more features checks. setup improvements
This commit is contained in:
master
@@ -0,0 +1,27 @@
|
||||
# Additive Score Explanation Service
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Service that generates human-readable additive risk score breakdowns showing exactly how CVSS base score, reachability bucket, exposure surface type, and auth gate discounts contribute to a finding's total 0-100 risk score, with configurable weights.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Options/`, `src/Signals/StellaOps.Signals/EvidenceWeightedScore/`
|
||||
- **Key Classes**:
|
||||
- `ScoreExplanationService` (`src/Signals/StellaOps.Signals/Services/ScoreExplanationService.cs`) - generates human-readable additive risk score breakdowns
|
||||
- `ScoreExplanationWeights` (`src/Signals/StellaOps.Signals/Options/ScoreExplanationWeights.cs`) - configurable weight parameters for score components
|
||||
- `EvidenceWeightedScoreCalculator` (`src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs`) - calculates evidence-weighted scores combining CVSS, reachability, exploit, mitigation, and trust inputs
|
||||
- `ScoreExplanation` (`src/Signals/StellaOps.Signals/Models/ScoreExplanation.cs`) - model for score breakdown output
|
||||
- **Interfaces**: `IScoreExplanationService`, `IEvidenceWeightedScoreCalculator`
|
||||
- **Source**: SPRINT_3800_0001_0002_score_explanation_service.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Request a score explanation for a finding and verify the breakdown includes CVSS base, reachability, exposure, and auth gate components
|
||||
- [ ] Verify the component contributions sum to the total 0-100 risk score
|
||||
- [ ] Configure custom `ScoreExplanationWeights` and verify the breakdown reflects the new weights
|
||||
- [ ] Verify score explanation for a reachable vs unreachable finding shows different reachability contributions
|
||||
- [ ] Verify the explanation is human-readable and includes descriptive labels for each component
|
||||
@@ -0,0 +1,29 @@
|
||||
# Binary-level call-graph extraction and symbol graph construction
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Call-graph ingestion, normalization, and parsing services exist for processing binary call targets into normalized graph structures.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Parsing/`, `src/Signals/StellaOps.Signals/Models/`
|
||||
- **Key Classes**:
|
||||
- `CallgraphIngestionService` (`src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs`) - ingests call-graph documents and builds symbol graphs
|
||||
- `CallgraphParserResolver` (`src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs`) - resolves language-specific call-graph parsers
|
||||
- `CallgraphDocument` (`src/Signals/StellaOps.Signals/Models/CallgraphDocument.cs`) - root document model for call-graph data
|
||||
- `CallgraphNode` (`src/Signals/StellaOps.Signals/Models/CallgraphNode.cs`) - represents a function/method node in the call graph
|
||||
- `CallgraphEdge` (`src/Signals/StellaOps.Signals/Models/CallgraphEdge.cs`) - represents a call edge between nodes
|
||||
- `CallgraphEntrypoint` (`src/Signals/StellaOps.Signals/Models/CallgraphEntrypoint.cs`) - entry point into the call graph (API endpoint, main method)
|
||||
- **Interfaces**: `ICallgraphIngestionService`, `ICallgraphParserResolver`
|
||||
- **Source**: Feature matrix scan
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Ingest a call-graph document via `CallgraphIngestionService` and verify nodes and edges are stored
|
||||
- [ ] Verify parser resolution: submit call graphs for different languages and confirm the correct parser is selected
|
||||
- [ ] Verify symbol normalization: ingest a binary call graph and confirm symbols are normalized to canonical form
|
||||
- [ ] Verify entry point detection: ingest a call graph with API endpoints and confirm they are identified as entrypoints
|
||||
- [ ] Query the constructed symbol graph and verify call paths from entry to vulnerable function
|
||||
@@ -0,0 +1,27 @@
|
||||
# Nightly Unknowns Decay Batch Worker
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Scheduled background worker that runs nightly to apply exponential confidence decay to unknown/unresolved findings, automatically reducing their priority scores over time based on configurable decay curves and age thresholds.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Options/`
|
||||
- **Key Classes**:
|
||||
