stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-12 21:02:43 +02:00
parent 5bca406787
commit 9911b7d73c
593 changed files with 174390 additions and 1376 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/implplan/SPRINT_20260211_033_BinaryIndex_unchecked_feature_verification_continuation.md
View File

@@ -225,9 +225,24 @@ Completion criteria:
- [x] Tier 2 API verification passes with fresh request/response evidence.
- [x] Feature file moved to `docs/features/checked/binaryindex/` and module state set to terminal `done`.
### QA-BINARYINDEX-VERIFY-034 - Remediate and recheck `vulnerable-code-fingerprint-matching`
Status: DONE
Dependency: none
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Close the FLOW failure loop for `vulnerable-code-fingerprint-matching` by implementing missing fingerprint extraction behavior and restoring claimed curated package coverage.
- Re-run Tier 0/1/2 with fresh run artifacts and promote dossier from `unimplemented` to `checked` only if parity is restored.
Completion criteria:
- [x] `FingerprintExtractor` no longer relies on seed-only synthetic fingerprints and produces deterministic byte-window-derived fingerprint signals.
- [x] Golden CVE fixture coverage includes required high-impact package set (`openssl`, `glibc`, `zlib`, `curl`) with regression checks.
- [x] Fresh `run-002` Tier 0/1/2 artifacts pass and state transitions to terminal `done`.
- [x] Stale unimplemented dossier copy removed after successful promotion to checked.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-034`: remediated `vulnerable-code-fingerprint-matching` by replacing synthetic/stubbed extractor behavior with deterministic byte-window fingerprint extraction, expanded golden CVE package coverage (glibc/zlib/curl), captured fresh `run-002` Tier 0/1/2 passing artifacts, promoted dossier to `docs/features/checked/binaryindex/`, and terminalized state as `done`. | QA/Dev |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-033` for `vulnerable-binaries-database`: added deterministic `InMemoryGoldenSetStore` and `InMemoryResolutionCacheService`, updated WebService DI and resolution error mapping, restored Worker project buildability with `StellaOps.BinaryIndex.Worker.csproj`, produced fresh `run-002` Tier 0/1/2 artifacts, and terminalized feature as `done` in checked dossiers. | QA/Dev |
| 2026-02-12 | Claimed `symbol-source-connectors` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-032` to DOING as the next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-031`: `symbol-change-tracking-in-binary-diffs` run-001 reached terminal `not_implemented` after Tier 1 parity review confirmed `IrDiffGenerator` placeholder behavior and missing IR-diff behavioral test coverage despite passing Tier 0/1/2 command executions. | QA |
@@ -280,13 +295,16 @@ Completion criteria:
- Decision: Terminalized `symbol-change-tracking-in-binary-diffs` as `not_implemented`; core symbol change tracing is present, but IR diff generation remains placeholder-backed and does not satisfy the dossier's semantic IR-diff claim.
- Decision: For `vulnerable-binaries-database`, WebService now wires deterministic runtime fallbacks for GoldenSet storage and resolution caching (`InMemoryGoldenSetStore`, `InMemoryResolutionCacheService`) so Tier 2 API checks remain operational in offline/dev runs when Redis/Postgres are unavailable.
- Decision: Added `src/BinaryIndex/StellaOps.BinaryIndex.Worker/StellaOps.BinaryIndex.Worker.csproj` and aligned `ReproducibleBuildJob` with current Builders contracts to restore buildability of documented Worker path.
- Decision: For `vulnerable-code-fingerprint-matching`, `FingerprintExtractor` now performs deterministic byte-window fingerprint derivation (basic-block/CFG/string refs/constants/call-targets) and the curated golden fixture now includes `openssl`, `glibc`, `zlib`, and `curl` package coverage required by the feature contract.
- Risk: Concurrent agents may claim the same BinaryIndex feature and produce conflicting run artifacts.
- Risk: `IrDiffGenerator` still emits placeholder IR-diff payloads, so the documented semantic IR-diff capability remains partially implemented.
- Risk: `local-mirror-layer-for-corpus-sources` dossier currently overstates offline mirror readiness; Alpine/RPM package-source implementations and connector-level offline cache behavior remain incomplete.
- Mitigation: Record ownership claim in state before Tier 0 and terminalize collisions per FLOW 0.1.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/delta-signature-matching-and-patch-coverage-analysis/run-002/` and `docs/features/unimplemented/binaryindex/delta-signature-matching-and-patch-coverage-analysis.md`.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-binaries-database/run-002/` and `docs/features/checked/binaryindex/vulnerable-binaries-database.md`.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-code-fingerprint-matching/run-002/` and `docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md`.
