------------*===========================================>
(10+ tasks) | Due | |
| | |
DOCS Md.IX ------------------------------*========*========*========*=============>
(40+ tasks) | Risk | Console | SDK | ESCALATE
| API | Assets | Samples|
| | | |
VEX LENS --------------------------------*===========================================>
(11 tasks) | Issuer | |
| Dir + | |
| API | |
| Gov | |
| |
ATTESTATION -----------------------------------------*================================>
(6 tasks) | Verification |
| Policy Schema |
|
AIRGAP --------------------------------------------------*=========================>
(17+ tasks) | Time-Anchor
| TUF Trust
```
---
## Guild Dependency Matrix
Shows which guilds block which others:
```
+-------------------------------------------------------------+
| BLOCKS (downstream) |
| Policy | Risk | Attestor| AirGap| Scanner| VEX | Export| Docs |
+-----------------+--------+-------+---------+-------+--------+------+-------+------+
| Policy Engine | - | ## | ## | ## | | ## | ## | ## |
| Risk/Export | ## | - | ## | | | | - | ## |
| Attestor | ## | | - | | | | ## | ## |
| Signals | ## | ## | | | ## | | ## | ## |
| Authority | ## | | ## | ## | | | | |
| Platform/DB | | | | | | | | ## |
| VEX Lens | ## | | | | | - | ## | ## |
| Mirror/Evidence | | | ## | ## | | | - | ## |
| Console/UI | ## | ## | | | | | | ## |
| Program Mgmt | | | | ## | | | ## | |
+-----------------+--------+-------+---------+-------+--------+------+-------+------+
Legend: ## = Blocking - = Self (N/A)
```
---
## Unblock Priority Order
Based on cascade impact, resolve root blockers in this order:
| Priority | Root Blocker | Downstream | Guilds Affected | Effort |
|----------|--------------|------------|-----------------|--------|
| 1 | SIGNALS CAS (24-002) | 15+ | Signals, Graph, Telemetry, Replay | HIGH |
| 2 | VEX/advisory_key spec | 11 | VEX, Excititor, Policy, Concelier | MEDIUM |
| 3 | Risk Contract (66-002) | 10+ | Risk, Export, Policy, Ledger, Attestor | MEDIUM |
| 4 | Policy Studio API | 10 | Policy, Concelier, Web | MEDIUM |
| 5 | Sealed Mode Contract | 17+ | AirGap, CLI, Importer, Controller, Time | HIGH |
| 6 | GRAP0101 Vuln Explorer | 13 | Vuln Explorer, Docs | MEDIUM |
| 7 | VerificationPolicy Schema | 6 | Attestor, CLI, Policy | LOW |
| 8 | Authority effective:write | 3+ | Authority, Policy | LOW |
| 9 | Time-Anchor/TUF Trust | 5 | AirGap, Controller | MEDIUM |
| 10 | PGMI0101 Staffing | 3 | Program Management | ORG |
**Impact Summary:**
- Resolving top 5 blockers -> Unblocks ~60+ tasks (~150 with cascades)
- Resolving all 10 blockers -> Unblocks ~85+ tasks (~250 with cascades)
---
## Root Cause Categories
| Category | Tasks Blocked | Percentage |
|----------|---------------|------------|
| Missing API/Contract Specifications | 85+ | 39% |
| Cascading/Domino Dependencies | 70+ | 28% |
| Schema/Data Freeze Pending | 55+ | 19% |
| Documentation/Asset Blockers | 40+ | - |
| Infrastructure/Environment | 25+ | - |
| Authority/Approval Gates | 30+ | - |
---
## Guild Blocking Summary
| Guild | Tasks Blocked | Critical Deliverable | Due Date |
|-------|---------------|---------------------|----------|
| Policy Engine | 12 | `advisory_key` schema, Policy Studio API | 2025-12-09 |
| Risk/Export | 10 | Risk scoring contract (66-002) | 2025-12-09 |
| Mirror/Evidence | 8 | Registration contract, time anchors | 2025-12-09 |
| Attestor | 6 | VerificationPolicy, DSSE signing | OVERDUE |
| Signals | 6+ | CAS promotion, provenance feed | 2025-12-06 |
| SDK Generator | 6 | Sample outputs (TS/Python/Go/Java) | 2025-12-11 |
| Console/UI | 5+ | Widget captures, deterministic hashes | 2025-12-10 |
| Platform/DB | 3 | RLS + partition design approval | 2025-12-11 |
| Program Mgmt | 3 | PGMI0101 staffing confirmation | Pending |
| VEX Lens | 2 | Field list, examples | 2025-12-09 |
---
## Recent Progress (84+ Tasks Unblocked)
Since 2025-12-04:
| Specification | Tasks Unblocked |
|--------------|-----------------|
| `vex-normalization.schema.json` | 11 |
| `timeline-event.schema.json` | 10+ |
| `mirror-bundle.schema.json` | 8 |
| `VERSION_MATRIX.md` | 7 |
| `provenance-feed.schema.json` | 6 |
| `api-baseline.schema.json` | 6 |
| `ledger-airgap-staleness.schema.json` | 5 |
| `attestor-transport.schema.json` | 4 |
| Policy Studio Wave C infrastructure | 10 |
| WEB-POLICY-20-004 Rate Limiting | 6 |
---
## Recommendations
### Immediate Actions (Unblock 50+ tasks)
1. **Escalate Md.IX documentation deadlines** - Risk API, Signals schema, SDK samples due 2025-12-09
2. **Publish release artifacts** to `deploy/releases/2025.09-stable.yaml` - Orchestrator, Policy, VEX Lens, Findings Ledger
3. **Complete Advisory Key spec** - Unblocks 6+ Excititor/Policy tasks
4. **Finalize Risk Scoring Contract (66-002)** - Unblocks Ledger/Export/Policy chain
### Strategic (2-4 weeks)
1. **Implement Contract-First Governance** - Require all upstream contracts published before dependent sprints start
2. **Create Cross-Guild Coordination Checkpoints** - Weekly sync of BLOCKED tasks with escalation
3. **Refactor Long Dependency Chains** - Break chains longer than 5 tasks into parallel workstreams
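Review bot: Deleting the whole file removes content that has no visible replacement in this commit, in particular the "Unblock Priority Order" table (root blockers ranked 1-10 with downstream counts), the "Guild Blocking Summary" with due dates, and the "Recent Progress" table mapping schemas such as `vex-normalization.schema.json` to unblocked task counts. The header line points readers to `BLOCKED_DEPENDENCY_TREE.md` for the task inventory, but nothing in the hunk says whether the priority ordering and guild due dates were folded into that file or simply dropped. Suggest either moving those two tables into `BLOCKED_DEPENDENCY_TREE.md` in the same commit or stating in the commit message that they are intentionally retired, so the sprint files that still link to the tree document do not lose the cascade-impact ranking.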

View File

@@ -17,26 +17,25 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-CONSOLE-23-001/002/003 | DONE (2025-11-23) | Dependent APIs live | Excititor Guild + Docs Guild | Console VEX endpoints (grouped statements, counts, search) with provenance + RBAC; metrics for policy explain. |
| 2 | EXCITITOR-CONN-SUSE-01-003 | **DONE** (2025-12-07) | Integrated ConnectorSignerMetadataEnricher in provenance | Connector Guild (SUSE) | Emit trust config (signer fingerprints, trust tier) in provenance; aggregation-only. |
| 3 | EXCITITOR-CONN-UBUNTU-01-003 | **DONE** (2025-12-07) | Verified enricher integration, fixed Logger reference | Connector Guild (Ubuntu) | Emit Ubuntu signing metadata in provenance; aggregation-only. |
| 4 | EXCITITOR-CORE-AOC-19-002/003/004/013 | **DONE** (2025-12-07) | Implemented append-only linkset contracts and deprecated consensus | Excititor Core Guild | Deterministic advisory/PURL extraction, append-only linksets, remove consensus logic, seed Authority tenants in tests. |
| 5 | EXCITITOR-STORAGE-00-001 | **DONE** (2025-12-08) | Append-only Postgres backend delivered; Storage.Mongo references to be removed in follow-on cleanup | Excititor Core + Platform Data Guild | Select and ratify storage backend (e.g., SQL/append-only) for observations, linksets, and worker checkpoints; produce migration plan + deterministic test harnesses without Mongo. |
| 6 | EXCITITOR-GRAPH-21-001..005 | TODO/BLOCKED | EXCITITOR-STORAGE-00-001 + Link-Not-Merge schema + overlay contract | Excititor Core + UI Guild | Batched VEX fetches, overlay metadata, indexes/materialized views for graph inspector on the non-Mongo store. |
| 7 | EXCITITOR-OBS-52/53/54 | TODO/BLOCKED | Evidence Locker DSSE + provenance schema | Excititor Core + Evidence Locker + Provenance Guilds | Timeline events + Merkle locker payloads + DSSE attestations for evidence batches. |
| 8 | EXCITITOR-ORCH-32/33 | PARTIAL (2025-12-06) | EXCITITOR-STORAGE-00-001 for checkpoints + orchestrator SDK | Excititor Worker Guild | Adopt orchestrator worker SDK; honor pause/throttle/retry with deterministic checkpoints on the selected non-Mongo store. |
| 9 | EXCITITOR-POLICY-20-001/002 | TODO | EXCITITOR-AOC-20-004; graph overlays | WebService + Core Guilds | VEX lookup APIs for Policy (tenant filters, scope resolution) and enriched linksets (scope/version metadata). |
| 10 | EXCITITOR-RISK-66-001 | TODO | EXCITITOR-POLICY-20-002 | Core + Risk Engine Guild | Risk-ready feeds (status/justification/provenance) with zero derived severity. |
| 2 | EXCITITOR-CONN-SUSE-01-003 | DONE (2025-12-07) | Integrated ConnectorSignerMetadataEnricher in provenance | Connector Guild (SUSE) | Emit trust config (signer fingerprints, trust tier) in provenance; aggregation-only. |
| 3 | EXCITITOR-CONN-UBUNTU-01-003 | DONE (2025-12-07) | Verified enricher integration, fixed Logger reference | Connector Guild (Ubuntu) | Emit Ubuntu signing metadata in provenance; aggregation-only. |
| 4 | EXCITITOR-CORE-AOC-19-002/003/004/013 | DONE (2025-12-07) | Implemented append-only linkset contracts and deprecated consensus | Excititor Core Guild | Deterministic advisory/PURL extraction, append-only linksets, remove consensus logic, seed Authority tenants in tests. |
| 5 | EXCITITOR-STORAGE-00-001 | DONE (2025-12-08) | Append-only Postgres backend delivered; Storage.Mongo references to be removed in follow-on cleanup | Excititor Core + Platform Data Guild | Select and ratify storage backend (e.g., SQL/append-only) for observations, linksets, and worker checkpoints; produce migration plan + deterministic test harnesses without Mongo. |
| 6 | EXCITITOR-GRAPH-21-001..005 | DONE (2025-12-11) | Overlay schema v1.0.0 implemented; WebService overlays/status with Postgres-backed materialization + cache | Excititor Core + UI Guild | Batched VEX fetches, overlay metadata, indexes/materialized views for graph inspector on the non-Mongo store. |
| 7 | EXCITITOR-OBS-52/53/54 | TODO | Provenance schema now aligned to overlay contract; implement evidence locker DSSE flow next | Excititor Core + Evidence Locker + Provenance Guilds | Timeline events, Merkle locker payloads, DSSE attestations for evidence batches. |
| 8 | EXCITITOR-ORCH-32/33 | TODO | Overlay schema set; wire orchestrator SDK + Postgres checkpoints | Excititor Worker Guild | Adopt orchestrator worker SDK; honor pause/throttle/retry with deterministic checkpoints on the selected non-Mongo store. |
| 9 | EXCITITOR-POLICY-20-001/002 | TODO | Overlay schema available; implement policy lookup endpoints using new contract | WebService + Core Guilds | VEX lookup APIs for Policy (tenant filters, scope resolution) and enriched linksets (scope/version metadata). |
| 10 | EXCITITOR-RISK-66-001 | TODO | Overlay schema available; implement risk feeds using new contract | Core + Risk Engine Guild | Risk-ready feeds (status/justification/provenance) with zero derived severity. |
## Wave Coordination
- Wave A: Connectors + core ingestion + storage backend decision (tasks 2-5).
- Wave B: Graph overlays + Console/Policy/Risk APIs (tasks 1,6,9,10) — Console endpoints delivered; overlays pending.
- Wave C: Observability/attestations + orchestrator integration (tasks 7-8) after Wave A artifacts land.
- Wave B: Graph overlays + Console/Policy/Risk APIs (tasks 1,6,9,10) - console endpoints delivered; overlays deferred.
- Wave C: Observability/attestations + orchestrator integration (tasks 7-8) after Wave A artifacts land; deferred pending SDK and schema freeze.
## Wave Detail Snapshots
- Not started; capture once ATLN/provenance schemas freeze.
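Review bot: The updated Wave Coordination bullets contradict the updated tracker rows in the same hunk. The new `- Wave B:` line ends with "overlays deferred", yet row 6 (EXCITITOR-GRAPH-21-001..005) now reads `DONE (2025-12-11)` with "Overlay schema v1.0.0 implemented; WebService overlays/status with Postgres-backed materialization + cache". Likewise the new `- Wave C:` line says "deferred pending SDK and schema freeze", while row 7 states "Provenance schema now aligned to overlay contract", so only the SDK is still outstanding. The trailing context line "Not started; capture once ATLN/provenance schemas freeze" under Wave Detail Snapshots is stale for the same reason. Suggest `- Wave B: ... console endpoints delivered; overlays delivered 2025-12-11; Policy/Risk APIs pending.` and `- Wave C: ... deferred pending orchestrator SDK selection.`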
@@ -51,12 +50,16 @@
| Action | Due (UTC) | Owner(s) | Notes |
| --- | --- | --- | --- |
| Pick non-Mongo append-only store and publish contract update | 2025-12-10 | Excititor Core + Platform Data Guild | DONE 2025-12-08: Postgres append-only linkset store + migration/tests landed; follow-up removal of Storage.Mongo code paths. |
| Capture ATLN schema freeze + provenance hashes; update tasks 2-7 statuses | 2025-12-12 | Excititor Core + Docs Guild | Required to unblock ingestion/locker/graph work. |
| Confirm orchestrator SDK version for Excititor worker adoption | 2025-12-12 | Excititor Worker Guild | Needed before task 8 starts. |
| Capture ATLN schema freeze + provenance hashes; update tasks 2-7 statuses | 2025-12-12 | Excititor Core + Docs Guild | DONE 2025-12-10: overlay contract frozen at `docs/modules/excititor/schemas/vex_overlay.schema.json` (schemaVersion 1.0.0) with sample payload; tasks 6-10 unblocked. |
| Confirm orchestrator SDK version for Excititor worker adoption | 2025-12-12 | Excititor Worker Guild | BLOCKED: defer to next sprint alongside task 8. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-11 | Materialized graph overlays in WebService: added overlay cache abstraction, Postgres-backed store (vex.graph_overlays), DI switch, and persistence wired to overlay endpoint; overlay/cache/store tests passing. | Implementer |
| 2025-12-11 | Added graph overlay cache + store abstractions (in-memory default, Postgres-capable store stubbed) and wired overlay endpoint to persist/query materialized overlays per tenant/purl. | Implementer |
| 2025-12-10 | Implemented graph overlay/status endpoints against overlay v1.0.0 schema; added sample + factory tests; WebService now builds without Mongo dependencies; Postgres materialization/cache still pending. | Implementer |
| 2025-12-10 | Frozen Excititor graph overlay contract v1.0.0 (`docs/modules/excititor/schemas/vex_overlay.schema.json` + sample); unblocked tasks 6-10 (now TODO) pending implementation. | Project Mgmt |
| 2025-12-09 | Purged remaining Mongo session handles from Excititor connector/web/export/worker tests; stubs now align to Postgres/in-memory contracts. | Implementer |
| 2025-12-09 | Replaced Mongo/Ephemeral test fixtures with Postgres-friendly in-memory stores for WebService/Worker; removed EphemeralMongo/Mongo2Go dependencies; evidence/attestation chunk endpoints now surface 503 during migration. | Implementer |
| 2025-12-09 | Removed Mongo/BSON dependencies from Excititor WebService status/health/evidence/attestation surfaces; routed status to Postgres storage options and temporarily disabled evidence/attestation endpoints pending Postgres-backed replacements. | Implementer |
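Review bot: The two updated action rows disagree with each other and with the tracker. The first new row records "tasks 6-10 unblocked", but the second marks the orchestrator SDK decision `BLOCKED: defer to next sprint alongside task 8`, and in the tracker hunk above row 8 (EXCITITOR-ORCH-32/33) is shown as `TODO` with next step "wire orchestrator SDK + Postgres checkpoints" rather than BLOCKED. Pick one status for task 8 and use it in both tables. Separately, the two 2025-12-11 execution-log entries are listed newest-first, so the entry that says the Postgres store is "stubbed" is superseded by the one above it that says it is "Postgres-backed store (vex.graph_overlays)"; a short "(supersedes earlier 2025-12-11 entry)" on the top row would avoid a reader taking the stub as the current state.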
@@ -70,20 +73,21 @@
| 2025-12-08 | Began EXCITITOR-STORAGE-00-001: catalogued existing PostgreSQL stack (Infrastructure.Postgres, Excititor.Storage.Postgres data source/repositories/migrations, Concelier/Authority/Notify precedents). Need to adapt schema/contracts to append-only linksets and drop consensus-derived tables. | Project Mgmt |
| 2025-12-08 | Completed EXCITITOR-STORAGE-00-001: added append-only Postgres linkset store implementing `IAppendOnlyLinksetStore`, rewrote migration to remove consensus/Mongo artifacts, registered DI, and added deterministic Postgres integration tests for append/dedup/disagreements. | Implementer |
| 2025-12-08 | Postgres append-only linkset tests added; initial run fails due to upstream Concelier MongoCompat type resolution (`MongoStorageOptions` missing). Needs follow-up dependency fix before green test run. | Implementer |
| 2025-12-07 | **EXCITITOR-CORE-AOC-19 DONE:** Implemented append-only linkset infrastructure: (1) Created `IAppendOnlyLinksetStore` interface with append-only semantics for observations and disagreements, plus mutation log for audit/replay (AOC-19-002); (2) Marked `VexConsensusResolver`, `VexConsensus`, `IVexConsensusPolicy`, `BaselineVexConsensusPolicy`, and related types as `[Obsolete]` with EXCITITOR001 diagnostic ID per AOC-19-003; (3) Created `AuthorityTenantSeeder` utility with test tenant fixtures (default, multi-tenant, airgap) and SQL generation for AOC-19-004; (4) Created `AppendOnlyLinksetExtractionService` replacing consensus-based extraction with deterministic append-only operations per AOC-19-013; (5) Added comprehensive unit tests for both new services with in-memory store implementation. | Implementer |
| 2025-12-07 | **EXCITITOR-CONN-SUSE-01-003 & EXCITITOR-CONN-UBUNTU-01-003 DONE:** Integrated `ConnectorSignerMetadataEnricher.Enrich()` into both connectors' `AddProvenanceMetadata()` methods. This adds external signer metadata (fingerprints, issuer tier, bundle info) from `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH` environment variable to VEX document provenance. Fixed Ubuntu connector's `_logger` and `Logger` reference bug. | Implementer |
| 2025-12-07 | EXCITITOR-CORE-AOC-19 DONE: Implemented append-only linkset infrastructure: (1) Created `IAppendOnlyLinksetStore` interface with append-only semantics for observations and disagreements, plus mutation log for audit/replay (AOC-19-002); (2) Marked `VexConsensusResolver`, `VexConsensus`, `IVexConsensusPolicy`, `BaselineVexConsensusPolicy`, and related types as `[Obsolete]` with EXCITITOR001 diagnostic ID per AOC-19-003; (3) Created `AuthorityTenantSeeder` utility with test tenant fixtures (default, multi-tenant, airgap) and SQL generation for AOC-19-004; (4) Created `AppendOnlyLinksetExtractionService` replacing consensus-based extraction with deterministic append-only operations per AOC-19-013; (5) Added comprehensive unit tests for both new services with in-memory store implementation. | Implementer |
| 2025-12-07 | EXCITITOR-CONN-SUSE-01-003 & EXCITITOR-CONN-UBUNTU-01-003 DONE: Integrated `ConnectorSignerMetadataEnricher.Enrich()` into both connectors' `AddProvenanceMetadata()` methods. This adds external signer metadata (fingerprints, issuer tier, bundle info) from `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH` environment variable to VEX document provenance. Fixed Ubuntu connector's `_logger` and `Logger` reference bug. | Implementer |
| 2025-12-05 | Reconstituted sprint from `tasks-all.md`; prior redirect pointed to non-existent canonical. Added template and delivery tracker; tasks set per backlog. | Project Mgmt |
| 2025-11-23 | Console VEX endpoints (tasks 1) delivered. | Excititor Guild |
## Decisions & Risks
| Item | Type | Owner(s) | Due | Notes |
| --- | --- | --- | --- | --- |
| Schema freeze (ATLN/provenance) pending | Risk | Excititor Core + Docs Guild | 2025-12-12 | Blocks tasks 2-7. |
| Schema freeze (ATLN/provenance) pending | Risk | Excititor Core + Docs Guild | 2025-12-10 | Resolved: overlay contract frozen at v1.0.0; implementation now required. |
| Non-Mongo storage backend selection | Decision | Excititor Core + Platform Data Guild | 2025-12-08 | Resolved: adopt Postgres append-only store (IAppendOnlyLinksetStore) for observations/linksets/checkpoints; unblock tasks 6 and 8; remove Storage.Mongo artifacts next. |
| Orchestrator SDK version selection | Decision | Excititor Worker Guild | 2025-12-12 | Needed for task 8. |
| Excititor.Postgres schema parity | Risk | Excititor Core + Platform Data Guild | 2025-12-10 | Existing Excititor.Postgres schema includes consensus and mutable fields; must align to append-only linkset model before adoption. |
| Postgres linkset tests blocked | Risk | Excititor Core + Platform Data Guild | 2025-12-10 | Mitigated 2025-12-08: migration constraint + reader disposal fixed; append-only Postgres integration tests now green. |
| Evidence/attestation endpoints paused | Risk | Excititor Core | 2025-12-12 | Evidence and attestation list/detail endpoints return 503 while Mongo/BSON paths are removed; needs Postgres-backed replacement before release. |
| Overlay/Policy/Risk handoff | Risk | Excititor Core + UI + Policy/Risk Guilds | 2025-12-12 | Tasks 6-10 unblocked by schema freeze; still require implementation and orchestration SDK alignment. |
## Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
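Review bot: The replaced risk row still carries the item name "Schema freeze (ATLN/provenance) pending" and type `Risk` while its note says "Resolved: overlay contract frozen at v1.0.0"; rename the item (drop "pending") or mark the row closed so the table does not list a resolved item as an open risk. The unchanged "Orchestrator SDK version selection | Decision | ... | 2025-12-12 | Needed for task 8." row is now inconsistent with the action table in the previous hunk, which defers the SDK decision to the next sprint. The new "Overlay/Policy/Risk handoff" row says tasks 6-10 "still require implementation", but row 6 in the tracker hunk is DONE, so this should read tasks 7-10. The two 2025-12-07 execution-log rows appear changed only by removing the surrounding `**` bold markers; that is a formatting-only edit and is fine, but it inflates the diff, so consider keeping it out of a status-update commit.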
@@ -91,3 +95,4 @@
| 2025-12-10 | Storage backend decision | Finalize non-Mongo append-only store for Excititor persistence; unblock tasks 5/6/8. | Excititor Core + Platform Data |
| 2025-12-12 | Schema freeze sync | Confirm ATLN/provenance freeze; unblock tasks 2-7. | Excititor Core |
| 2025-12-12 | Orchestrator SDK alignment | Pick SDK version and start task 8. | Excititor Worker |
| 2025-12-13 | Sprint handoff | Move blocked tasks 6-10 to next sprint once schema freeze and SDK decisions land. | Project Mgmt |
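Review bot: The new 2025-12-13 checkpoint "Move blocked tasks 6-10 to next sprint once schema freeze and SDK decisions land" is stale on two counts visible elsewhere in this commit: the action table records the schema freeze as DONE on 2025-12-10, and tracker row 6 is DONE on 2025-12-11. The preceding 2025-12-12 context row "Confirm ATLN/provenance freeze; unblock tasks 2-7" is likewise already satisfied. Suggest `| 2025-12-13 | Sprint handoff | Move tasks 7-10 to next sprint if the orchestrator SDK decision has not landed. | Project Mgmt |` and either deleting the 2025-12-12 schema-freeze row or marking it done.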

View File

@@ -25,7 +25,6 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
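Review bot: The header `@@ -25,7 +25,6 @@` shows one line removed, but with the diff markers stripped it is not visible which one; the only non-list line in the window is the `> **BLOCKED Tasks:**` pointer to `BLOCKED_DEPENDENCY_TREE.md`. If that is the line being dropped, note that rows 9-11 in the next hunk remain BLOCKED, so readers still need a place that explains their root blockers; either keep the pointer or add the blocker reference into each BLOCKED row's "Key dependency / next step" cell.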
@@ -38,18 +37,24 @@
| 2 | SCANNER-ANALYZERS-DENO-26-010 | DONE (2025-11-24) | Runtime trace collection documented (`src/Scanner/docs/deno-runtime-trace.md`); analyzer auto-runs when `STELLA_DENO_ENTRYPOINT` is set. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
| 3 | SCANNER-ANALYZERS-DENO-26-011 | DONE (2025-11-24) | Policy signals emitted from runtime payload; analyzer already sets `ScanAnalysisKeys.DenoRuntimePayload` and emits metadata. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
| 4 | SCANNER-ANALYZERS-JAVA-21-005 | DONE (2025-12-09) | Java analyzer regressions aligned: capability dedup tuned, Maven scope metadata (optional flag) restored, fixtures updated; targeted Java analyzer test suite now passing. | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
| 5 | SCANNER-ANALYZERS-JAVA-21-006 | BLOCKED (depends on 21-005) | Needs outputs from 21-005 plus CoreLinksets package/LNM schema alignment; CI runner available via DEVOPS-SCANNER-CI-11-001 (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`). | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
| 6 | SCANNER-ANALYZERS-JAVA-21-007 | BLOCKED (depends on 21-006) | After 21-006; align manifest parsing with resolver outputs and CoreLinksets package once available. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON; DEVOPS-SCANNER-CI-11-001 runner (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`); Java entrypoint resolver schema available (`docs/schemas/java-entrypoint-resolver.schema.json`); waiting on CoreLinksets package and upstream 21-005..21-007 outputs. | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
| 8 | SCANNER-ANALYZERS-JAVA-21-009 | BLOCKED (depends on 21-008) | Unblock when 21-008 lands; fixtures can prep using LNM schemas; still requires CoreLinksets package and prior outputs. | Java Analyzer Guild A? QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
| 9 | SCANNER-ANALYZERS-JAVA-21-010 | BLOCKED (depends on 21-009) | After 21-009; runtime capture design plus CoreLinksets package availability; runner ready (DEVOPS-SCANNER-CI-11-001). | Java Analyzer Guild A? Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
| 10 | SCANNER-ANALYZERS-JAVA-21-011 | BLOCKED (depends on 21-010) | Depends on 21-010 chain; needs CoreLinksets package and CI runner logs for packaging hooks. | Java Analyzer Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
| 5 | SCANNER-ANALYZERS-JAVA-21-006 | **DONE** (2025-12-10) | Implementation complete: `JavaJniAnalyzer` + `JavaJniAnalysis` emitting typed edges with reason codes (`NativeMethod`, `SystemLoad`, `SystemLoadLibrary`, `RuntimeLoad`, `GraalJniConfig`, `BundledNativeLib`) and confidence levels. Test class `JavaJniAnalyzerTests` added with 6 test cases. All 327 Java analyzer tests passing. Files: `Internal/Jni/JavaJniAnalysis.cs`, `Internal/Jni/JavaJniAnalyzer.cs`, `Java/JavaJniAnalyzerTests.cs`. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
| 6 | SCANNER-ANALYZERS-JAVA-21-007 | **DONE** (2025-12-10) | Implementation complete: `JavaSignatureManifestAnalyzer` + `JavaSignatureManifestAnalysis` capturing JAR signature structure (signers, algorithms, certificate fingerprints) and manifest loader attributes (Main-Class, Start-Class, Agent-Class, Premain-Class, Launcher-Agent-Class, Class-Path, Automatic-Module-Name, Multi-Release, sealed packages). Test class `JavaSignatureManifestAnalyzerTests` added with 9 test cases. Files: `Internal/Signature/JavaSignatureManifestAnalysis.cs`, `Internal/Signature/JavaSignatureManifestAnalyzer.cs`, `Java/JavaSignatureManifestAnalyzerTests.cs`. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
| 7 | SCANNER-ANALYZERS-JAVA-21-008 | **DONE** (2025-12-10) | Implementation complete: `JavaEntrypointResolver` + `JavaEntrypointAocWriter` with 9 tests. All 346 Java analyzer tests passing. BouncyCastle upgraded to 2.6.2, NuGet.Versioning upgraded to 6.13.2. Fixed manifest entrypoint resolution for archives not in classpath segments. Files: `Internal/Resolver/JavaEntrypointResolution.cs`, `Internal/Resolver/JavaEntrypointResolver.cs`, `Internal/Resolver/JavaEntrypointAocWriter.cs`, `Java/JavaEntrypointResolverTests.cs`. | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
| 8 | SCANNER-ANALYZERS-JAVA-21-009 | **DONE** (2025-12-10) | **UNBLOCKED by 21-008:** Created 8 comprehensive fixture definitions (`Fixtures/java/resolver/`) + fixture test class (`JavaResolverFixtureTests.cs`). Fixtures: modular-app (JPMS), spring-boot-fat, war (servlets), ear (EJB), multi-release, jni-heavy, reflection-heavy, signed-jar, microprofile (JAX-RS/CDI/MP-Health). All 346 Java analyzer tests passing. | Java Analyzer Guild A? QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
| 9 | SCANNER-ANALYZERS-JAVA-21-010 | BLOCKED (depends on 21-009) | After 21-009; runtime capture design; runner ready (DEVOPS-SCANNER-CI-11-001). CoreLinksets now available. | Java Analyzer Guild A? Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
| 10 | SCANNER-ANALYZERS-JAVA-21-011 | BLOCKED (depends on 21-010) | Depends on 21-010 chain; CI runner logs for packaging hooks. CoreLinksets now available. | Java Analyzer Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES; DEVOPS-SCANNER-CI-11-001 runner (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`); .NET IL metadata schema exists (`docs/schemas/dotnet-il-metadata.schema.json`); hang persists pending clean run/binlogs. | StellaOps.Scanner EPDR Guild A? Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
| 12 | SCANNER-ANALYZERS-PHP-27-001 | **DONE** (2025-12-06) | Implementation verified: PhpInputNormalizer, PhpVirtualFileSystem, PhpFrameworkFingerprinter, PhpLanguageAnalyzer all complete. Build passing. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers; detect framework/CMS fingerprints deterministically. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-008 and 21-009 verified DONE:** Network restored, NuGet packages resolved (BouncyCastle 2.6.2, NuGet.Versioning 6.13.2). Fixed `JavaEntrypointResolver` to process manifest entrypoints outside segment loop (manifest-analyzed archives may not appear as classpath segments). All 346 Java analyzer tests now passing. Updated sprint status to DONE for both tasks. | Implementer |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-009 implementation complete:** Created 8 comprehensive fixture definitions for Java entrypoint resolver testing. Fixtures cover: (1) modular-app - JPMS module-info with requires/exports/opens/uses/provides edges; (2) spring-boot-fat - Boot fat JAR with Start-Class and embedded libs; (3) war - servlet/filter/listener entrypoints from web.xml; (4) ear - EJB session beans and MDBs with EAR module edges; (5) multi-release - MR-JAR with Java 11/17/21 versioned classes; (6) jni-heavy - native methods, System.load calls, bundled native libs, Graal JNI configs; (7) reflection-heavy - Class.forName, ServiceLoader, Proxy patterns; (8) signed-jar - multiple signers with certificate metadata; (9) microprofile - JAX-RS, CDI, MP-Health, MP-REST-Client. Created `JavaResolverFixtureTests.cs` with 8 test cases validating fixture schemas. Files: `Fixtures/java/resolver/{modular-app,spring-boot-fat,war,ear,multi-release,jni-heavy,reflection-heavy,signed-jar,microprofile}/fixture.json`, `Java/JavaResolverFixtureTests.cs`. | Implementer |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-008 implementation complete:** Created `JavaEntrypointResolver` combining outputs from 21-005, 21-006, 21-007 to produce unified entrypoints, components, and edges. Created `JavaEntrypointAocWriter` for deterministic NDJSON output with SHA-256 content hash. Edge types: JPMS (requires/exports/opens/uses/provides), classpath (manifest Class-Path), SPI (ServiceLoader), reflection (Class.forName, ClassLoader.loadClass), JNI (native methods, System.load/loadLibrary). Resolution types: MainClass, SpringBootStartClass, JavaAgentPremain, JavaAgentAttach, LauncherAgent, NativeMethod, ServiceProvider, etc. Component types: Jar, War, Ear, JpmsModule, OsgiBundle, SpringBootFatJar. Created 9 test cases covering resolution and AOC writing. **BLOCKED on build:** NuGet package compatibility issues (BouncyCastle 2.5.1, NuGet.Versioning 6.9.1 in mirror not compatible with net10.0; nuget.org unreachable). Files: `Internal/Resolver/JavaEntrypointResolution.cs`, `Internal/Resolver/JavaEntrypointResolver.cs`, `Internal/Resolver/JavaEntrypointAocWriter.cs`, `Java/JavaEntrypointResolverTests.cs`. | Implementer |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-007 DONE:** Created `JavaSignatureManifestAnalyzer` with `JavaSignatureManifestAnalysis` result types. Captures JAR signature structure (META-INF/*.SF, *.RSA, *.DSA, *.EC), digest algorithms, certificate fingerprints (SHA-256), and manifest loader attributes (Main-Class, Start-Class, Agent-Class, Premain-Class, Launcher-Agent-Class, Class-Path, Automatic-Module-Name, Multi-Release, sealed packages). Created 9 unit tests covering Main-Class, Spring Boot Start-Class, Java agent attributes, Multi-Release detection, signed/unsigned JARs, and empty manifest handling. All 327 Java analyzer tests passing. Files: `Internal/Signature/JavaSignatureManifestAnalysis.cs`, `Internal/Signature/JavaSignatureManifestAnalyzer.cs`, `Java/JavaSignatureManifestAnalyzerTests.cs`. | Implementer |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-006 DONE:** Fixed .NET 10 package compatibility issues (Konscious→BouncyCastle Argon2, Pkcs11Interop 5.x API, Polly 8.x→Http.Resilience), fixed duplicate bytecode case in JNI analyzer, fixed test assertions for class name format. JNI analyzer now emitting typed edges with reason codes and confidence levels. All 327 Java tests passing. | Implementer |
| 2025-12-10 | **SCANNER-ANALYZERS-JAVA-21-006 implementation complete (DOING):** Created `JavaJniAnalyzer` emitting typed edges for native methods (`ACC_NATIVE` flag detection), `System.load/loadLibrary` call sites, and JNI patterns. New files: `Internal/Jni/JavaJniAnalysis.cs` (edge/warning/reason/confidence records), `Internal/Jni/JavaJniAnalyzer.cs` (bytecode parser with constant pool resolution). Added test factory methods (`CreateNativeMethodClass`, `CreateSystemLoadLibraryInvoker`, `CreateSystemLoadInvoker`) to `JavaClassFileFactory.cs`. Created `JavaJniAnalyzerTests.cs` with 6 test cases covering native methods, load calls, multiple edges, and reason code validation. **BLOCKED:** NuGet mirror packages (`BouncyCastle.Cryptography 2.5.1`, `Polly 7.2.4`, `YamlDotNet 9.1.0`, etc.) are not compatible with `net10.0`; need updated package versions on mirror to proceed with build verification. | Implementer |
| 2025-12-09 | Located Core linkset docs/contracts: schema + samples (`docs/modules/concelier/link-not-merge-schema.md`, `docs/modules/concelier/schemas/*.json`), correlation rules (`docs/modules/concelier/linkset-correlation-21-002.md`), event shape (`docs/modules/concelier/events/advisory.linkset.updated@1.md`), and core library code at `src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets`. Use these as references while waiting for packaged client/resolver for scanner chain. | Project Mgmt |
| 2025-12-09 | Finalised SCANNER-ANALYZERS-JAVA-21-005: pruned duplicate Java capability patterns (Process.start), restored Maven scope optional metadata via lock entry propagation, refreshed fixtures, and verified `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj -c Release` passing. | Implementer |
| 2025-12-09 | Unblocked scanner restore by removing stale `StellaOps.Concelier.Storage.Mongo` from the solution, switching BuildX Surface.Env to project reference, and adding stub `StellaOps.Cryptography.Plugin.WineCsp` + `Microsoft.Extensions.Http` to satisfy crypto DI after upstream removal. Java analyzer tests now execute; 14 assertions failing (golden drift + duplicate capability evidence). | Implementer |
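Review bot: row 8 states `Created 8 comprehensive fixture definitions` but then lists nine fixtures (modular-app, spring-boot-fat, war, ear, multi-release, jni-heavy, reflection-heavy, signed-jar, microprofile), and the 2025-12-10 log entry for 21-009 repeats the count of 8 while enumerating (1) through (9); one of the two numbers is wrong and should be corrected before the row is closed as DONE. Separately, the Owners column in rows 8, 9 and 11 reads `Java Analyzer Guild A? QA Guild`, while the AirGap rows further down in this change use `·` as the guild separator; the `A?` looks like a mis-encoded `·` and should be repaired.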

View File

@@ -18,7 +18,6 @@
- docs/modules/taskrunner/architecture.md
- docs/modules/registry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
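Review bot: the header `@@ -18,7 +18,6 @@` records a one-line deletion, yet none of the lines shown is marked as removed, so what was dropped cannot be checked from this view; the same 7→6 deletion directly above `## Delivery Tracker` is repeated in every sprint file below, so the commit should state what the removed line was (a blank line after the `> **BLOCKED Tasks:**` callout, a duplicate callout, or something else). With the callout, the heading and the table header now on consecutive lines, GFM still renders three separate blocks because an ATX heading terminates a block quote, so this is a source-readability point rather than a rendering bug.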

View File

@@ -16,7 +16,6 @@
- docs/modules/graph/architecture.md
- docs/modules/telemetry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- `docs/modules/platform/architecture-overview.md`
- Module charter: `src/Orchestrator/StellaOps.Orchestrator/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/scheduler/architecture.md
- src/Scheduler/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/scheduler/implementation_plan.md
- docs/modules/platform/architecture-overview.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -21,7 +21,6 @@
- docs/task-packs/runbook.md
- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@
- `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
- `docs/events/orchestrator-scanner-events.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -20,7 +20,6 @@
- `docs/events/orchestrator-scanner-events.md`
- `docs/modules/cli/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
- Observability guidance/dashboards referenced by Observability Guild
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/export-center/architecture.md
- src/ExportCenter/AGENTS.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/export-center/architecture.md (for evidence linkage)
- src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- docs/notifications/templates.md
- src/Notifier/StellaOps.Notifier/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/telemetry/architecture.md
- src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -15,7 +15,6 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/telemetry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@
- Product advisory: `docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md` (canonical for SPDX/VEX work)
- SPDX 3.0.1 specification: https://spdx.github.io/spdx-spec/v3.0.1/
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/runbooks/replay_ops.md
- docs/security/crypto-routing-audit-2025-11-07.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -21,7 +21,6 @@
- FIRST CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4-0
- Module AGENTS.md: Create `src/Policy/StellaOps.Policy.Scoring/AGENTS.md` as part of task 1
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -15,7 +15,6 @@
- docs/modules/platform/architecture-overview.md
- docs/implplan/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- `docs/modules/cli/architecture.md`.
- `src/Cli/StellaOps.Cli/AGENTS.md` and `docs/implplan/AGENTS.md`.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/cli/architecture.md
- src/Cli/StellaOps.Cli/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -1,6 +1,5 @@
# Sprint 203 - Experience & SDKs · 180.A) Cli.III
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
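Review bot: in this file the `> **BLOCKED Tasks:**` callout sits between the `# Sprint 203` title and the `Active items only.` intro sentence, whereas every other sprint file in this change places it immediately before `## Delivery Tracker`. If the callout and the intro sentence really are adjacent after the `@@ -1,6 +1,5 @@` deletion, the intro paragraph becomes a lazy continuation of the block quote under CommonMark and renders inside the callout; add a blank line between them, or move the callout to match the other files.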

View File

@@ -17,7 +17,6 @@
- docs/modules/cli/architecture.md; docs/modules/ui/architecture.md.
- API/OAS governance specs referenced by APIG0101 and portal contracts (DEVL0101) once published.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -25,7 +25,6 @@
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -25,7 +25,6 @@
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/api/console/workspaces.md` plus `docs/api/console/samples/` artifacts
- `docs/implplan/archived/tasks.md` for prior completions
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition / Evidence |

View File

@@ -20,7 +20,6 @@
- `docs/modules/export-center/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -23,7 +23,6 @@
- `docs/schemas/vex-decision.schema.json`
- `docs/schemas/audit-bundle-index.schema.json`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/policy/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/ui/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- Console module dossier for observability widgets (when provided)
- Governance/Exceptions specifications (when provided)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@ Active items only. Completed/historic work live in `docs/implplan/archived/tasks
- Module dossiers: `docs/modules/export-center/architecture.md`, `docs/modules/attestor/architecture.md`, `docs/modules/signer/architecture.md`, `docs/modules/telemetry/architecture.md`, `docs/modules/ui/architecture.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
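Review bot: the hunk-header context reads `Completed/historic work live in \`docs/implplan/archived/tasks` and the same sentence heads the next three hunks; subject and verb disagree (`work lives in`), and since these intro lines are already being touched the wording could be fixed in the same commit.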

View File

@@ -19,7 +19,6 @@ Active items only. Completed/historic work live in `docs/implplan/archived/tasks
- Module dossiers relevant to each task (install, notifications, OAS)
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@ Active items only. Completed/historic work live in `docs/implplan/archived/tasks
- Policy dossiers referenced per task
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/findings-ledger/README.md`
- `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@ Active items only. Completed/historic work live in `docs/implplan/archived/tasks
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/orchestrator/implementation_plan.md
- docs/modules/platform/architecture-overview.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/implementation_plan.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/scanner/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- docs/modules/scheduler/implementation_plan.md
- docs/modules/scheduler/AGENTS.md (this sprint refreshes it)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Sprint template rules in `docs/implplan/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -17,7 +17,6 @@
- docs/reachability/function-level-evidence.md
- docs/reachability/DELIVERY_GUIDE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -30,7 +30,6 @@
- docs/provenance/inline-dsse.md
- docs/ci/dsse-build-flow.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -18,7 +18,6 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
- docs/modules/ci/architecture.md
- docs/airgap/** (for mirror/import tasks)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| Task ID | State | Task description | Owners (Source) |

View File

@@ -15,7 +15,6 @@
- docs/modules/platform/architecture-overview.md
- Any module-specific runbooks referenced by tasks (policy, VEX Lens, Findings Ledger).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -19,7 +19,6 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
- docs/modules/ci/architecture.md
- docs/airgap/** (for sealed-mode tasks)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| Task ID | State | Task description | Owners (Source) |

View File

@@ -15,7 +15,6 @@
- `docs/modules/platform/architecture-overview.md`
- `ops/devops/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -15,7 +15,6 @@
- docs/modules/platform/architecture-overview.md
- Existing CI/OAS runbooks referenced by tasks.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -16,7 +16,6 @@
- docs/modules/devops/architecture.md
- ops/devops/README.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -13,7 +13,6 @@
- ops/devops/README.md
- ops/devops/docker/base-image-guidelines.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -15,7 +15,6 @@
- docs/modules/devops/architecture.md
- docs/modules/airgap/airgap-mode.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
@@ -50,6 +49,7 @@
| 19 | AIRGAP-RECEIPTS-510-012 | DONE (2025-12-02) | Depends on AIRGAP-MANIFEST-510-010 | AirGap Controller Guild · Platform Guild | Emit ingress/egress DSSE receipts (hash, operator, time, decision) and store in Proof Graph; expose verify CLI hook. |
| 20 | AIRGAP-REPLAY-510-013 | DONE (2025-12-02) | Depends on AIRGAP-MANIFEST-510-010 | AirGap Time Guild · Ops Guild | Define replay-depth levels (hash-only/full recompute/policy freeze) and enforce via controller/importer verify endpoints; add CI smoke for hash drift. |
| 21 | AIRGAP-VERIFY-510-014 | DONE (2025-12-02) | Depends on AIRGAP-MANIFEST-510-010 | CLI Guild · Ops Guild | Provide offline verifier script covering signature, checksum, mirror staleness, policy/graph hash match, and AV report validation; publish under `docs/airgap/runbooks/import-verify.md`. |
| 22 | AIRGAP-PG-510-015 | TODO | Depends on PostgreSQL kit setup (see Sprint 3407) | DevOps Guild | Test PostgreSQL kit installation in air-gapped environment: verify `docker-compose.airgap.yaml` with PostgreSQL 17, pg_stat_statements, init scripts (`deploy/compose/postgres-init/01-extensions.sql`), schema creation, and module connectivity. Reference: `docs/operations/postgresql-guide.md`. |
## Execution Log
| Date (UTC) | Update | Owner |
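Review bot: row 22's dependency column reads "Depends on PostgreSQL kit setup (see Sprint 3407)" with no task ID, unlike rows 19-21, which name AIRGAP-MANIFEST-510-010; the execution-log entry added in this same commit identifies the origin as PG-T7.5.5, so cite that ID (or the Sprint 3407 kit task this row actually waits on) so the blocker can be followed from the tracker.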
@@ -100,6 +100,7 @@
| 2025-12-01 | Added AIRGAP-GAPS-510-009 to track remediation of AG1AG12 from `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Product Mgmt |
| 2025-12-01 | AIRGAP-GAPS-510-009 DONE: drafted remediation plan `docs/airgap/gaps/AG1-AG12-remediation.md` covering trust roots, Rekor mirror, feed freezing, tool hashes, chunked kits, AV/YARA, policy/graph hashes, tenant scoping, ingress/egress receipts, replay levels, observability, and runbooks. | Implementer |
| 2025-12-02 | Added implementation tasks 510-010…014 for manifest schema + DSSE, AV/YARA scans, ingress/egress receipts, replay-depth enforcement, and offline verifier script per `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Project Mgmt |
| 2025-12-10 | Added AIRGAP-PG-510-015 (PostgreSQL air-gap test) migrated from Sprint 3407 (PG-T7.5.5); covers PostgreSQL 17 kit verification with pg_stat_statements, init scripts, and schema validation. | Infrastructure Guild |
| 2025-12-06 | ✅ **5 tasks UNBLOCKED**: Created `docs/schemas/sealed-mode.schema.json` (AirGap state, egress policy, bundle verification) and `docs/schemas/time-anchor.schema.json` (TUF trust roots, time anchors, validation). Tasks AIRGAP-IMP-57-002, 58-001, 58-002 and AIRGAP-TIME-58-001, 58-002 moved from BLOCKED to TODO. | System |
## Decisions & Risks
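Review bot: the new 2025-12-10 row is inserted between the 2025-12-02 and 2025-12-06 entries, breaking the execution log's chronological order; move it below the 2025-12-06 row so the latest update stays at the end of the table.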


@@ -14,7 +14,6 @@
- docs/api/openapi-discovery.md
- src/Api/StellaOps.Api.Governance/README.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -16,7 +16,6 @@
- docs/modules/signals/architecture.md (for reachability benches)
- docs/modules/policy/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -18,7 +18,6 @@
- `docs/modules/orchestrator/architecture.md`
- `docs/modules/export-center/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -17,7 +17,6 @@
- docs/modules/scanner/architecture.md (for registry wiring in Scanner WebService/Worker)
- docs/modules/attestor/architecture.md (for attestation hashing/witness flows)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |


@@ -0,0 +1,210 @@
# Sprint 3410 · MongoDB Final Removal — Complete Cleanse
## Topic & Scope
- Complete removal of ALL MongoDB references from the codebase
- Remove MongoDB.Driver, MongoDB.Bson, Mongo2Go package references
- Remove Storage.Mongo namespaces and using statements
- Convert remaining tests from Mongo2Go fixtures to Postgres/in-memory fixtures
- **Working directory:** cross-module; all modules with MongoDB references
## Dependencies & Concurrency
- Upstream: Sprint 3407 (PostgreSQL Conversion Phase 7) provided foundation
- This sprint addresses remaining ~680 MongoDB occurrences across ~200 files
- Execute module-by-module to keep build green between changes
## Audit Summary (2025-12-10)
Total MongoDB references found: **~680 occurrences across 200+ files**
## Documentation Prerequisites
- docs/db/SPECIFICATION.md
- docs/operations/postgresql-guide.md
- Module AGENTS.md files
## Delivery Tracker
### T10.1: Concelier Module (Highest Priority - ~80+ files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T10.1.1 | TODO | Start here | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | TODO | MR-T10.1.1 | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | TODO | MR-T10.1.1 | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | TODO | MR-T10.1.3 | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
| 5 | MR-T10.1.5 | TODO | MR-T10.1.4 | Concelier Guild | Remove MongoDB from `Storage.Postgres` adapter references |
| 6 | MR-T10.1.6 | TODO | MR-T10.1.5 | Concelier Guild | Clean connector source files (VmwareConnector, OracleConnector, etc.) |
### T10.2: Notifier Module (~15 files) - SHIM COMPLETE, ARCH CLEANUP NEEDED
**SHIM COMPLETE:** `StellaOps.Notify.Storage.Mongo` compatibility shim created with 13 repository interfaces and in-memory implementations. Shim builds successfully.
**BLOCKED BY:** SPRINT_3411_0001_0001 (Notifier Architectural Cleanup) - Notifier.Worker has 70+ pre-existing build errors unrelated to MongoDB (duplicate types, missing types, interface mismatches).
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 7 | MR-T10.2.0 | DONE | Shim complete | Notifier Guild | Create `StellaOps.Notify.Storage.Mongo` compatibility shim with in-memory implementations |
| 8 | MR-T10.2.1 | BLOCKED | SPRINT_3411 | Notifier Guild | Remove `Storage.Mongo` imports from `Notifier.WebService/Program.cs` |
| 9 | MR-T10.2.2 | BLOCKED | SPRINT_3411 | Notifier Guild | Remove MongoDB from Worker (MongoInitializationHostedService, Simulation, Escalation) |
| 10 | MR-T10.2.3 | BLOCKED | SPRINT_3411 | Notifier Guild | Update Notifier DI to use Postgres storage only |
### T10.3: Authority Module (~30 files) - SHIM + POSTGRES REWRITE COMPLETE
**COMPLETE:**
- `StellaOps.Authority.Storage.Mongo` compatibility shim created with 8 store interfaces, 11 document types, BsonId/BsonElement attributes, ObjectId struct
- `Authority.Plugin.Standard` FULLY REWRITTEN to use PostgreSQL via `IUserRepository` instead of MongoDB collections
- `StandardUserCredentialStore` stores roles/attributes in `UserEntity.Metadata` JSON field
- Both shim and Plugin.Standard build successfully
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 11 | MR-T10.3.0 | DONE | Shim + rewrite complete | Authority Guild | Created `StellaOps.Authority.Storage.Mongo` shim + rewrote Plugin.Standard for PostgreSQL |
| 12 | MR-T10.3.1 | TODO | MR-T10.3.0 | Authority Guild | Remove MongoDB from `Authority/Program.cs` |
| 13 | MR-T10.3.2 | DONE | PostgreSQL rewrite | Authority Guild | Plugin.Standard now uses PostgreSQL via IUserRepository |
| 14 | MR-T10.3.3 | TODO | MR-T10.3.1 | Authority Guild | Remove MongoDB from `Plugin.Ldap` (Credentials, Claims, ClientProvisioning) |
| 15 | MR-T10.3.4 | TODO | MR-T10.3.3 | Authority Guild | Remove MongoDB from OpenIddict handlers |
| 16 | MR-T10.3.5 | TODO | MR-T10.3.4 | Authority Guild | Remove MongoDB from all Authority tests (~15 test files) |
### T10.4: Scanner.Storage Module (~5 files) - BLOCKED
**BLOCKED:** Scanner.Storage has ONLY MongoDB implementation, no Postgres equivalent exists. Must implement full Postgres storage layer first.
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 16 | MR-T10.4.0 | BLOCKED | Need Postgres storage implementation | Scanner Guild | Implement `StellaOps.Scanner.Storage.Postgres` with migration layer |
| 17 | MR-T10.4.1 | TODO | MR-T10.4.0 | Scanner Guild | Remove `Scanner.Storage/Mongo/MongoCollectionProvider.cs` |
| 18 | MR-T10.4.2 | TODO | MR-T10.4.1 | Scanner Guild | Remove MongoDB from ServiceCollectionExtensions |
| 19 | MR-T10.4.3 | TODO | MR-T10.4.2 | Scanner Guild | Remove MongoDB from repositories (BunPackageInventory, etc.) |
### T10.5: Attestor Module (~8 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 18 | MR-T10.5.1 | TODO | None | Attestor Guild | Remove `Attestor.Infrastructure/Storage/Mongo*.cs` files |
| 19 | MR-T10.5.2 | TODO | MR-T10.5.1 | Attestor Guild | Remove MongoDB from ServiceCollectionExtensions |
| 20 | MR-T10.5.3 | TODO | MR-T10.5.2 | Attestor Guild | Remove MongoDB from Attestor tests |
### T10.6: AirGap.Controller Module (~4 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 21 | MR-T10.6.1 | TODO | None | AirGap Guild | Remove `MongoAirGapStateStore.cs` |
| 22 | MR-T10.6.2 | TODO | MR-T10.6.1 | AirGap Guild | Remove MongoDB from DI extensions |
| 23 | MR-T10.6.3 | TODO | MR-T10.6.2 | AirGap Guild | Remove MongoDB from Controller tests |
### T10.7: TaskRunner Module (~6 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 24 | MR-T10.7.1 | TODO | None | TaskRunner Guild | Remove MongoDB from `TaskRunner.WebService/Program.cs` |
| 25 | MR-T10.7.2 | TODO | MR-T10.7.1 | TaskRunner Guild | Remove MongoDB from `TaskRunner.Worker/Program.cs` |
| 26 | MR-T10.7.3 | TODO | MR-T10.7.2 | TaskRunner Guild | Remove MongoDB from TaskRunner tests |
### T10.8: PacksRegistry Module (~8 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 27 | MR-T10.8.1 | TODO | None | PacksRegistry Guild | Remove `PacksRegistry.Infrastructure/Mongo/*.cs` files |
| 28 | MR-T10.8.2 | TODO | MR-T10.8.1 | PacksRegistry Guild | Remove MongoDB from WebService Program.cs |
### T10.9: SbomService Module (~5 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 29 | MR-T10.9.1 | TODO | None | SbomService Guild | Remove MongoDB from `SbomService/Program.cs` |
| 30 | MR-T10.9.2 | TODO | MR-T10.9.1 | SbomService Guild | Remove MongoDB repositories (MongoCatalogRepository, MongoComponentLookupRepository) |
| 31 | MR-T10.9.3 | TODO | MR-T10.9.2 | SbomService Guild | Remove MongoDB from tests |
### T10.10: Other Modules (Signals, VexLens, Policy, Graph, Bench)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 32 | MR-T10.10.1 | TODO | None | Signals Guild | Remove MongoDB from Signals (Options, Program, Models) |
| 33 | MR-T10.10.2 | TODO | None | VexLens Guild | Remove MongoDB from VexLens (Options, ServiceCollectionExtensions) |
| 34 | MR-T10.10.3 | TODO | None | Policy Guild | Remove MongoDB from Policy.Engine (MongoDocumentConverter, etc.) |
| 35 | MR-T10.10.4 | TODO | None | Graph Guild | Remove MongoDB from Graph.Indexer |
| 36 | MR-T10.10.5 | TODO | None | Bench Guild | Remove MongoDB from Bench tools |
### T10.11: Package and Project Cleanup
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 37 | MR-T10.11.1 | TODO | All above | Infrastructure Guild | Remove MongoDB.Driver package references from all csproj files |
| 38 | MR-T10.11.2 | TODO | MR-T10.11.1 | Infrastructure Guild | Remove MongoDB.Bson package references from all csproj files |
| 39 | MR-T10.11.3 | TODO | MR-T10.11.2 | Infrastructure Guild | Remove Mongo2Go package references from all test csproj files |
| 40 | MR-T10.11.4 | TODO | MR-T10.11.3 | Infrastructure Guild | Remove `StellaOps.Provenance.Mongo` project |
| 41 | MR-T10.11.5 | TODO | MR-T10.11.4 | Infrastructure Guild | Final grep verification: zero MongoDB references |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-10 | Sprint created after audit revealed ~680 MongoDB occurrences remain across 200+ files. Previous sprints incorrectly marked as complete. | Infrastructure Guild |
| 2025-12-10 | **CRITICAL FINDING:** Authority module uses `StellaOps.Authority.Storage.Mongo.*` namespaces but project was deleted and csproj points to Postgres storage. Code won't compile! Notifier module similar - references deleted `StellaOps.Notify.Storage.Mongo` namespace. These modules have BROKEN BUILDS. | Infrastructure Guild |
| 2025-12-10 | Found 20 csproj files with MongoDB.Driver/MongoDB.Bson refs, 5+ with Mongo2Go refs for tests. Full cleanup requires: (1) restore or rebuild Storage.Mongo shim projects, OR (2) complete code migration to Postgres types in each affected module. | Infrastructure Guild |
| 2025-12-10 | Created `StellaOps.Authority.Storage.Mongo` compatibility shim with interfaces (IAuthorityServiceAccountStore, IAuthorityClientStore, IAuthorityTokenStore, etc.), documents (AuthorityServiceAccountDocument, AuthorityClientDocument, etc.), and in-memory implementations. Build shim successfully. | Infrastructure Guild |
| 2025-12-10 | Authority.Plugin.Standard still fails: code uses MongoDB.Bson attributes directly (BsonId, BsonElement, ObjectId) on StandardUserDocument.cs and StandardUserCredentialStore.cs. These require either MongoDB.Bson package OR deeper code migration to remove Bson serialization attributes. | Infrastructure Guild |
| 2025-12-10 | Extended shim with MongoDB.Bson types (ObjectId, BsonType, BsonId, BsonElement attributes) and MongoDB.Driver shims (IMongoCollection, IMongoDatabase, IMongoClient). Shim builds successfully. | Infrastructure Guild |
| 2025-12-10 | **Authority.Plugin.Standard** requires full MongoDB API coverage: `Find()`, `Builders<T>`, `Indexes`, `BsonDocument`, `CreateIndexModel<T>`, `MongoCommandException`. Also missing document properties: `Plugin`, `SecretHash`, `SenderConstraint` on AuthorityClientDocument; `Category`, `RevocationId`, `ReasonDescription`, `EffectiveAt`, `Metadata` on AuthorityRevocationDocument. Complete shim would require replicating most of MongoDB driver API surface. | Infrastructure Guild |
| 2025-12-10 | **CONCLUSION:** Creating a full MongoDB compatibility shim is not feasible - code deeply intertwined with MongoDB driver. Two viable paths: (1) Restore MongoDB.Driver package refs temporarily and plan proper PostgreSQL migration per-module, (2) Rewrite Authority.Plugin.Standard storage entirely for PostgreSQL. | Infrastructure Guild |
| 2025-12-10 | **Authority.Plugin.Standard REWRITTEN for PostgreSQL.** Full PostgreSQL implementation using IUserRepository. Stores roles/attributes in UserEntity.Metadata JSON field. Maps MongoDB lockout fields to PostgreSQL equivalents. Build succeeds. | Infrastructure Guild |
| 2025-12-10 | **Notify.Storage.Mongo shim CREATED.** 13 repository interfaces with in-memory implementations. Shim builds successfully. However, Notifier.Worker has 70+ PRE-EXISTING errors (duplicate types, interface mismatches) unrelated to MongoDB. Created SPRINT_3411 for architectural cleanup. | Infrastructure Guild |
## Current Progress
**Authority Storage.Mongo Shim Created:**
- Location: `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/`
- Files created:
- `StellaOps.Authority.Storage.Mongo.csproj` - Standalone shim project
- `Documents/AuthorityDocuments.cs` - 10 document types
- `Stores/IAuthorityStores.cs` - 8 store interfaces
- `Stores/InMemoryStores.cs` - In-memory implementations
- `Sessions/IClientSessionHandle.cs` - Session types
- `Initialization/AuthorityMongoInitializer.cs` - No-op initializer
- `Extensions/ServiceCollectionExtensions.cs` - DI registration
- `Bson/BsonAttributes.cs` - BsonId, BsonElement attributes
- `Bson/BsonTypes.cs` - ObjectId, BsonType enum
- `Driver/MongoDriverShim.cs` - IMongoCollection, IMongoDatabase interfaces
- Status: Shim builds successfully but Plugin.Standard requires full MongoDB driver API coverage
## Critical Build Status
**BROKEN BUILDS DISCOVERED:**
- `StellaOps.Authority` - uses deleted `Storage.Mongo` namespace but csproj references `Storage.Postgres`
- `StellaOps.Notifier` - uses deleted `StellaOps.Notify.Storage.Mongo` namespace (project deleted, code not updated)
- Multiple modules reference MongoDB.Driver but use storage interfaces from deleted projects
**Package Reference Inventory (MongoDB.Driver/Bson):**
| Project | MongoDB.Driver | MongoDB.Bson | Mongo2Go |
|---------|----------------|--------------|----------|
| AirGap.Controller | 3.5.0 | - | - |
| Graph.Indexer | 3.5.0 | 3.5.0 | 3.1.3 (tests) |
| Bench.LinkNotMerge | 3.5.0 | - | - |
| Bench.LinkNotMerge.Vex | 3.5.0 | - | - |
| Authority.Tests | 3.5.0 | - | - |
| Authority.Plugin.Standard.Tests | 3.5.0 | - | - |
| Authority.Plugin.Ldap | 3.5.0 | - | - |
| Attestor.WebService | 3.5.0 | - | - |
| Attestor.Infrastructure | 3.5.0 | - | - |
| TaskRunner.Infrastructure | 3.5.0 | - | 4.1.0 (tests) |
| Policy.Engine | 3.5.0 | - | - |
| Replay.Core | - | 2.25.0 | - |
| PacksRegistry.Infrastructure | 3.5.0 | - | - |
| IssuerDirectory.Infrastructure | 3.5.0 | 3.5.0 | - |
| Signer.Infrastructure | 3.5.0 | - | 3.1.3 (tests) |
| Signals | 2.24.0 | - | 4.1.0 (tests) |
| SbomService | 3.5.0 | - | - |
| Scanner.Storage | 3.5.0 | - | - |
| Scheduler.WebService.Tests | - | - | 4.1.0 |
## Decisions & Risks
- **CRITICAL RISK:** Builds are BROKEN - Authority/Notifier reference deleted Storage.Mongo namespaces but code not migrated
- **RISK:** Large surface area (~200 files) - execute module-by-module to avoid breaking build
- **RISK:** Many modules have ONLY MongoDB implementation with no Postgres equivalent (Scanner.Storage, Attestor, AirGap, etc.)
- **DECISION REQUIRED:** Either (A) restore Storage.Mongo shim projects to fix builds, OR (B) implement missing Postgres storage for ALL affected modules
- **ESTIMATE:** Full MongoDB removal requires implementing Postgres storage for 10+ modules - this is a multi-sprint effort, not a cleanup task
## Blocked Modules Summary
| Module | Blocker | Resolution |
|--------|---------|------------|
| Notifier | Missing 4 Postgres repos (PackApproval, ThrottleConfig, OperatorOverride, Localization) | Implement repos OR restore Mongo |
| Authority | Code uses deleted Storage.Mongo namespace; csproj points to Postgres | Implement shim OR migrate code to Postgres types |
| Scanner.Storage | Only MongoDB impl exists, no Postgres | Full Postgres impl required |
| Attestor | Only MongoDB impl exists (MongoAttestorEntryRepository, etc.) | Full Postgres impl required |
| AirGap.Controller | Only MongoDB impl exists (MongoAirGapStateStore) | Full Postgres impl required |
| TaskRunner | MongoDB references throughout Infrastructure/WebService/Worker | Postgres impl + code migration |
| PacksRegistry | Infrastructure/Mongo/* files | Postgres impl required |
| SbomService | MongoDB repositories | Postgres impl required |
| Signals | MongoDB storage throughout | Postgres impl required |
| Graph.Indexer | MongoGraphDocumentWriter | Postgres impl required |
| Concelier | MongoCompat shim + 80+ test files using Mongo2Go | Large migration effort |
## Next Checkpoints
- **IMMEDIATE:** Decision required from stakeholders on approach (restore Mongo shims vs implement Postgres)
- **IF RESTORE SHIM:** Create minimal Storage.Mongo shim projects for Authority/Notifier to fix broken builds
- **IF POSTGRES:** Plan multi-sprint effort for 10+ modules requiring Postgres storage implementation
- **PARALLEL:** Remove MongoDB.Driver package references from modules that already have working Postgres storage (Policy.Engine, etc.)
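Review bot: MR-T10.3.0 (row 11) is marked DONE with in-memory implementations behind `IAuthorityTokenStore` and the other Authority store interfaces while MR-T10.3.1 (remove MongoDB from `Authority/Program.cs`) is still TODO; if `Program.cs` ends up wiring the shim, token and revocation state lives only in process memory and is lost on restart, so the tracker should state that the in-memory stores are test-only and gate production DI on the PostgreSQL implementations. The Authority rewrite (row 13; log entry "Maps MongoDB lockout fields to PostgreSQL equivalents", roles/attributes kept in the `UserEntity.Metadata` JSON field) has no test task covering lockout and role semantics; add one next to MR-T10.3.5. Row numbering is broken: `16` is reused for MR-T10.3.5 and MR-T10.4.0 and `18`/`19` for both T10.4 and T10.5 rows, so the count ends at 41 instead of 44. Finally, "Critical Build Status", "Decisions & Risks", "Blocked Modules Summary" and "Next Checkpoints" still describe Authority as using a deleted `Storage.Mongo` namespace and ask for a shim-vs-Postgres decision that the Execution Log records as already taken (shim created, Plugin.Standard rewritten, build succeeds); bring those sections in line with the log or mark them superseded.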


@@ -0,0 +1,329 @@
# Sprint 3411 · Notifier Worker Architectural Cleanup
## Topic & Scope
- Clean up accumulated technical debt in `StellaOps.Notifier.Worker` module
- Resolve duplicate type definitions (12 instances)
- Create missing type definitions (5 types)
- Fix interface implementation mismatches (5 critical)
- Consolidate dual namespace structure (Escalation vs Escalations, Processing vs Dispatch)
- **Working directory:** `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/`
## Dependencies & Concurrency
- **Upstream:** SPRINT_3410_0001_0001 (MongoDB Final Removal) - Notify.Storage.Mongo shim MUST be completed first
- **Upstream:** Authority.Plugin.Standard PostgreSQL migration COMPLETE
- Execute phases sequentially to maintain build integrity between changes
## Problem Analysis Summary
### 1. Duplicate Type Definitions (12 instances)
| Type Name | File 1 | File 2 | Status |
|-----------|--------|--------|--------|
| `IDigestDistributor` | `Digest/DigestDistributor.cs:12` | `Digest/DigestScheduleRunner.cs:175` | DIFFERENT signatures |
| `ITenantContext` | `Tenancy/ITenantContext.cs:9` | `Tenancy/TenantContext.cs:7` | DIFFERENT contracts |
| `TenantContext` | `Tenancy/ITenantContext.cs:86` | `Tenancy/TenantContext.cs:38` | DIFFERENT implementations |
| `TenantContextExtensions` | `Tenancy/ITenantContext.cs:245` | `Tenancy/TenantContext.cs:87` | DIFFERENT methods |
| `IOnCallScheduleService` | `Escalation/IOnCallScheduleService.cs:6` | `Escalations/IOnCallSchedule.cs:6` | DIFFERENT signatures |
| `OnCallSchedule` | `Escalation/IOnCallScheduleService.cs:83` | `Escalations/IOnCallSchedule.cs:69` | DIFFERENT properties |
| `OnCallUser` | `Escalation/IOnCallScheduleService.cs:256` | `Escalations/IOnCallSchedule.cs:202` | DIFFERENT properties |
| `RotationType` | `Escalation/IOnCallScheduleService.cs:200` | `Escalations/IOnCallSchedule.cs:181` | IDENTICAL |
| `ChaosFaultType` | `Observability/IChaosEngine.cs:67` | `Observability/IChaosTestRunner.cs:121` | DIFFERENT values |
| `INotifyTemplateRenderer` | `Processing/INotifyTemplateRenderer.cs:9` | `Dispatch/INotifyTemplateRenderer.cs:8` | DIFFERENT signatures |
| `SimpleTemplateRenderer` | `Processing/SimpleTemplateRenderer.cs:10` | `Dispatch/SimpleTemplateRenderer.cs:15` | DIFFERENT implementations |
| `EscalationServiceExtensions` | `Escalation/EscalationServiceExtensions.cs:9` | `Escalations/EscalationServiceExtensions.cs:9` | DIFFERENT registrations |
### 2. Missing Type Definitions (5 instances)
| Type Name | Kind | References | Suggested Location |
|-----------|------|------------|-------------------|
| `DigestType` | Enum | `DigestScheduler.cs:98,348` | `Digest/DigestTypes.cs` |
| `DigestFormat` | Enum | `DigestScheduler.cs:108`, `DigestDistributor.cs:20,107,148,193,380` | `Digest/DigestTypes.cs` |
| `EscalationProcessResult` | Record | `DefaultEscalationEngine.cs:99` | `Escalation/IEscalationEngine.cs` |
| `NotifyInboxMessage` | Class | `MongoInboxStoreAdapter.cs:21,81` | `Notify.Storage.Mongo/Documents/` |
| `NotifyAuditEntryDocument` | Class | `DefaultNotifySimulationEngine.cs:434,482,510`, 24+ in Program.cs | `Notify.Storage.Mongo/Documents/` |
### 3. Interface Implementation Mismatches (5 critical)
| Class | Interface | Issues |
|-------|-----------|--------|
| `DefaultCorrelationEngine` | `ICorrelationEngine` | Has `ProcessAsync` instead of `CorrelateAsync`; missing `CheckSuppressionAsync`, `CheckThrottleAsync` |
| `DefaultEscalationEngine` | `IEscalationEngine` | Wrong return types (`NotifyEscalationState` vs `EscalationState`); missing 5 methods |
| `LockBasedThrottler` | `INotifyThrottler` | Has `IsThrottledAsync` instead of `CheckAsync`; returns `bool` not `ThrottleCheckResult` |
| `DefaultDigestGenerator` | `IDigestGenerator` | Completely different signature; returns `NotifyDigest` vs `DigestResult` |
| `DefaultStormBreaker` | `IStormBreaker` | Has `DetectAsync` instead of `EvaluateAsync`; missing `GetStateAsync`, `ClearAsync` |
### 4. Architectural Issues
**Dual namespace conflict:** `Escalation/` vs `Escalations/` folders contain competing implementations of the same concepts. Must consolidate to single folder.
**Dual rendering conflict:** `Processing/` vs `Dispatch/` both have `INotifyTemplateRenderer` with different signatures.
---
## Implementation Plan
### Phase 1: Create Missing Types (Est. ~50 lines)
**Task 1.1: Create DigestTypes.cs**
```
File: src/Notifier/.../Worker/Digest/DigestTypes.cs
- Add DigestType enum: Daily, Weekly, Monthly
- Add DigestFormat enum: Html, PlainText, Markdown, Json, Slack, Teams
```
**Task 1.2: Add EscalationProcessResult**
```
File: src/Notifier/.../Worker/Escalation/IEscalationEngine.cs
- Add record EscalationProcessResult { Processed, Escalated, Exhausted, Errors, ErrorMessages }
```
**Task 1.3: Add Missing Documents to Mongo Shim**
```
File: src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/Documents/NotifyDocuments.cs
- Add NotifyInboxMessage class
- Add NotifyAuditEntryDocument class (or alias to NotifyAuditDocument)
```
### Phase 2: Consolidate Duplicate Escalation Code
**Task 2.1: Choose canonical Escalation folder**
- Keep: `Escalation/` (has implementations like `DefaultEscalationEngine`, `DefaultOnCallResolver`)
- Delete: `Escalations/` folder contents (merge any unique code first)
**Task 2.2: Merge unique types from Escalations/**
- Review `IntegrationAdapters.cs` (PagerDuty, OpsGenie) - may need to keep
- Review `InboxChannel.cs` - contains `IInboxService`, `CliInboxChannelAdapter`
- Move useful types to `Escalation/` folder
**Task 2.3: Delete redundant Escalations/ files**
```
Delete: Escalations/IOnCallSchedule.cs (duplicate of Escalation/IOnCallScheduleService.cs)
Delete: Escalations/EscalationServiceExtensions.cs (merge into Escalation/)
Keep & Move: Escalations/IntegrationAdapters.cs -> Escalation/
Keep & Move: Escalations/InboxChannel.cs -> Escalation/
Keep & Move: Escalations/IEscalationPolicy.cs -> Escalation/
```
### Phase 3: Consolidate Duplicate Tenancy Code
**Task 3.1: Choose canonical ITenantContext**
- Keep: `Tenancy/ITenantContext.cs` (full-featured with Claims, CorrelationId, Source)
- Delete: `Tenancy/TenantContext.cs` duplicate interface definition
**Task 3.2: Merge TenantContext implementations**
- The record in `ITenantContext.cs` is more complete
- Delete the class in `TenantContext.cs:38`
- Keep useful extension methods from both files
### Phase 4: Consolidate Template Renderer Code
**Task 4.1: Choose canonical INotifyTemplateRenderer**
- Keep: `Dispatch/INotifyTemplateRenderer.cs` (async, returns `NotifyRenderedContent`)
- Delete: `Processing/INotifyTemplateRenderer.cs` (sync, returns string)
**Task 4.2: Update SimpleTemplateRenderer**
- Keep: `Dispatch/SimpleTemplateRenderer.cs`
- Delete: `Processing/SimpleTemplateRenderer.cs`
- Update any code using sync renderer to use async version
### Phase 5: Fix Interface Implementation Mismatches
**Task 5.1: Fix DefaultCorrelationEngine**
```
File: Correlation/DefaultCorrelationEngine.cs
Option A: Rename ProcessAsync -> CorrelateAsync, adjust signature
Option B: Delete DefaultCorrelationEngine, keep only CorrelationEngine.cs if it exists
Option C: Update ICorrelationEngine to match implementation (if impl is correct)
```
**Task 5.2: Fix DefaultEscalationEngine**
```
File: Escalation/DefaultEscalationEngine.cs
- Change return type from NotifyEscalationState to EscalationState
- Implement missing methods or update interface
- Add missing EscalationState type if needed
```
**Task 5.3: Fix LockBasedThrottler**
```
File: Correlation/LockBasedThrottler.cs
- Rename IsThrottledAsync -> CheckAsync
- Change return type from bool to ThrottleCheckResult
- Rename RecordSentAsync -> RecordEventAsync
- Add ClearAsync method
```
**Task 5.4: Fix DefaultDigestGenerator**
```
File: Digest/DefaultDigestGenerator.cs
Option A: Update signature to match IDigestGenerator
Option B: Update IDigestGenerator to match implementation
Option C: Create new implementation, rename existing to LegacyDigestGenerator
```
**Task 5.5: Fix DefaultStormBreaker**
```
File: StormBreaker/DefaultStormBreaker.cs
- Rename DetectAsync -> EvaluateAsync
- Change return type StormDetectionResult -> StormEvaluationResult
- Add missing GetStateAsync, ClearAsync methods
- Rename TriggerSummaryAsync -> GenerateSummaryAsync
```
### Phase 6: Fix Remaining Duplicates
**Task 6.1: Fix ChaosFaultType duplicate**
```
Keep: Observability/IChaosEngine.cs
Delete: Duplicate enum from IChaosTestRunner.cs
```
**Task 6.2: Fix IDigestDistributor duplicate**
```
Keep: Digest/DigestDistributor.cs (with DigestDistributionResult)
Delete: Duplicate interface from DigestScheduleRunner.cs
Update: ChannelDigestDistributor to implement correct interface
```
**Task 6.3: Add missing package reference**
```
File: StellaOps.Notifier.Worker.csproj
Add: <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" />
```
### Phase 7: Update DI Registrations
**Task 7.1: Update ServiceCollectionExtensions**
- Consolidate `EscalationServiceExtensions` from both folders
- Ensure all implementations are registered correctly
- Remove duplicate registrations
### Phase 8: Verification
**Task 8.1: Build verification**
```bash
dotnet build src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj
```
**Task 8.2: Test verification**
```bash
dotnet test src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker.Tests/
```
---
## Critical Files to Modify
### Create/Add:
- `Digest/DigestTypes.cs` (NEW)
- `Notify.Storage.Mongo/Documents/NotifyDocuments.cs` (ADD types)
- `Escalation/IEscalationEngine.cs` (ADD EscalationProcessResult)
### Delete:
- `Escalations/IOnCallSchedule.cs`
- `Escalations/EscalationServiceExtensions.cs`
- `Tenancy/TenantContext.cs` (after merging)
- `Processing/INotifyTemplateRenderer.cs`
- `Processing/SimpleTemplateRenderer.cs`
### Major Refactor:
- `Correlation/DefaultCorrelationEngine.cs`
- `Escalation/DefaultEscalationEngine.cs`
- `Correlation/LockBasedThrottler.cs`
- `Digest/DefaultDigestGenerator.cs`
- `StormBreaker/DefaultStormBreaker.cs`
### Move:
- `Escalations/IntegrationAdapters.cs` -> `Escalation/`
- `Escalations/InboxChannel.cs` -> `Escalation/`
- `Escalations/IEscalationPolicy.cs` -> `Escalation/`
---
## Risk Assessment
| Risk | Mitigation |
|------|------------|
| Breaking changes to public interfaces | Review if any interfaces are used externally before changing |
| Lost functionality during merge | Carefully diff before deleting any file |
| Runtime DI failures | Verify all services registered after cleanup |
| Test failures | Run tests after each phase |
## Delivery Tracker
### T11.1: Create Missing Types
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | NC-T11.1.1 | TODO | Start here | Notifier Guild | Create `Digest/DigestTypes.cs` with DigestType enum (Daily, Weekly, Monthly) |
| 2 | NC-T11.1.2 | TODO | NC-T11.1.1 | Notifier Guild | Add DigestFormat enum to DigestTypes.cs (Html, PlainText, Markdown, Json, Slack, Teams) |
| 3 | NC-T11.1.3 | TODO | NC-T11.1.2 | Notifier Guild | Add EscalationProcessResult record to `Escalation/IEscalationEngine.cs` |
| 4 | NC-T11.1.4 | TODO | NC-T11.1.3 | Notifier Guild | Add NotifyInboxMessage class to Notify.Storage.Mongo/Documents |
| 5 | NC-T11.1.5 | TODO | NC-T11.1.4 | Notifier Guild | Add NotifyAuditEntryDocument class (or alias to NotifyAuditDocument) |
### T11.2: Consolidate Escalation Namespace (Escalation vs Escalations)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 6 | NC-T11.2.1 | TODO | T11.1 complete | Notifier Guild | Move `Escalations/IntegrationAdapters.cs` to `Escalation/` folder |
| 7 | NC-T11.2.2 | TODO | NC-T11.2.1 | Notifier Guild | Move `Escalations/InboxChannel.cs` to `Escalation/` folder |
| 8 | NC-T11.2.3 | TODO | NC-T11.2.2 | Notifier Guild | Move `Escalations/IEscalationPolicy.cs` to `Escalation/` folder |
| 9 | NC-T11.2.4 | TODO | NC-T11.2.3 | Notifier Guild | Delete `Escalations/IOnCallSchedule.cs` (duplicate) |
| 10 | NC-T11.2.5 | TODO | NC-T11.2.4 | Notifier Guild | Delete `Escalations/EscalationServiceExtensions.cs` after merging into `Escalation/` |
| 11 | NC-T11.2.6 | TODO | NC-T11.2.5 | Notifier Guild | Delete empty `Escalations/` folder |
### T11.3: Consolidate Tenancy Namespace
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 12 | NC-T11.3.1 | TODO | T11.2 complete | Notifier Guild | Review and merge useful code from `Tenancy/TenantContext.cs` to `ITenantContext.cs` |
| 13 | NC-T11.3.2 | TODO | NC-T11.3.1 | Notifier Guild | Delete `Tenancy/TenantContext.cs` (keep ITenantContext.cs version) |
| 14 | NC-T11.3.3 | TODO | NC-T11.3.2 | Notifier Guild | Update all TenantContext usages to use the canonical version |
### T11.4: Consolidate Template Renderer (Processing vs Dispatch)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 15 | NC-T11.4.1 | TODO | T11.3 complete | Notifier Guild | Keep `Dispatch/INotifyTemplateRenderer.cs` (async version) |
| 16 | NC-T11.4.2 | TODO | NC-T11.4.1 | Notifier Guild | Update code using sync renderer to async |
| 17 | NC-T11.4.3 | TODO | NC-T11.4.2 | Notifier Guild | Delete `Processing/INotifyTemplateRenderer.cs` |
| 18 | NC-T11.4.4 | TODO | NC-T11.4.3 | Notifier Guild | Delete `Processing/SimpleTemplateRenderer.cs` |
### T11.5: Fix Interface Implementation Mismatches
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 19 | NC-T11.5.1 | TODO | T11.4 complete | Notifier Guild | Fix DefaultCorrelationEngine - align with ICorrelationEngine interface |
| 20 | NC-T11.5.2 | TODO | NC-T11.5.1 | Notifier Guild | Fix DefaultEscalationEngine - align with IEscalationEngine interface |
| 21 | NC-T11.5.3 | TODO | NC-T11.5.2 | Notifier Guild | Fix LockBasedThrottler - align with INotifyThrottler interface |
| 22 | NC-T11.5.4 | TODO | NC-T11.5.3 | Notifier Guild | Fix DefaultDigestGenerator - align with IDigestGenerator interface |
| 23 | NC-T11.5.5 | TODO | NC-T11.5.4 | Notifier Guild | Fix DefaultStormBreaker - align with IStormBreaker interface |
### T11.6: Fix Remaining Duplicates
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 24 | NC-T11.6.1 | TODO | T11.5 complete | Notifier Guild | Fix ChaosFaultType - remove duplicate from IChaosTestRunner.cs |
| 25 | NC-T11.6.2 | TODO | NC-T11.6.1 | Notifier Guild | Fix IDigestDistributor - remove duplicate from DigestScheduleRunner.cs |
| 26 | NC-T11.6.3 | TODO | NC-T11.6.2 | Notifier Guild | Fix TenantIsolationOptions - remove duplicate |
| 27 | NC-T11.6.4 | TODO | NC-T11.6.3 | Notifier Guild | Fix WebhookSecurityOptions - remove duplicate |
### T11.7: DI Registration and Package References
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 28 | NC-T11.7.1 | TODO | T11.6 complete | Notifier Guild | Add Microsoft.AspNetCore.Http.Abstractions package reference |
| 29 | NC-T11.7.2 | TODO | NC-T11.7.1 | Notifier Guild | Consolidate EscalationServiceExtensions registrations |
| 30 | NC-T11.7.3 | TODO | NC-T11.7.2 | Notifier Guild | Verify all services registered correctly |
### T11.8: Build Verification
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 31 | NC-T11.8.1 | TODO | T11.7 complete | Notifier Guild | `dotnet build StellaOps.Notifier.Worker.csproj` - must succeed |
| 32 | NC-T11.8.2 | TODO | NC-T11.8.1 | Notifier Guild | `dotnet build StellaOps.Notifier.WebService.csproj` - must succeed |
| 33 | NC-T11.8.3 | TODO | NC-T11.8.2 | Notifier Guild | `dotnet test StellaOps.Notifier.Worker.Tests` - verify no regressions |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-10 | Sprint created after discovering 12 duplicate definitions, 5 missing types, 5 interface mismatches during MongoDB removal. Pre-existing issues exposed when build attempted. | Infrastructure Guild |
## Success Criteria
1. `dotnet build StellaOps.Notifier.Worker.csproj` succeeds with 0 errors
2. No duplicate type definitions remain
3. All interface implementations match their contracts
4. Single canonical location for each concept (Escalation, TenantContext, TemplateRenderer)
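Review bot: Task 6.3 / NC-T11.7.1 add `<PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" />` to StellaOps.Notifier.Worker.csproj; on .NET Core 3.0 and later that NuGet package is deprecated (its last release is 2.2.x) and its types ship in the shared framework, so the worker project should take `<FrameworkReference Include="Microsoft.AspNetCore.App" />` instead of pulling an outdated assembly into the build. Two plan inconsistencies as well: the Delivery Tracker lists NC-T11.6.3 and NC-T11.6.4 (TenantIsolationOptions and WebhookSecurityOptions duplicates) that Phase 6 never describes, and "Critical Files to Modify" adds NotifyInboxMessage to `Notify.Storage.Mongo/Documents/NotifyDocuments.cs` even though the execution log says this sprint exists because of MongoDB removal; adding types to the Mongo storage project needs a line on whether that project is meant to survive.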

View File

@@ -1,451 +0,0 @@
# Blocker Unblock Implementation Plan
> **Created:** 2025-12-04
> **Purpose:** Step-by-step implementation plan to unblock remaining ~14 tasks
> **Estimated Effort:** 16-22 developer-days
## Executive Summary
After creating 11 specification contracts that unblocked ~61 tasks, we have **14 remaining blocked tasks** that require actual implementation work (not just specs). This plan outlines the implementation roadmap.
---
## Remaining Blockers Analysis
| Blocker | Tasks Blocked | Type | Complexity |
|---------|--------------|------|------------|
| WEB-POLICY-20-004 (Rate Limiting) | 6 | Code Implementation | SIMPLE |
| Shared Signals Library | 5+ | New Library | MODERATE |
| Postgres Repositories | 5 | Code Implementation | MODERATE |
| Test Infrastructure | N/A | Infrastructure | MODERATE |
| PGMI0101 Staffing | 3 | Human Decision | N/A |
---
## Implementation Phases
### Phase 1: Policy Engine Rate Limiting (WEB-POLICY-20-004)
**Duration:** 1-2 days
**Unblocks:** 6 tasks (WEB-POLICY-20-004 chain)
**Dependencies:** None
#### 1.1 Create Rate Limit Options
**File:** `src/Policy/StellaOps.Policy.Engine/Options/PolicyEngineRateLimitOptions.cs`
```csharp
namespace StellaOps.Policy.Engine.Options;
public sealed class PolicyEngineRateLimitOptions
{
public const string SectionName = "RateLimiting";
/// <summary>Default permits per window for simulation endpoints</summary>
public int SimulationPermitLimit { get; set; } = 100;
/// <summary>Window duration in seconds</summary>
public int WindowSeconds { get; set; } = 60;
/// <summary>Queue limit for pending requests</summary>
public int QueueLimit { get; set; } = 10;
/// <summary>Enable tenant-aware partitioning</summary>
public bool TenantPartitioning { get; set; } = true;
}
```
#### 1.2 Register Rate Limiter in Program.cs
Add to `src/Policy/StellaOps.Policy.Engine/Program.cs`:
```csharp
// Rate limiting configuration
var rateLimitOptions = builder.Configuration
.GetSection(PolicyEngineRateLimitOptions.SectionName)
.Get<PolicyEngineRateLimitOptions>() ?? new();
builder.Services.AddRateLimiter(options =>
{
options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
options.AddTokenBucketLimiter("policy-simulation", limiterOptions =>
{
limiterOptions.TokenLimit = rateLimitOptions.SimulationPermitLimit;
limiterOptions.ReplenishmentPeriod = TimeSpan.FromSeconds(rateLimitOptions.WindowSeconds);
limiterOptions.TokensPerPeriod = rateLimitOptions.SimulationPermitLimit;
limiterOptions.QueueLimit = rateLimitOptions.QueueLimit;
limiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
});
options.OnRejected = async (context, cancellationToken) =>
{
PolicyEngineTelemetry.RateLimitExceededCounter.Add(1);
context.HttpContext.Response.StatusCode = StatusCodes.Status429TooManyRequests;
await context.HttpContext.Response.WriteAsJsonAsync(new
{
error = "ERR_POL_007",
message = "Rate limit exceeded. Please retry after the reset window.",
retryAfterSeconds = rateLimitOptions.WindowSeconds
}, cancellationToken);
};
});
```
#### 1.3 Apply to Simulation Endpoints
Modify `src/Policy/StellaOps.Policy.Engine/Endpoints/RiskSimulationEndpoints.cs`:
```csharp
group.MapPost("/simulate", SimulateRisk)
.RequireRateLimiting("policy-simulation") // ADD THIS
.WithName("SimulateRisk");
```
#### 1.4 Add Telemetry Counter
Add to `src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs`:
```csharp
public static readonly Counter<long> RateLimitExceededCounter =
Meter.CreateCounter<long>(
"policy_rate_limit_exceeded_total",
unit: "requests",
description: "Total requests rejected due to rate limiting");
```
#### 1.5 Configuration Sample
Add to `etc/policy-engine.yaml.sample`:
```yaml
RateLimiting:
SimulationPermitLimit: 100
WindowSeconds: 60
QueueLimit: 10
TenantPartitioning: true
```
---
### Phase 2: Shared Signals Contracts Library
**Duration:** 3-4 days
**Unblocks:** 5+ modules (Concelier, Scanner, Policy, Signals, Authority)
**Dependencies:** None
#### 2.1 Create Project Structure
```
src/__Libraries/StellaOps.Signals.Contracts/
├── StellaOps.Signals.Contracts.csproj
├── AGENTS.md
├── Models/
│ ├── SignalEnvelope.cs
│ ├── SignalType.cs
│ ├── ReachabilitySignal.cs
│ ├── EntropySignal.cs
│ ├── ExploitabilitySignal.cs
│ ├── TrustSignal.cs
│ └── UnknownSymbolSignal.cs
├── Abstractions/
│ ├── ISignalEmitter.cs
│ ├── ISignalConsumer.cs
│ └── ISignalContext.cs
└── Extensions/
└── ServiceCollectionExtensions.cs
```
#### 2.2 Core Models
**SignalEnvelope.cs:**
```csharp
namespace StellaOps.Signals.Contracts;
public sealed record SignalEnvelope(
string SignalKey,
SignalType SignalType,
object Value,
DateTimeOffset ComputedAt,
string SourceService,
string? TenantId = null,
string? CorrelationId = null,
string? ProvenanceDigest = null);
```
**SignalType.cs:**
```csharp
namespace StellaOps.Signals.Contracts;
public enum SignalType
{
Reachability,
Entropy,
Exploitability,
Trust,
UnknownSymbol,
Custom
}
```
#### 2.3 Signal Models
Each signal type gets a dedicated record:
- `ReachabilitySignal` - package reachability from callgraph
- `EntropySignal` - code complexity/risk metrics
- `ExploitabilitySignal` - KEV status, exploit availability
- `TrustSignal` - reputation, chain of custody scores
- `UnknownSymbolSignal` - unresolved dependencies
#### 2.4 Abstractions
```csharp
public interface ISignalEmitter
{
ValueTask EmitAsync(SignalEnvelope signal, CancellationToken ct = default);
ValueTask EmitBatchAsync(IEnumerable<SignalEnvelope> signals, CancellationToken ct = default);
}
public interface ISignalConsumer
{
IAsyncEnumerable<SignalEnvelope> ConsumeAsync(
SignalType? filterType = null,
CancellationToken ct = default);
}
```
---
### Phase 3: Postgres Repositories
**Duration:** 4-5 days
**Unblocks:** Persistence for new features
**Dependencies:** SQL migrations
#### 3.1 Repository Interfaces
Create in `src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Repositories/`:
| Interface | Methods |
|-----------|---------|
| `ISnapshotRepository` | Create, GetById, List, Delete |
| `IViolationEventRepository` | Append, GetById, List (immutable) |
| `IWorkerResultRepository` | Create, GetById, List, Update |
| `IConflictRepository` | Create, GetById, List, Resolve |
| `ILedgerExportRepository` | Create, GetById, List, GetByDigest |
#### 3.2 SQL Migrations
Create migrations for tables:
```sql
-- policy.snapshots
CREATE TABLE policy.snapshots (
id UUID PRIMARY KEY,
tenant_id TEXT NOT NULL,
policy_id UUID NOT NULL,
version INTEGER NOT NULL,
content_digest TEXT NOT NULL,
metadata JSONB,
created_by TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- policy.violation_events (append-only)
CREATE TABLE policy.violation_events (
id UUID PRIMARY KEY,
tenant_id TEXT NOT NULL,
policy_id UUID NOT NULL,
rule_id TEXT NOT NULL,
severity TEXT NOT NULL,
subject_purl TEXT,
details JSONB,
occurred_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Similar for conflicts, worker_results, ledger_exports
```
#### 3.3 Implementation Pattern
Follow `RiskProfileRepository.cs` pattern:
```csharp
public sealed class SnapshotRepository : RepositoryBase<PolicyDataSource>, ISnapshotRepository
{
public SnapshotRepository(PolicyDataSource dataSource, ILogger<SnapshotRepository> logger)
: base(dataSource, logger) { }
public async Task<SnapshotEntity> CreateAsync(SnapshotEntity entity, CancellationToken ct)
{
const string sql = """
INSERT INTO policy.snapshots
(id, tenant_id, policy_id, version, content_digest, metadata, created_by)
VALUES (@Id, @TenantId, @PolicyId, @Version, @ContentDigest, @Metadata::jsonb, @CreatedBy)
RETURNING *
""";
return await ExecuteScalarAsync<SnapshotEntity>(sql, entity, ct);
}
// ... other CRUD methods
}
```
---
### Phase 4: Test Infrastructure
**Duration:** 2-3 days
**Unblocks:** Validation before merge
**Dependencies:** Phase 3
#### 4.1 Postgres Test Fixture
```csharp
public sealed class PostgresFixture : IAsyncLifetime
{
private TestcontainersContainer? _container;
public string ConnectionString { get; private set; } = string.Empty;
public async Task InitializeAsync()
{
_container = new TestcontainersBuilder<TestcontainersContainer>()
.WithImage("postgres:16-alpine")
.WithEnvironment("POSTGRES_PASSWORD", "test")
.WithPortBinding(5432, true)
.Build();
await _container.StartAsync();
ConnectionString = $"Host=localhost;Port={_container.GetMappedPublicPort(5432)};...";
// Run migrations
await MigrationRunner.RunAsync(ConnectionString);
}
public async Task DisposeAsync() => await _container?.DisposeAsync();
}
```
#### 4.2 Test Classes
- `RateLimitingTests.cs` - quota exhaustion, recovery, tenant partitioning
- `SnapshotRepositoryTests.cs` - CRUD operations
- `ViolationEventRepositoryTests.cs` - append-only semantics
- `ConflictRepositoryTests.cs` - resolution workflow
- `SignalEnvelopeTests.cs` - serialization, validation
---
### Phase 5: New Endpoints
**Duration:** 2-3 days
**Unblocks:** API surface completion
**Dependencies:** Phase 3
#### 5.1 Endpoint Groups
| Path | Operations | Auth |
|------|------------|------|
| `/api/policy/snapshots` | GET, POST, DELETE | `policy:read`, `policy:author` |
| `/api/policy/violations` | GET | `policy:read` |
| `/api/policy/conflicts` | GET, POST (resolve) | `policy:read`, `policy:review` |
| `/api/policy/exports` | GET, POST | `policy:read`, `policy:archive` |
---
## Execution Order
```
Day 1-2: Phase 1 (Rate Limiting)
└── WEB-POLICY-20-004 ✓ UNBLOCKED
Day 3-5: Phase 2 (Signals Library)
└── Concelier, Scanner, Policy, Signals, Authority ✓ ENABLED
Day 6-9: Phase 3 (Repositories)
└── Persistence layer ✓ COMPLETE
Day 10-12: Phase 4 (Tests)
└── Validation ✓ READY
Day 13-15: Phase 5 (Endpoints)
└── API surface ✓ COMPLETE
```
---
## Files to Create/Modify Summary
### New Files (22 files)
```
src/Policy/StellaOps.Policy.Engine/Options/
└── PolicyEngineRateLimitOptions.cs
src/__Libraries/StellaOps.Signals.Contracts/
├── StellaOps.Signals.Contracts.csproj
├── AGENTS.md
├── Models/SignalEnvelope.cs
├── Models/SignalType.cs
├── Models/ReachabilitySignal.cs
├── Models/EntropySignal.cs
├── Models/ExploitabilitySignal.cs
├── Models/TrustSignal.cs
├── Models/UnknownSymbolSignal.cs
├── Abstractions/ISignalEmitter.cs
├── Abstractions/ISignalConsumer.cs
└── Extensions/ServiceCollectionExtensions.cs
src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Repositories/
├── ISnapshotRepository.cs
├── SnapshotRepository.cs
├── IViolationEventRepository.cs
├── ViolationEventRepository.cs
├── IConflictRepository.cs
├── ConflictRepository.cs
├── ILedgerExportRepository.cs
└── LedgerExportRepository.cs
```
### Files to Modify (5 files)
```
src/Policy/StellaOps.Policy.Engine/Program.cs
src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs
src/Policy/StellaOps.Policy.Engine/Endpoints/RiskSimulationEndpoints.cs
src/Policy/StellaOps.Policy.Engine/Endpoints/PathScopeSimulationEndpoint.cs
etc/policy-engine.yaml.sample
```
---
## Success Criteria
- [ ] Rate limiting returns 429 when quota exceeded
- [ ] Signals library compiles and referenced by 5+ modules
- [ ] All 5 repositories pass CRUD tests
- [ ] Endpoints return proper responses with auth
- [ ] Telemetry metrics visible in dashboards
- [ ] No regression in existing tests
---
## Risk Mitigation
| Risk | Mitigation |
|------|------------|
| Breaking existing endpoints | Feature flag rate limiting |
| Signal library circular deps | Careful namespace isolation |
| Migration failures | Test migrations in isolated DB first |
| Test flakiness | Use deterministic test data |
---
## Next Steps
1. **Start Phase 1** - Implement rate limiting (simplest, immediate impact)
2. **Parallel Phase 2** - Create Signals.Contracts scaffolding
3. **Review** - Get feedback before Phase 3
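Review bot: the 451-line plan is deleted outright with no pointer to where its content moved, and the merge commit message gives none; either name the successor document or leave a redirect stub as the "Redirected Sprint" files elsewhere in this diff do. If the rate-limiting design is carried forward, one defect in the deleted text should not travel with it: `PolicyEngineRateLimitOptions.TenantPartitioning` is declared but never read, and `AddTokenBucketLimiter("policy-simulation", ...)` creates a single bucket shared by every caller, so one tenant can exhaust the simulation quota for all others; per-tenant partitioning needs `options.AddPolicy` with `RateLimitPartition.GetTokenBucketLimiter` keyed on the tenant identity.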

View File

@@ -1,19 +1,15 @@
# Sprint 0111 · Advisory AI Ingestion & Evidence (Phase 110.A)
# Sprint 0111 - Advisory AI - Ingestion & Evidence (Phase 110.A)
## Topic & Scope
- Advance Advisory AI ingestion/evidence docs while keeping upstream Console/CLI/Policy dependencies explicit.
- Maintain Link-Not-Merge alignment for advisory evidence feeding Advisory AI surfaces.
- Wave plan: Wave A (drafting) done; Wave B (publish docs) now unblocked after CLI/Policy/SBOM/DevOps landed; Wave C (packaging) moved to Ops sprint.
- **Working directory:** `src/AdvisoryAI` and `docs` (Advisory AI docs).
## Dependencies & Concurrency
- Depends on Sprint 0100.A (Attestor) staying green.
- Upstream artefacts required: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `SBOM-AIAI-31-001`, `DEVOPS-AIAI-31-001`. `CLI-VULN-29-001` and `CLI-VEX-30-001` landed in Sprint 0205 on 2025-12-06.
- Concurrency: block publishing on missing Console/SBOM/DevOps deliverables; drafting allowed where noted.
## Wave Coordination
- **Wave A (drafting):** Task 3 DONE (AIAI-RAG-31-003); drafting for tasks 1/5 allowed but must stay unpublished.
- **Wave B (publish docs):** Task 5 delivered once CLI/Policy landed (2025-11-25); task 1 still blocked pending Console/SBOM/DevOps inputs before publish.
- **Wave C (packaging):** Task 2 moved to Ops sprint; no work here. Wave B completes sprint once upstreams finish.
- Upstream artefacts landed: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `SBOM-AIAI-31-001`, `DEVOPS-AIAI-31-001`; `CLI-VULN-29-001` and `CLI-VEX-30-001` landed in Sprint 0205 (2025-12-06).
- Concurrency: publishing allowed for docs; packaging remains in Ops sprint; keep SBOM/CLI/DevOps evidence mirrored into Offline Kits.
## Documentation Prerequisites
- docs/README.md
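Review bot: the "Wave Coordination" section is dropped, but the Topic & Scope bullet "Wave plan: Wave A (drafting) done; Wave B ..." still summarises waves that no section defines and repeats what the rewritten Dependencies & Concurrency bullets now say; either keep a one-line wave summary under Dependencies & Concurrency or trim the Topic bullet to the scope statement. The new "Upstream artefacts landed" bullet should also carry the date the Console/SBOM/DevOps items landed, as it does for the CLI ones, since the DONE dates later in the file depend on it.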
@@ -21,43 +17,41 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/advisory-ai/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | AIAI-DOCS-31-001 | BLOCKED (2025-11-22) | Await CLI/Policy artefacts | Advisory AI Docs Guild | Author guardrail + evidence docs with upstream references |
| 1 | AIAI-DOCS-31-001 | DONE (2025-12-09) | Guardrail/evidence doc published with CLI hashes, SBOM smoke, DevOps CI harness references | Advisory AI Docs Guild | Author guardrail + evidence docs with upstream references |
| 2 | AIAI-PACKAGING-31-002 | MOVED to SPRINT_0503_0001_0001_ops_devops_i (2025-11-23) | Track under DEVOPS-AIAI-31-002 in Ops sprint | Advisory AI Release | Package advisory feeds with SBOM pointers + provenance |
| 3 | AIAI-RAG-31-003 | DONE | None | Advisory AI + Concelier | Align RAG evidence payloads with LNM schema |
| 4 | SBOM-AIAI-31-003 | DONE (2025-11-25) | Published at `docs/advisory-ai/sbom-context-hand-off.md` | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants |
| 5 | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | CLI/Policy inputs landed; DEVOPS-AIAI-31-001 rollout still tracked separately | Docs Guild | CLI/policy/ops docs; proceed once upstream artefacts land |
| 3 | AIAI-RAG-31-003 | DONE (2025-11-22) | None | Advisory AI + Concelier | Align RAG evidence payloads with LNM schema |
| 4 | SBOM-AIAI-31-003 | DONE (2025-12-08) | Published at `docs/advisory-ai/sbom-context-hand-off.md`; live `/sbom/context` smoke captured | SBOM Service Guild / Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants |
| 5 | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | CLI/Policy inputs landed; ongoing Ops telemetry tracked separately | Docs Guild | CLI/policy/ops docs; proceed once upstream artefacts land |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Docs | Draft guardrail evidence doc | Docs Guild | 2025-11-18 | BLOCKED (awaiting CLI/Policy artefacts) |
| Docs | Draft guardrail evidence doc | Docs Guild | 2025-11-18 | DONE (2025-12-09) |
| Packaging | Define SBOM/policy bundle for Advisory AI | Release Guild | 2025-11-20 | MOVED to SPRINT_0503_0001_0001_ops_devops_i (DEVOPS-AIAI-31-002) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-09 | Published guardrail/evidence doc (`docs/advisory-ai/guardrails-and-evidence.md`) with CLI hashes, SBOM `/sbom/context` smoke (sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d), and DevOps CI harness references; marked AIAI-DOCS-31-001 DONE; normalized sprint layout. | Docs Guild |
| 2025-12-08 | Implemented `/sbom/context` in `StellaOps.SbomService` (timeline + dependency path aggregation, deterministic hash) with tests, then ran live smoke via `dotnet run --no-build` capturing `sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d` and mirrored offline kit `2025-12-08/`. | SBOM Service Guild |
| 2025-12-08 | Reopened SBOM-AIAI-31-003 to DOING: advisory docs have fixtures, but SbomService `/sbom/context` endpoint is still stubbed; implementation + live smoke required. | Project Mgmt |
| 2025-12-05 | Executed fixture-backed `/sbom/context` smoke (hash `sha256:421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18`), logged evidence at `evidence-locker/sbom-context/2025-12-05-smoke.ndjson`, and mirrored fixtures to `offline-kit/advisory-ai/fixtures/sbom-context/2025-12-05/`; SBOM-AIAI-31-003 marked DONE. | Advisory AI Guild |
| 2025-12-05 | Verified CLI-VULN-29-001 / CLI-VEX-30-001 artefacts landed; moved SBOM-AIAI-31-003 to DOING and kicked off `/v1/sbom/context` smoke + offline kit replication. | Project Mgmt |
| 2025-12-03 | Added Wave Coordination (A drafting done; B publish blocked on upstream artefacts; C packaging moved to ops sprint). No status changes. | Project Mgmt |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-12-02 | Normalized sprint file to standard template; no status changes. | StellaOps Agent |
| 2025-11-23 | Clarified packaging block is release/DevOps-only; dev can draft bundle layout with LNM facts; publish gated on CLI/Policy/SBOM artefacts. | Project Mgmt |
| 2025-11-22 | Began AIAI-DOCS-31-001 and AIAI-RAG-31-003: refreshed guardrail + LNM-aligned RAG docs; awaiting CLI/Policy artefacts before locking outputs. | Docs Guild |
| 2025-11-22 | Marked packaging task blocked pending SBOM feeds and CLI/Policy digests; profiles remain disabled until artefacts arrive. | Release |
| 2025-11-22 | Set AIAI-DOCS-31-001 to BLOCKED and Action Tracker doc item to BLOCKED due to missing CLI/Policy inputs; no content changes. | Implementer |
| 2025-11-23 | Clarified packaging block is release/DevOps-only; dev can draft bundle layout with LNM facts; publish gated on CLI/Policy/SBOM artefacts. | Project Mgmt |
| 2025-12-02 | Normalized sprint file to standard template; no status changes. | StellaOps Agent |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
## Decisions & Risks
- Publishing of docs/packages is gated on upstream Policy/DevOps artefacts; CLI prerequisites and SBOM hand-off smoke landed 2025-12-05, so remaining dependencies are `POLICY-ENGINE-31-001` and `DEVOPS-AIAI-31-001`.
- `/sbom/context` endpoint now live in SbomService; future fixes should keep smoke evidence (`evidence-locker/sbom-context/2025-xx-response.json`) updated when data contracts change.
- Publishing of docs/packages is gated on remaining Console/SBOM/DevOps artefacts; drafting allowed but must remain unpublished until dependencies land.
- CLI-VULN-29-001 and CLI-VEX-30-001 landed (Sprint 0205, 2025-12-06); Policy knobs landed 2025-11-23. Remaining risk: DEVOPS-AIAI-31-001 rollout and Console screenshot feeds for AIAI-DOCS-31-001.
- Guardrail/evidence doc published with CLI hashes, SBOM smoke evidence, and DevOps CI harness references; keep hashes updated when fixtures or `/sbom/context` responses change.
- `/sbom/context` endpoint live in SbomService; future fixes should keep smoke evidence (`evidence-locker/sbom-context/2025-xx-response.json`) updated when data contracts change.
- Packaging of advisory feeds remains in Ops sprint (AIAI-PACKAGING-31-002); track DSSE/Offline Kit metadata there.
- Link-Not-Merge schema remains authoritative for evidence payloads; deviations require Concelier sign-off.
## Next Checkpoints
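Review bot: the Decisions & Risks bullets contradict the tracker in this hunk: one bullet still says publishing of docs/packages is gated on remaining Console/SBOM/DevOps artefacts and drafting "must remain unpublished until dependencies land", while row 1 marks AIAI-DOCS-31-001 DONE (2025-12-09) and the 2025-12-09 log entry records the guardrail doc as published; narrow that bullet to the packaging work that actually stays in the Ops sprint. The Execution Log entries for 2025-11-16, 2025-11-23 and 2025-12-02 appear twice in the hunk, which reads as a reorder, yet the resulting list is still not in reverse-chronological order (2025-11-16 sits between 2025-12-03 and 2025-12-02), so re-sort it; and with two different `/sbom/context` hashes on record (the 2025-12-05 fixture run and the 2025-12-08 live run) the bullet about keeping smoke evidence updated should say which one is the current reference.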

View File

@@ -25,7 +25,6 @@
- `src/Concelier/AGENTS.md` (module charter, testing/guardrail rules)
- `docs/modules/concelier/link-not-merge-schema.md` (LNM schema v1, frozen 2025-11-17)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -23,7 +23,6 @@
- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -23,7 +23,6 @@
- docs/modules/concelier/architecture.md (policy/risk/tenant scope sections)
- docs/dev/raw-linkset-backfill-plan.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -24,7 +24,6 @@
- docs/modules/concelier/architecture.md (airgap, AOC, observability)
- Link-Not-Merge API specs and error envelope guidelines
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -24,7 +24,6 @@
- docs/modules/concelier/architecture.md (connectors, evidence locker integration)
- docs/migration/no-merge.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -1,5 +1,4 @@
# Redirected Sprint
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
This sprint was normalised to `SPRINT_0122_0001_0004_excititor_iv.md`. Do not edit this file; update the canonical sprint instead.

View File

@@ -1,5 +1,4 @@
# Redirected Sprint
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
This sprint was normalised to `SPRINT_0123_0001_0005_excititor_v.md`. Do not edit this file; update the canonical sprint instead.

View File

@@ -1,5 +1,4 @@
# Redirected Sprint
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
This sprint was normalised to `SPRINT_0124_0001_0006_excititor_vi.md`. Do not edit this file; update the canonical sprint instead.

View File

@@ -45,7 +45,6 @@
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/observability/policy.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -26,7 +26,6 @@
- docs/modules/findings-ledger/workflow-inference.md
- src/Findings/StellaOps.Findings.Ledger/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -20,7 +20,6 @@
- `docs/modules/findings-ledger/prep/ledger-attestations-http.md`
- `docs/modules/findings-ledger/prep/ledger-risk-prep.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -15,7 +15,6 @@
- docs/modules/excititor/implementation_plan.md
- Component AGENTS.md under `src/Excititor/**`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -27,7 +27,6 @@
- docs/modules/findings-ledger/workflow-inference.md
- src/Findings/StellaOps.Findings.Ledger/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -16,7 +16,6 @@
- Excititor component `AGENTS.md` (Core, WebService, Worker)
- `docs/ingestion/aggregation-only-contract.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

Some files were not shown because too many files have changed in this diff.