- `NightlyDecayWorker` (`src/Signals/StellaOps.Signals/Services/NightlyDecayWorker.cs`) - background service that runs nightly decay processing
|
||||
- `UnknownsDecayService` (`src/Signals/StellaOps.Signals/Services/UnknownsDecayService.cs`) - applies exponential confidence decay to unknown/unresolved findings
|
||||
- `UnknownsDecayOptions` (`src/Signals/StellaOps.Signals/Options/UnknownsDecayOptions.cs`) - configurable decay curves and age thresholds
|
||||
- `UnknownsDecayMetrics` (`src/Signals/StellaOps.Signals/Services/UnknownsDecayMetrics.cs`) - telemetry metrics for decay operations
|
||||
- **Interfaces**: `IUnknownsDecayService`
|
||||
- **Source**: SPRINT_3601_0001_0001_unknowns_decay_algorithm.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Configure `UnknownsDecayOptions` with a decay curve and verify `NightlyDecayWorker` triggers on schedule
|
||||
- [ ] Create unknown findings of varying ages and verify `UnknownsDecayService` reduces scores proportionally to age
|
||||
- [ ] Verify exponential decay: confirm older findings decay faster than newer ones
|
||||
- [ ] Verify age threshold: findings below the threshold are not decayed
|
||||
- [ ] Verify metrics are emitted during decay processing via `UnknownsDecayMetrics`
|
||||
@@ -0,0 +1,28 @@
|
||||
# Relational Call-Graph PostgreSQL Schema
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
PostgreSQL migration scripts define relational tables for call-graph data storage.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/__Libraries/StellaOps.Signals.Persistence/`
|
||||
- **Key Classes**:
|
||||
- `SignalsDbContext` (`src/Signals/__Libraries/StellaOps.Signals.Persistence/EfCore/Context/SignalsDbContext.cs`) - EF Core database context for Signals persistence
|
||||
- **Migrations**:
|
||||
- `001_initial_schema.sql` (`src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/001_initial_schema.sql`) - initial schema with call-graph tables
|
||||
- `002_runtime_agent_schema.sql` (`src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/002_runtime_agent_schema.sql`) - runtime agent tables
|
||||
- `V3102_001__callgraph_relational_tables.sql` (archived) - call-graph relational table definitions (func_nodes, call_edges, cve_func_hits)
|
||||
- **Models**: `FuncNodeDocument`, `CallEdgeDocument`, `CveFuncHitDocument` (`src/Signals/StellaOps.Signals/Models/ReachabilityStore/`)
|
||||
- **Source**: Feature matrix scan
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Run migration scripts and verify all call-graph tables are created (func_nodes, call_edges, cve_func_hits)
|
||||
- [ ] Insert call-graph data via `SignalsDbContext` and verify round-trip persistence
|
||||
- [ ] Verify relational integrity: insert edges referencing func_nodes and confirm foreign key constraints
|
||||
- [ ] Query call paths using relational joins and verify correct path reconstruction
|
||||
- [ ] Verify index performance: query by CVE ID and confirm results return within acceptable latency
|
||||
30
docs/features/checked/signals/runtime-agent-framework.md
Normal file
30
docs/features/checked/signals/runtime-agent-framework.md
Normal file
@@ -0,0 +1,30 @@
|
||||
# Runtime Agent Framework
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Full runtime agent framework with IRuntimeAgent interface, .NET EventPipe agent, CLR method resolution, agent registration, health/heartbeat, runtime method events, and facts ingestion is implemented.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals.RuntimeAgent/`
|
||||
- **Key Classes**:
|
||||
- `RuntimeAgentBase` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeAgentBase.cs`) - abstract base class for runtime agents
|
||||
- `DotNetEventPipeAgent` (`src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs`) - .NET EventPipe-based runtime agent for method-level tracing
|
||||
- `ClrMethodResolver` (`src/Signals/StellaOps.Signals.RuntimeAgent/ClrMethodResolver.cs`) - resolves CLR method tokens to fully qualified method names
|
||||
- `AgentRegistrationService` (`src/Signals/StellaOps.Signals.RuntimeAgent/AgentRegistrationService.cs`) - handles agent registration and health/heartbeat
|
||||
- `RuntimeFactsIngestService` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs`) - ingests runtime method events as reachability facts
|
||||
- `RuntimeAgentController` (`src/Signals/StellaOps.Signals/Api/RuntimeAgentController.cs`) - API controller for agent management
|
||||
- **Interfaces**: `IRuntimeAgent`, `IAgentRegistrationService`, `IRuntimeFactsIngest`
|
||||
- **Source**: Feature matrix scan