- Docs sync: updated `docs/modules/binary-index/architecture.md` with startup fallback behavior for patch-coverage routes and Tier-B catalog identity dimensions (Build-ID/binary key/file SHA256).
- Docs sync: updated `docs/modules/binary-index/architecture.md` Tier C contract notes with deterministic byte-window fingerprint extraction behavior and curated package-coverage requirement.
## Next Checkpoints
- Verify one BinaryIndex queued feature to terminal state with full Tier 0/1/2 artifacts.

185
docs/implplan/SPRINT_20260212_001_FE_web_unchecked_feature_verification.md Normal file
View File

@@ -0,0 +1,185 @@
# Sprint 20260212_001_FE — Web Unchecked Feature Verification
## Topic & Scope
- Verify 9 remaining unchecked web features through FLOW pipeline (Tier 0/1/2).
- Batch 1 (features 15): Playwright UI verification (Tier 2c).
- Batch 2 (features 69): Service/integration verification (Tier 2d).
- Working directory: `src/Web/StellaOps.Web/`
- Cross-module writes allowed: `docs/qa/feature-checks/`, `docs/features/`
- Expected evidence: tier0/tier1/tier2 JSON artifacts per feature, Playwright spec files.
## Dependencies & Concurrency
- No upstream sprint dependencies.
- All 59 previously-checked web features remain `done`.
- No collision with scanner `byos-ingestion-workflow` (owned by Codex QA).
## Documentation Prerequisites
- Feature markdown files in `docs/features/unchecked/web/` (9 files).
- Existing test patterns in `tests/e2e/` (smoke, quiet-triage, auth specs).
- State ledger: `docs/qa/feature-checks/state/web.json`.
## Delivery Tracker
### WEB-FEAT-001 - Verify witness-drawer feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `shared/overlays/witness-drawer/` source exists with non-trivial component.
- Tier 1: Build + code review.
- Tier 2c: Write Playwright spec `tests/e2e/witness-drawer.spec.ts` — drawer open/close, evidence timeline, metadata expand, copy hash, backdrop close, Escape close.
- Generate tier artifacts under `docs/qa/feature-checks/runs/web/witness-drawer/run-001/`.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes with component included
- [x] Playwright spec passes
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-002 - Verify witness-viewer-ui feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `shared/ui/witness-viewer/` source exists.
- Tier 1: Build + code review.
- Tier 2c: Write Playwright spec `tests/e2e/witness-viewer.spec.ts` — evidence loading, signature display, raw toggle, copy/download actions.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes with component included
- [x] Playwright spec passes
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-003 - Verify workflow-visualization-with-time-travel-controls feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `features/workflow-visualization/` source exists with routes, components, services.
- Tier 1: Build + code review.
- Tier 2c: Write Playwright spec `tests/e2e/workflow-time-travel.spec.ts` — DAG render, time-travel controls (step forward/backward), step-detail panel, layout switching.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes with component included
- [x] Playwright spec passes
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-004 - Verify web-gateway-graph-platform-client feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `features/graph/` source exists with canvas, explorer, filters, overlays, side-panels.
- Tier 1: Build + code review.
- Tier 2c: Write Playwright spec `tests/e2e/graph-platform-client.spec.ts` — explorer renders, node selection, filter controls, export actions.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes with component included
- [x] Playwright spec passes
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-005 - Verify why-safe-evidence-explanation-panel feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `features/triage/` evidence panel components exist (evidence-panel/, confidence-meter, attestation-chain, etc.).
- Tier 1: Build + code review.
- Tier 2c: Write Playwright spec `tests/e2e/why-safe-panel.spec.ts` — evidence panel tabs, confidence meter, attestation chain, evidence pill status.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes with component included
- [x] Playwright spec passes
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-006 - Verify web-gateway-observability-surfaces feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `core/telemetry/` service files exist (telemetry-sampler, ttfs-telemetry).
- Tier 1: Build + code review.
- Tier 2d: Integration check — verify services have non-trivial implementations with correct DI patterns.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes
- [x] Code review confirms non-trivial implementation
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-007 - Verify web-gateway-openapi-discovery feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `core/api/` service files (gateway-metrics, policy-interop, reachability-integration, vuln-export-orchestrator).
- Tier 1: Build + code review.