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Register a runtime agent via `AgentRegistrationService` and verify it appears in the registry
|
||||
- [ ] Start `DotNetEventPipeAgent` and verify it captures method-level events from a target process
|
||||
- [ ] Verify `ClrMethodResolver` resolves method tokens to fully qualified names
|
||||
- [ ] Verify `RuntimeFactsIngestService` processes runtime events and produces reachability facts
|
||||
- [ ] Verify agent heartbeat: confirm the agent sends periodic health signals
|
||||
- [ ] Manage agents via `RuntimeAgentController` API endpoints
|
||||
@@ -0,0 +1,27 @@
|
||||
# Runtime Node-Hash Evidence in Signals
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Runtime signal schemas extended with node-hash inputs, call-stack digests, and path hashes for deterministic joins with static reachability evidence.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Lattice/`, `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Models/`
|
||||
- **Key Classes**:
|
||||
- `ReachabilityLattice` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`) - lattice-based reachability state combining static and runtime evidence
|
||||
- `ReachabilityLatticeState` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLatticeState.cs`) - state model with node-hash and path-hash inputs
|
||||
- `UncertaintyTier` (`src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs`) - uncertainty tier classification for reachability evidence
|
||||
- `ReachabilityFactDigestCalculator` (`src/Signals/StellaOps.Signals/Services/ReachabilityFactDigestCalculator.cs`) - calculates deterministic digests for reachability facts
|
||||
- `ReachabilityFactDocument` (`src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs`) - document model with node-hash and call-stack digest fields
|
||||
- **Source**: SPRINT_20260112_005_SIGNALS_runtime_nodehash.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Ingest a runtime signal with node-hash evidence and verify `ReachabilityFactDigestCalculator` produces a deterministic digest
|
||||
- [ ] Join runtime evidence with static reachability facts using node-hash and verify the join is correct
|
||||
- [ ] Verify call-stack digest: capture a runtime call stack and confirm the digest matches the expected value
|
||||
- [ ] Verify path hash: compute path hashes for runtime traces and confirm they match static analysis paths
|
||||
- [ ] Verify `ReachabilityLattice` correctly merges runtime and static evidence into a combined reachability state
|
||||
@@ -0,0 +1,28 @@
|
||||
# Runtime Reachability Collection
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Runtime collection via .NET EventPipe agent with method-level tracing and facts ingestion is implemented.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals.RuntimeAgent/`, `src/Signals/StellaOps.Signals/Services/`
|
||||
- **Key Classes**:
|
||||
- `DotNetEventPipeAgent` (`src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs`) - .NET EventPipe agent for method-level runtime tracing
|
||||
- `RuntimeFactsIngestService` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs`) - ingests runtime method events into the signals store
|
||||
- `RuntimeMethodEvent` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeMethodEvent.cs`) - event model for captured runtime method calls
|
||||
- `ReachabilityFactEventBuilder` (`src/Signals/StellaOps.Signals/Services/ReachabilityFactEventBuilder.cs`) - builds reachability fact events from runtime data
|
||||
- `ReachabilityFactCacheDecorator` (`src/Signals/StellaOps.Signals/Services/ReachabilityFactCacheDecorator.cs`) - caching layer for reachability fact lookups
|
||||
- **Interfaces**: `IRuntimeAgent`, `IRuntimeFactsIngest`, `IReachabilityFactRepository`
|
||||
- **Source**: Feature matrix scan
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Start `DotNetEventPipeAgent` against a target .NET process and verify method-level events are captured
|
||||
- [ ] Verify `RuntimeFactsIngestService` processes runtime method events and stores reachability facts
|
||||
- [ ] Verify runtime facts include method names, call stacks, and timestamps
|
||||
- [ ] Verify `ReachabilityFactCacheDecorator` caches frequently queried facts
|
||||
- [ ] Verify runtime facts are correlated with static call-graph data to produce combined reachability evidence
|
||||
@@ -0,0 +1,27 @@
|
||||
# SBOM-to-symbol component reachability mapping
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
SBOM correlation and function-level proof linking services map symbols to SBOM components and generate reachability facts.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`
|
||||
- **Key Classes**:
|
||||
- `SbomCorrelationService` (`src/Signals/StellaOps.Signals/Services/ISbomCorrelationService.cs`) - correlates call-graph symbols with SBOM component identifiers
|
||||
- `FuncProofLinkingService` (`src/Signals/StellaOps.Signals/Services/IFuncProofLinkingService.cs`) - links function-level evidence to SBOM components for reachability proof
|
||||
- `HotSymbolsController` (`src/Signals/StellaOps.Signals/Api/HotSymbolsController.cs`) - API for querying hot (reachable) symbols mapped to SBOM components
|
||||
- `HotSymbolIndex` (`src/Signals/StellaOps.Signals/Models/HotSymbolIndex.cs`) - index of frequently called/reachable symbols
|
||||
- **Interfaces**: `ISbomCorrelationService`, `IFuncProofLinkingService`
|
||||
- **Source**: Feature matrix scan
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Ingest a call graph and an SBOM, then verify `SbomCorrelationService` maps symbols to their SBOM components
|
||||
- [ ] Verify `FuncProofLinkingService` generates function-level reachability proof linking symbols to components
|
||||
- [ ] Query hot symbols via `HotSymbolsController` and verify reachable symbols are returned with their SBOM component references
|
||||
- [ ] Verify mapping accuracy: submit a known symbol and confirm it maps to the correct SBOM package
|
||||
- [ ] Verify unmapped symbols are flagged as unknown components
|
||||
@@ -0,0 +1,26 @@
|
||||
# SCM/CI Webhook Connector Service (Signals Module)
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Complete SCM/CI webhook connector subsystem in the Signals module with provider-specific webhook signature validators (GitHub HMAC-SHA256, GitLab token, Gitea HMAC), event mappers normalizing repo/pipeline/artifact events into NormalizedScmEvent, and trigger service dispatching scan/SBOM triggers to Orchestrator. Supports GitHub, GitLab, and Gitea with extensible IWebhookSignatureValidator and IScmEventMapper interfaces.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Scm/`
|
||||
- **Key Classes**:
|
||||
- `ScmWebhookService` (`src/Signals/StellaOps.Signals/Scm/Services/ScmWebhookService.cs`) - processes incoming webhooks, validates signatures, maps events, and dispatches triggers
|
||||
- `ScmWebhookEndpoints` (`src/Signals/StellaOps.Signals/Scm/ScmWebhookEndpoints.cs`) - minimal API endpoints for receiving webhook payloads
|
||||
- `GiteaWebhookValidator` (`src/Signals/StellaOps.Signals/Scm/Webhooks/GiteaWebhookValidator.cs`) - Gitea HMAC webhook signature validator
|
||||
- **Interfaces**: `IScmWebhookService`, `IWebhookSignatureValidator` (`src/Signals/StellaOps.Signals/Scm/Webhooks/IWebhookSignatureValidator.cs`), `IScmEventMapper` (`src/Signals/StellaOps.Signals/Scm/Webhooks/IScmEventMapper.cs`)
|
||||
- **Source**: SPRINT_20251229_013_SIGNALS_scm_ci_connectors.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Send a GitHub webhook with valid HMAC-SHA256 signature and verify it is accepted and processed
|
||||
- [ ] Send a Gitea webhook with valid HMAC signature via `GiteaWebhookValidator` and verify validation
|
||||
- [ ] Send a webhook with invalid signature and verify it is rejected
|
||||
- [ ] Verify event normalization: send provider-specific push/PR events and confirm they are mapped to `NormalizedScmEvent`
|
||||
- [ ] Verify trigger dispatch: send a push event and confirm a scan trigger is dispatched to the Orchestrator
|
||||
@@ -0,0 +1,33 @@
|
||||
# Signal State Attachment for CVE Observations (Feedser/VexLens/Graph/Findings Integration)
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Backend integration wiring the Determinization subsystem: Feedser attaches SignalState<EpssEvidence> with query status, VexLens emits SignalUpdatedEvent on VEX changes, Graph nodes carry ObservationState/UncertaintyScore/GuardRails, and Findings persists observation lifecycle with state transitions.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Models/`, `src/Signals/StellaOps.Signals/Lattice/`
|
||||
- **Key Classes**:
|
||||
- `ReachabilityFactDocument` (`src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs`) - document carrying observation state and signal attachments
|
||||
- `ReachabilityFactUpdatedEvent` (`src/Signals/StellaOps.Signals/Models/ReachabilityFactUpdatedEvent.cs`) - event emitted when reachability facts change
|
||||