- Tier 2d: Integration check — verify services implement OpenAPI discovery, ETag, deprecation, idempotency patterns.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes
- [x] Code review confirms non-trivial implementation
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-008 - Verify web-gateway-signals-and-reachability-proxy feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `core/api/signals.client.ts`, `reachability-integration.service.ts`.
- Tier 1: Build + code review.
- Tier 2d: Integration check — verify call-graph query, reachability lookup, fact retrieval APIs.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes
- [x] Code review confirms non-trivial implementation
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
### WEB-FEAT-009 - Verify web-gateway-vex-consensus-proxy feature
Status: DONE
Dependency: none
Owners: QA / Test Automation
Task description:
- Tier 0: Verify `core/api/console-vex.client.ts` and related models.
- Tier 1: Build + code review.
- Tier 2d: Integration check — verify VEX consensus queries, trust scoring, tenant scoping.
Completion criteria:
- [x] Source files verified on disk
- [x] Build passes
- [x] Code review confirms non-trivial implementation
- [x] Tier artifacts produced
- [x] State ledger updated to `done`, feature moved to `checked/`
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Sprint created. 9 unchecked web features queued for verification. | QA |
| 2026-02-12 | Preflight: Angular build passes (exit 0). State ledger updated with 9 queued features. | QA |
| 2026-02-12 | Tier 0: Source files verified for all 9 features. tier0-source-check.json artifacts created. | QA |
| 2026-02-12 | Tier 1: Build check + code review completed for all 9 features. tier1 artifacts created. | QA |
| 2026-02-12 | Tier 2c (Batch 1): 5 Playwright specs written and run. 25/25 tests pass after 4 fix iterations. | QA |
| 2026-02-12 | Tier 2d (Batch 2): 4 integration checks completed. DI, service interfaces, API contracts verified. | QA |
| 2026-02-12 | All 9 features transitioned to `done`. Feature files moved to `checked/`. Sprint complete. | QA |
## Decisions & Risks
- All 9 features have status IMPLEMENTED in their markdown. Source code verified present.
- Playwright specs use established patterns: `__stellaopsTestSession`, `config.json` mock, authority blocking.
- Batch 2 features (69) share overlapping service files; code review may find common-root pass/fail.
## Next Checkpoints
- All 9 features verified and moved to `checked/` with tier evidence.

110
docs/implplan/SPRINT_20260212_002_Scanner_unchecked_feature_verification_batch1.md
View File

@@ -91,9 +91,109 @@ Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
- [x] Feature file moved to `docs/features/checked/scanner/` with `VERIFIED` status and fresh verification notes.
### QA-SCANNER-VERIFY-008 - Verify `binary-intelligence-engine`
Status: DONE
Dependency: QA-SCANNER-VERIFY-007
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Re-verify `binary-intelligence-engine` after implementation remediation, ensuring entry-trace graph contract enrichment, worker execution wiring, serializer round-trip, and endpoint payload behavior are all covered by deterministic Tier 1/Tier 2 evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed with passing run artifacts under `docs/qa/feature-checks/runs/scanner/binary-intelligence-engine/run-002/`.
- [x] Feature dossier promoted from `docs/features/unimplemented/scanner/` to `docs/features/checked/scanner/` with `VERIFIED` status.
### QA-SCANNER-VERIFY-009 - Verify `binary-sbom-and-build-id-to-purl-mapping`
Status: DONE
Dependency: QA-SCANNER-VERIFY-008
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Re-verify `binary-sbom-and-build-id-to-purl-mapping` against FLOW Tier 0/1/2 and close the previously triaged runtime wiring gaps for patch verification invocation, Build-ID lookup integration, and unified binary finding mapping in worker execution.
Completion criteria:
- [x] Runtime wiring gaps are implemented in production worker paths with deterministic tests.
- [x] `run-002` Tier 0/1/2 artifacts pass, including semantic code-review checks.
- [x] Feature dossier promoted to `docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md`.
### QA-SCANNER-VERIFY-010 - Verify `bug-id-to-cve-mapping-in-changelog-parsing`
Status: DONE
Dependency: QA-SCANNER-VERIFY-009
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Verify the feature contract for changelog bug-reference extraction (`Closes: #...`, `RHBZ#...`, `LP: #...`) and bug-to-CVE correlation evidence in Scanner OS analyzer outputs.
- If runtime extraction or mapping behavior is missing, implement deterministic parsing and metadata emission, add focused tests, and re-run Tier 0/1/2 before advancing.
Completion criteria:
- [x] Tier 0/1/2 verification completed with fresh run artifacts under `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`.