- `RuntimeUpdatedEventFactory` (`src/Signals/StellaOps.Signals/Models/RuntimeUpdatedEvent.cs`) - factory for runtime update events propagated to downstream modules
|
||||
- `UncertaintyDocument` (`src/Signals/StellaOps.Signals/Models/UncertaintyDocument.cs`) - document model for uncertainty scores attached to observations
|
||||
- `ReachabilityLattice` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`) - lattice-based state merge for observation evidence
|
||||
- **Source**: SPRINT_20260106_001_004_BE_determinization_integration.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Attach a signal state to a CVE observation and verify the state is persisted with the finding
|
||||
- [ ] Emit a `ReachabilityFactUpdatedEvent` and verify downstream modules (VexLens, Graph) receive the update
|
||||
- [ ] Verify observation state transitions: update a finding's signal state and confirm the lifecycle is tracked
|
||||
- [ ] Verify uncertainty score attachment: assign an uncertainty score to an observation and confirm it propagates to graph nodes
|
||||
- [ ] Verify guard rails: attach guard rail metadata and confirm it constrains observation scoring
|
||||
|
||||
## Verification
|
||||
- **Run ID**: run-001
|
||||
- **Date**: 2026-02-12
|
||||
- **Result**: PASS (Tier 0 + Tier 1 + Tier 2d)
|
||||
- **Tests**: RuntimeUpdatedEventTests (12 tests) + ReachabilityLatticeTests (7 tests) + ReachabilityScoringServiceTests (3 tests covering lattice state, uncertainty, guard rails)
|
||||
@@ -0,0 +1,35 @@
|
||||
# Signals Callgraph Ingestion with Content-Addressed Storage
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Callgraph normalization pipeline accepting Java/Node/Python/Go call-graph formats, normalizing to canonical symbol representation, and storing with content-addressed identifiers for deterministic replay.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Parsing/`, `src/Signals/StellaOps.Signals/Models/`
|
||||
- **Key Classes**:
|
||||
- `CallgraphIngestionService` (`src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs`) - ingests call graphs from multiple language formats and normalizes to canonical representation
|
||||
- `CallgraphParserResolver` (`src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs`) - resolves language-specific parsers (Java, Node, Python, Go)
|
||||
- `CallgraphIngestRequest` (`src/Signals/StellaOps.Signals/Models/CallgraphIngestRequest.cs`) - ingest request model
|
||||
- `CallgraphIngestResponse` (`src/Signals/StellaOps.Signals/Models/CallgraphIngestResponse.cs`) - ingest response with content-addressed IDs
|
||||
- `CallgraphManifest` (`src/Signals/StellaOps.Signals/Models/CallgraphManifest.cs`) - manifest tracking ingested call-graph documents
|
||||
- `CallgraphSchemaVersions` (`src/Signals/StellaOps.Signals/Models/CallgraphSchemaVersions.cs`) - schema version constants for call-graph formats
|
||||
- **Interfaces**: `ICallgraphIngestionService`, `ICallgraphParserResolver`
|
||||
- **Source**: SPRINT_0143_0001_0001_signals.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Ingest a Java call graph and verify it is normalized to canonical symbol representation
|
||||
- [ ] Ingest call graphs for Node, Python, and Go and verify language-specific parsing
|
||||
- [ ] Verify content-addressed storage: ingest the same call graph twice and confirm the same content ID is returned
|
||||
- [ ] Verify deterministic replay: retrieve a stored call graph by content ID and confirm it matches the original
|
||||
- [ ] Verify schema version handling: ingest call graphs with different schema versions
|
||||
|
||||
## Verification
|
||||
- **Run ID**: run-001
|
||||
- **Date**: 2026-02-12
|
||||
- **Result**: PASS (Tier 0 + Tier 1 + Tier 2d)
|
||||
- **Tests**: CallgraphIngestionServiceTests (1 test) - ingestion, normalization, CAS storage, graph hash, manifest
|
||||
@@ -0,0 +1,34 @@
|
||||
# Signals Reachability Scoring Service
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Reachability scoring service that computes evidence-weighted scores from callgraph facts, runtime observations, and AOC provenance data, with lattice-based merge logic and unified score facade.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/EvidenceWeightedScore/`, `src/Signals/StellaOps.Signals/Lattice/`
|
||||
- **Key Classes**:
|
||||
- `ReachabilityScoringService` (`src/Signals/StellaOps.Signals/Services/ReachabilityScoringService.cs`) - computes evidence-weighted reachability scores from multiple evidence types
|
||||
- `EvidenceWeightedScoreCalculator` (`src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs`) - calculates scores combining reachability, exploit, backport, runtime, mitigation, and source trust inputs
|
||||
- `ReachabilityLattice` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`) - lattice-based merge logic for combining evidence sources
|
||||
- `NormalizerAggregator` (`src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/NormalizerAggregator.cs`) - aggregates normalized evidence inputs
|
||||
- `AocProvenance` (`src/Signals/StellaOps.Signals/Models/AocProvenance.cs`) - attestation of compliance provenance data model
|
||||
- **Interfaces**: `IReachabilityScoringService`, `IEvidenceWeightedScoreCalculator`, `INormalizerAggregator`, `IEvidenceNormalizer`
|
||||
- **Source**: SPRINT_0143_0001_0001_signals.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Score a finding with callgraph evidence and verify `ReachabilityScoringService` produces a score reflecting reachability
|
||||
- [ ] Score a finding with runtime observations and verify the score reflects confirmed runtime activity
|
||||
- [ ] Verify lattice merge: provide conflicting evidence sources and confirm `ReachabilityLattice` resolves to the correct state
|
||||
- [ ] Verify evidence weight configuration: adjust weights via `EvidenceWeightPolicy` and confirm scores change accordingly
|
||||
- [ ] Verify score facade: query a unified score combining all evidence types and confirm the aggregated result
|
||||
|
||||
## Verification
|
||||
- **Run ID**: run-001
|
||||
- **Date**: 2026-02-12
|
||||
- **Result**: PASS (Tier 0 + Tier 1 + Tier 2d)
|
||||
- **Tests**: ReachabilityScoringServiceTests (3 tests) - gate multipliers, configured weights with runtime, uncertainty risk score
|
||||
35
docs/features/checked/signals/signals-router-transport.md
Normal file
35
docs/features/checked/signals/signals-router-transport.md
Normal file
@@ -0,0 +1,35 @@
|
||||
# Signals Router Transport
|
||||
|
||||
## Module
|
||||
Signals
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Event routing transport layer for signals enabling alternative message delivery paths beyond Redis, supporting pluggable transport backends for fact propagation.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Options/`
|
||||
- **Key Classes**:
|
||||
- `RouterEventsPublisher` (`src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs`) - routes signal events via configurable transport backend
|
||||
- `RedisEventsPublisher` (`src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs`) - Redis-based transport for signal event delivery
|
||||
- `MessagingEventsPublisher` (`src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs`) - messaging-based transport backend
|
||||
- `InMemoryEventsPublisher` (`src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs`) - in-memory transport for testing
|
||||
- `NullEventsPublisher` (`src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs`) - no-op transport for disabled routing
|
||||
- `SignalsRouterEventsOptions` (`src/Signals/StellaOps.Signals/Options/SignalsRouterEventsOptions.cs`) - configuration for router transport selection
|
||||
- **Interfaces**: `IEventsPublisher` (`src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs`)
|
||||
- **Source**: SPRINT_0143_0001_0001_signals.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Configure `RouterEventsPublisher` with Redis transport and verify signal events are delivered
|
||||
- [ ] Switch transport to `MessagingEventsPublisher` and verify events are delivered via messaging backend
|
||||
- [ ] Verify `InMemoryEventsPublisher` captures events in memory for test assertions
|
||||
- [ ] Publish a reachability fact update and verify it is routed to subscribers via the configured transport
|
||||
- [ ] Verify transport selection via `SignalsRouterEventsOptions` configuration
|
||||
|
||||
## Verification
|
||||
- **Run ID**: run-001
|
||||
- **Date**: 2026-02-12
|
||||
- **Result**: PASS (Tier 0 + Tier 1 + Tier 2d)
|
||||
- **Tests**: RouterEventsPublisherTests (2 tests) + InMemoryEventsPublisherTests (1 test) - HTTP envelope, headers, error handling, structured events
|
||||
@@ -0,0 +1,48 @@
|
||||
# Unified Score Facade Service (combining EWS + Determinization)
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
The advisory proposed a unified facade service (TSF-002) combining EWS scores and Determinization entropy into a single API. This was marked TODO in the sprint and has not been implemented yet.