- [x] Feature dossier moved to `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md` with `VERIFIED` status.
### QA-SCANNER-VERIFY-011 - Verify `build-provenance-verification-module-with-slsa-level-evaluator`
Status: DONE
Dependency: QA-SCANNER-VERIFY-010
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `build-provenance-verification-module-with-slsa-level-evaluator` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-012 - Verify `bun-call-graph-extractor`
Status: DONE
Dependency: QA-SCANNER-VERIFY-011
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `bun-call-graph-extractor` against source, build/tests, and user-surface behavioral evidence.
- If Bun-specific extraction, entrypoint classification, or sink matching behavior is incomplete in runtime call graph outputs, implement deterministic fixes and re-run Tier 0/1/2 before moving on.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-013 - Verify `bun-language-analyzer`
Status: DONE
Dependency: QA-SCANNER-VERIFY-012
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `bun-language-analyzer` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-014 - Verify `byos-ingestion-workflow`
Status: DONE
Dependency: QA-SCANNER-VERIFY-013
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `byos-ingestion-workflow` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-015 - Verify `canonical-node-hash-and-path-hash-recipes-for-reachability`
Status: DOING
Dependency: QA-SCANNER-VERIFY-014
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `canonical-node-hash-and-path-hash-recipes-for-reachability` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal decision recorded.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Claimed `canonical-node-hash-and-path-hash-recipes-for-reachability` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-015` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-014`: implemented BYOS ingestion parity fix by aligning `PostgresArtifactBomRepository` schema contract with `scanner` migration bindings, added focused BYOS endpoint behavioral tests, and passed Tier 0/1/2 API verification in `run-001`; dossier promoted to `docs/features/checked/scanner/byos-ingestion-workflow.md`. | QA |
| 2026-02-12 | Claimed `byos-ingestion-workflow` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-014` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-013`: `bun-language-analyzer` run-001 reached terminal `not_implemented`; Tier 0 file checks and Tier 1 builds passed, but Bun deterministic suite failed (`98/115`) and code review/Tier 2 confirmed `bun.lockb` is remediation-only rather than binary parsing support. Dossier moved to `docs/features/unimplemented/scanner/bun-language-analyzer.md`. | QA |
| 2026-02-12 | Claimed `bun-language-analyzer` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-013` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-012`: `bun-call-graph-extractor` run-001 reached terminal `not_implemented`; Tier 0/1 passed with new Bun extractor behavior tests, but semantic parity failed because Bun extractor is not registered in call-graph DI and source-mode extraction does not link entrypoints to sinks via edges. Dossier moved to `docs/features/unimplemented/scanner/bun-call-graph-extractor.md`. | QA |
| 2026-02-12 | Claimed `bun-call-graph-extractor` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-012` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-011`: `build-provenance-verification-module-with-slsa-level-evaluator` run-001 reached terminal `not_implemented`; Tier 0/1 passed with focused BuildProvenance behavior checks, but runtime no-provenance worker-stage contract parity failed and dossier moved to `docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-010`: implemented deterministic changelog bug-reference extraction and bug-to-CVE mapping wiring for RPM/DPKG analyzers (including `.gz` changelog ingestion), added focused OS analyzer tests, captured passing Tier 0/1/2 artifacts in `run-001`, and promoted dossier to `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md`. | QA |
| 2026-02-12 | Claimed `build-provenance-verification-module-with-slsa-level-evaluator` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-011` to DOING. | QA |
| 2026-02-12 | Terminalized this lane for `bug-id-to-cve-mapping-in-changelog-parsing` as `skipped` (`owned_by_other_agent`) after detecting active ownership in sprint/task boards; recorded obstacle artifact in `run-001/obstacle.json` and moved to the next eligible queued feature per FLOW 0.1. | QA |
| 2026-02-12 | Claimed `bug-id-to-cve-mapping-in-changelog-parsing` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-010` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-009`: implemented worker runtime wiring for patch verification orchestration, Build-ID mapping publication, and unified binary finding mapping in `BinaryLookupStageExecutor`; added deterministic worker test coverage and passed `binary-sbom-and-build-id-to-purl-mapping` run-002 Tier 0/1/2 with semantic checks. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-008`: regenerated `binary-intelligence-engine` run-002 evidence with corrected command invocation, validated Tier 1/Tier 2 pass, and promoted dossier to `docs/features/checked/scanner/binary-intelligence-engine.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-007`: implemented deterministic fuzzy recommendation scoring + bulk recommendation APIs for `IBaseImageDetector`, added focused behavioral tests (`BaseImageRecommendationTests`), captured fresh Tier 1/Tier 2 artifacts in `run-001`, and moved dossier to `docs/features/checked/scanner/base-image-detection-and-recommendations.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-006`: implemented missing SmartDiff API wiring (endpoint mapping + DI repositories + scan-scoped candidate/review routes + SARIF VEX embedding), passed targeted SmartDiff/WebService Tier 1/Tier 2 checks in `run-001`, and moved dossier to `docs/features/checked/scanner/`. | QA |
| 2026-02-12 | Claimed `auto-vex-generation-from-smart-diff` as next queued Scanner feature (`run-001`) and moved `QA-SCANNER-VERIFY-006` to DOING. | QA |
@@ -118,6 +218,14 @@ Completion criteria:
- Decision: `api-gateway-boundary-extractor` achieved full Tier 0/1/2 verification in `run-001` and was promoted to `docs/features/checked/scanner/`.
- Decision: `auto-vex-generation-from-smart-diff` required implementation before verification; added Program route/DI wiring for SmartDiff endpoints, scan-scoped VEX candidate/review API compatibility, and SARIF VEX candidate embedding; validated with targeted SmartDiff and WebService API tests (`run-001` artifacts).
- Decision: `base-image-detection-and-recommendations` required implementation updates before verification; added deterministic fuzzy matching tie-break logic, ranked recommendation and bulk recommendation APIs on `IBaseImageDetector`, and `BaseImageMatchEngine` with focused behavioral tests.
- Decision: `binary-intelligence-engine` implementation was re-verified with fresh `run-002` evidence; Tier 1/Tier 2 now pass after entry-trace binary intelligence wiring across worker, serializer/store, and endpoint contract surface.
- Decision: `binary-sbom-and-build-id-to-purl-mapping` moved to `done` after implementing worker-stage runtime wiring for `AddPatchVerification` registration, patch verification execution, Build-ID mapping publication, and binary finding mapper call-path; validated by new worker-stage behavior test and passing `run-002` semantic checks (docs: `docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md`, `docs/modules/scanner/architecture.md`).
- Decision: For `bug-id-to-cve-mapping-in-changelog-parsing`, this lane observed active ownership markers in both sprint/task boards and terminalized as `skipped` (`owned_by_other_agent`) with an obstacle artifact (`run-001/obstacle.json`) to avoid conflicting concurrent edits.
- Decision: `bug-id-to-cve-mapping-in-changelog-parsing` was subsequently completed in this lane with implementation + recheck: added shared changelog regex extraction, RPM/DPKG metadata wiring (`changelogBugRefs`, `changelogBugToCves`), deterministic tests, and passing `run-001` Tier 0/1/2 evidence (docs: `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md`, `docs/modules/scanner/architecture.md`).
- Decision: `build-provenance-verification-module-with-slsa-level-evaluator` was terminalized as `not_implemented`; library-level BuildProvenance analyzers are present and tested, but worker runtime skips no-provenance SBOMs before analyzer invocation, so the documented L0 assignment path is not satisfied (`docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md`).
- Decision: `bun-call-graph-extractor` was terminalized as `not_implemented`; Bun extractor classes exist and pass focused behavior tests, but runtime extractor registration and source-mode edge-linking contract are incomplete (`docs/features/unimplemented/scanner/bun-call-graph-extractor.md`).
- Decision: `bun-language-analyzer` was terminalized as `not_implemented`; runtime explicitly handles `bun.lockb` as unsupported remediation-only input, and deterministic Bun fixture parity is currently failing (`17/115` tests), so binary lockfile parser and stable behavioral contract claims are unmet (`docs/features/unimplemented/scanner/bun-language-analyzer.md`).
- Decision: `byos-ingestion-workflow` reached `done` after fixing BYOS ingestion runtime schema parity (`PostgresArtifactBomRepository` now targets the default `scanner` schema used by artifact BOM migrations/functions) and adding deterministic API behavioral tests for CycloneDX/SPDX upload + retrieval + invalid-format rejection (`docs/features/checked/scanner/byos-ingestion-workflow.md`, `docs/modules/scanner/byos-ingestion.md`).
- Decision: Added missing module-local charter `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/AGENTS.md` before editing manifest contracts.
- Risk: Concurrent lanes may claim the same Scanner feature and create ownership collisions.
- Risk (resolved): prior AGENTS charter blockers for Reachability/SmartDiff/AiMlSecurity test directories were removed by adding module-local charters.