|
||||
|
||||
## Why Marked as Dropped (Correction)
|
||||
**FINDING: The Unified Score service IS implemented in the Signals module.** The following exist:
|
||||
- `src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreService.cs` -- the unified scoring facade service
|
||||
- `src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreModels.cs` -- unified score data models
|
||||
- `src/Signals/StellaOps.Signals/UnifiedScore/Replay/ReplayLogBuilder.cs` -- replay log support for unified scores
|
||||
- Tests:
|
||||
- `src/Signals/__Tests/StellaOps.Signals.Tests/UnifiedScore/UnifiedScoreServiceTests.cs`
|
||||
- `src/Signals/__Tests/StellaOps.Signals.Tests/UnifiedScore/UnifiedScoreDeterminismTests.cs` -- determinism verification
|
||||
- Platform integration: `src/Platform/StellaOps.Platform.WebService/Services/ScoreEvaluationService.cs` -- platform-level score evaluation
|
||||
- Web UI integration:
|
||||
- `src/Web/StellaOps.Web/src/app/core/api/scoring.models.ts` -- frontend scoring models
|
||||
- `src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.ts` -- score breakdown UI
|
||||
- `src/Web/StellaOps.Web/src/app/shared/components/score/unknowns-tooltip.component.ts` -- unknowns tooltip
|
||||
|
||||
## Implementation Details
|
||||
- Unified score service: `src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreService.cs`
|
||||
- Models: `src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreModels.cs`
|
||||
- Replay support: `src/Signals/StellaOps.Signals/UnifiedScore/Replay/ReplayLogBuilder.cs`
|
||||
- Platform evaluation: `src/Platform/StellaOps.Platform.WebService/Services/ScoreEvaluationService.cs`
|
||||
- Registered in: `src/Platform/StellaOps.Platform.WebService/Program.cs`
|
||||
|
||||
## E2E Test Plan
|
||||
- Verify unified score combines EWS and determinization inputs correctly
|
||||
- Test determinism (same inputs produce same scores)
|
||||
- Validate replay log captures all scoring inputs
|
||||
- Test score breakdown popover displays correctly in Web UI
|
||||
|
||||
## Source
|
||||
- Feature matrix scan
|
||||
|
||||
## Notes
|
||||
- Module: Policy
|
||||
- Modules referenced: `src/Signals/StellaOps.Signals/UnifiedScore/`, `src/Platform/`
|
||||
- **Status should be reclassified from NOT_FOUND to IMPLEMENTED**
|
||||
|
||||
## Verification
|
||||
- **Run ID**: run-001
|
||||
- **Date**: 2026-02-12
|
||||
- **Result**: PASS (Tier 0 + Tier 1 + Tier 2d)
|
||||
- **Tests**: UnifiedScoreServiceTests (16 tests) + UnifiedScoreDeterminismTests (14 tests) - score computation, entropy/band mapping, conflict detection, delta-if-present, EWS passthrough, 100-iteration determinism, parallel determinism, golden fixtures
|
||||
Reference in New Issue
Block a user