@@ -126,4 +234,4 @@ Completion criteria:
- Mitigation: Record ownership in state notes before Tier 0 and terminalize collisions per FLOW 0.1.
## Next Checkpoints
- Claim and execute the next Scanner queued feature after `base-image-detection-and-recommendations` using global problems-first lock.
- Continue with next Scanner queued feature after `byos-ingestion-workflow` (`canonical-node-hash-and-path-hash-recipes-for-reachability`) using global problems-first lock.

145
docs/implplan/SPRINT_20260212_004_Router_configurable_route_table.md Normal file
View File

@@ -0,0 +1,145 @@
# Sprint 20260212_004 - Router Configurable Route Table
## Topic & Scope
- Add a configurable route table (`StellaOpsRoute[]`) to the Gateway supporting 7 route types: Microservice, ReverseProxy, StaticFiles, StaticFile, WebSocket, NotFoundPage, ServerErrorPage.
- Enable the gateway to serve static content, reverse-proxy to upstream services, handle WebSocket upgrades, and serve custom error pages — all driven by configuration.
- Working directory: `src/Router/`
- Cross-module writes: `docs/modules/router/`, `docs/implplan/`
- Expected evidence: unit tests, integration tests, build passing.
## Dependencies & Concurrency
- No upstream sprint dependencies.
- All route types are independent and can be developed in parallel once the config model and resolver are in place.
## Documentation Prerequisites
- `docs/modules/router/architecture.md` (existing)
- `src/Router/AGENTS.md` (existing)
## Delivery Tracker
### TASK-001 - Route configuration model
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create `StellaOpsRouteType` enum and `StellaOpsRoute` model class in the Router.Gateway library.
- Add `Routes` property to `GatewayOptions`.
- Add route-specific validation rules to `GatewayOptionsValidator`.
Completion criteria:
- [x] `StellaOpsRoute.cs` created in `__Libraries/StellaOps.Router.Gateway/Configuration/`
- [x] `GatewayOptions.Routes` property added
- [x] Validator covers all 7 route types with correct rules
- [x] Builds without errors
### TASK-002 - Route resolution engine
Status: DONE
Dependency: TASK-001
Owners: Developer
Task description:
- Create `StellaOpsRouteResolver` that maps incoming request paths to configured routes.
- First-match-wins ordering. Supports both prefix and regex matching.
- Excludes NotFoundPage and ServerErrorPage from path resolution.
Completion criteria:
- [x] `StellaOpsRouteResolver.cs` created in `Routing/`
- [x] Registered as singleton in DI
- [x] 9 unit tests pass
### TASK-003 - Route dispatch middleware
Status: DONE
Dependency: TASK-002
Owners: Developer
Task description:
- Create `RouteDispatchMiddleware` that dispatches to handlers based on route type.
- Handles: StaticFiles (with SPA fallback), StaticFile, ReverseProxy, WebSocket.
- Falls through to existing microservice pipeline for unmatched or Microservice routes.
Completion criteria:
- [x] `RouteDispatchMiddleware.cs` created in `Middleware/`
- [x] All route type handlers implemented inline
- [x] Builds without errors
### TASK-004 - Error page fallback middleware
Status: DONE
Dependency: TASK-001
Owners: Developer
Task description:
- Create `ErrorPageFallbackMiddleware` that serves custom HTML error pages for 404 and 500 responses.
- Fast-path: skips body wrapping when no error pages are configured.
- Falls back to JSON error responses when page file is missing.
Completion criteria:
- [x] `ErrorPageFallbackMiddleware.cs` created in `Middleware/`
- [x] Fast-path for no-error-page configuration
- [x] Builds without errors
### TASK-005 - Pipeline integration
Status: DONE
Dependency: TASK-003, TASK-004
Owners: Developer
Task description:
- Wire `RouteDispatchMiddleware` and `ErrorPageFallbackMiddleware` into `Program.cs`.
- Register `StellaOpsRouteResolver`, error routes, and `IHttpClientFactory` in DI.
- Add `UseWebSockets()` to pipeline.
Completion criteria:
- [x] Program.cs updated with new middleware
- [x] DI registrations for resolver, error routes, HTTP client factory
- [x] Existing pipeline unaffected
- [x] Builds without errors
### TASK-006 - E2E integration tests
Status: DONE
Dependency: TASK-005
Owners: QA
Task description:
- Create `RouteTableWebApplicationFactory` with in-process upstream server.
- Create `RouteTableIntegrationTests` covering all 7 route types.
- 28 test cases covering StaticFiles, StaticFile, ReverseProxy, WebSocket, error pages, and route resolution.
Completion criteria:
- [x] 28 integration tests pass
- [x] StaticFiles: 8 tests (serve, nested, 404, MIME types, SPA fallback, isolation)
- [x] StaticFile: 3 tests (serve, sub-path rejection, content type)
- [x] ReverseProxy: 7 tests (forward, strip prefix, headers, status codes, injection, regex)
- [x] WebSocket: 4 tests (upgrade, text round-trip, binary, close handshake)
- [x] Microservice: 2 tests (health, metrics still work)
- [x] Route resolution: 2 tests (no match fallback, exact path priority)
- [x] Existing 11 integration tests unaffected
### TASK-007 - Unit tests (resolver + validation)
Status: DONE
Dependency: TASK-001, TASK-002
Owners: QA
Task description:
- Create `StellaOpsRouteResolverTests` with 9 unit tests.
- Add 11 route validation tests to existing `GatewayOptionsValidatorTests`.
Completion criteria:
- [x] 9 resolver tests pass (exact, prefix, regex, first-match, excluded types, case-insensitive, empty)
- [x] 11 validation tests pass (URL validation, path, regex, file path requirements)
- [x] All 224 tests in the project pass
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Sprint created and all tasks implemented. | Developer |
| 2026-02-12 | All 224 tests pass (0 failures). Build succeeds. | QA |
## Decisions & Risks
- Route dispatch middleware is always registered in the pipeline (even when no routes are configured) to support test-time DI overrides. The resolver returns null for no match, which falls through to the existing microservice pipeline.
- Error page fallback middleware has a fast-path that skips response body buffering when no error pages are configured, avoiding performance impact on the default case.
- WebSocket middleware (`UseWebSockets()`) is always registered since it has negligible overhead and simplifies pipeline logic.
- Regex routes forward the full request path to upstream (no prefix stripping), as there is no fixed prefix to strip for regex patterns.
## Next Checkpoints
- Integration with configuration files (appsettings.json) for route definitions.
- Documentation update in `docs/modules/router/architecture.md`.

118
docs/implplan/SPRINT_20260212_005_Router_nginx_replacement_front_door.md Normal file
View File

@@ -0,0 +1,118 @@
# Sprint 20260212-005 - Router Gateway as Single Front Door (nginx Replacement)
## Topic & Scope
- Replace nginx console proxy with the Router Gateway as the single HTTP entry point for the StellaOps platform.
- The Angular SPA, all API reverse proxy routes, and WebSocket proxy are served from the Router Gateway.
- The `web-ui` (nginx) Docker service is replaced by a `console-builder` init container + shared volume.
- Working directory: `src/Router/`, `devops/compose/`, `src/Web/StellaOps.Web/`, `docs/modules/router/`.
- Expected evidence: 224/224 gateway tests pass, architecture docs updated, docker-compose updated.
## Dependencies & Concurrency
- Depends on the configurable route table infrastructure (StellaOpsRoute model, resolver, RouteDispatchMiddleware, ErrorPageFallbackMiddleware) being implemented and QA-verified.
- No upstream sprint dependencies.
## Documentation Prerequisites
- `docs/modules/router/architecture.md` - updated with Front Door section.
## Delivery Tracker
### TASK-001 - Add production route table to appsettings.json
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Added `Gateway:Routes` array to `src/Router/StellaOps.Gateway.WebService/appsettings.json` with 51 entries:
- 48 ReverseProxy routes covering all backend services (platform, authority, scanner, gateway, policyGateway, etc.)
- 1 StaticFiles catch-all route for `/` serving `/app/wwwroot` with SPA fallback
- 1 NotFoundPage route serving `/app/wwwroot/index.html` on 404
- 1 ServerErrorPage route serving `/app/wwwroot/index.html` on 500
- Routes use natural camelCase key names matching `StellaOpsEnvVarPostConfigure` output (e.g., `/excititor` not `/excitor/`, `/findingsLedger` not `/ledger/`).
- Authority OIDC routes (`/connect`, `/.well-known`, `/jwks`) use HTTP (not HTTPS) for internal Docker traffic, eliminating cert verification issues.
Completion criteria:
- [x] Routes array added to appsettings.json
- [x] All services from STELLAOPS_*_URL env vars have corresponding routes
- [x] Authority routes use HTTP for internal traffic
### TASK-002 - Fix RouteDispatchMiddleware to skip system paths
Status: DONE
Dependency: TASK-001
Owners: Developer
Task description:
- `RouteDispatchMiddleware` was intercepting system paths (`/openapi.json`, `/openapi.yaml`, `/.well-known/openapi`) via the catch-all `/` StaticFiles route, preventing OpenAPI endpoints from being reached.
- Added `GatewayRoutes.IsSystemPath()` check at the top of `InvokeAsync()` to bypass route dispatch for system paths.
- This ensures health, metrics, and OpenAPI endpoints always take priority over the configurable route table.
Completion criteria:
- [x] System paths bypass route dispatch
- [x] OpenAPI endpoints work with route table configured
- [x] All 224 gateway tests pass
### TASK-003 - Fix GatewayIntegrationTests for route table compatibility
Status: DONE
Dependency: TASK-001
Owners: Developer
Task description:
- `GatewayWebApplicationFactory` was loading production routes from `appsettings.json`, causing `UnknownRoute_WithNoRegisteredMicroservices_Returns404` to fail (request to `/api/v1/unknown` matched the `/api` ReverseProxy route).
- Added route table override in `GatewayWebApplicationFactory.ConfigureTestServices()` to clear routes (empty StellaOpsRouteResolver and error routes).
Completion criteria:
- [x] GatewayWebApplicationFactory clears route table
- [x] All existing integration tests pass unchanged
### TASK-004 - Update Docker Compose for front door architecture
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Added `console-builder` init container service that copies Angular dist from `stellaops/console:dev` image to shared `console-dist` volume.
- Updated `router-gateway` service: port changed from `127.1.0.2:80` to `127.1.0.1:80` (front door slot), added `console-dist:/app/wwwroot:ro` volume, added `stella-ops.local` network alias, added `depends_on: console-builder: condition: service_completed_successfully`.
- Added `console-dist` named volume to volumes section.
- Replaced `web-ui` nginx service with a comment explaining the migration.
Completion criteria:
- [x] console-builder init container defined
- [x] router-gateway takes over front-door port and alias
- [x] console-dist shared volume added
- [x] web-ui service replaced with comment
### TASK-005 - Update Angular dev proxy configuration
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Updated `src/Web/StellaOps.Web/proxy.conf.json` to use natural camelCase key paths matching the route table.
- Added missing service paths: `/connect`, `/.well-known`, `/jwks`, `/policyEngine`, `/excititor`, `/findingsLedger`, `/vexhub`, `/vexlens`, `/orchestrator`, `/graph`, `/doctor`, `/integrations`, `/replay`, `/exportcenter`.
- Replaced `/api/v1/setup` with broader `/api` prefix.
- Replaced `/policy` with `/policyGateway`.
Completion criteria:
- [x] Dev proxy paths match production route table paths
- [x] All browser-facing services have proxy entries
### TASK-006 - Update Router architecture documentation
Status: DONE
Dependency: TASK-001
Owners: Developer
Task description:
- Added "Front Door (Configurable Route Table)" section to `docs/modules/router/architecture.md`.
- Documents route table model, route types, pipeline order, and Docker architecture.
Completion criteria:
- [x] Architecture doc updated with front door section
- [x] Route table model and pipeline documented
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Sprint created and all tasks executed. 224/224 tests pass. | Developer |
## Decisions & Risks
- **Decision: Use HTTP for internal authority routes.** Instead of configuring `HttpClientHandler.DangerousAcceptAnyServerCertificateValidator`, all authority reverse proxy routes use `http://authority.stella-ops.local` (port 80) within the Docker network. This avoids TLS cert issues without weakening security.
- **Decision: Natural camelCase key paths.** Routes use the key names generated by `StellaOpsEnvVarPostConfigure` (e.g., `/excititor`, `/findingsLedger`) instead of the nginx shorthand paths (e.g., `/excitor/`, `/ledger/`). Angular's `normalizeApiBaseUrls()` already converts absolute URLs to `/${key}` paths, so no `sub_filter` rewriting is needed.
- **Decision: System path bypass.** `RouteDispatchMiddleware` skips paths identified by `GatewayRoutes.IsSystemPath()` to ensure health, metrics, and OpenAPI endpoints always work regardless of route table configuration.
- **Risk: `console-builder` init container depends on `stellaops/console:dev` image having Angular dist at `/usr/share/nginx/html/browser/` or `/usr/share/nginx/html/`.** The `cp` command handles both layouts.
## Next Checkpoints
- Docker Compose `docker compose up -d` smoke test with full stack.
- Browser verification: Angular SPA loads, setup wizard works, API calls proxy correctly.