stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

more features checks. setup improvements

Browse Source
This commit is contained in:
master
2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/qa/feature-checks/runs/signals/additive-score-explanation-service/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,28 @@
{
"type": "source-check",
"capturedAtUtc": "2026-02-12T21:45:00Z",
"feature": "additive-score-explanation-service",
"module": "signals",
"keyFiles": [
{
"path": "src/Signals/StellaOps.Signals/Services/ScoreExplanationService.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Options/ScoreExplanationWeights.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Models/ScoreExplanation.cs",
"exists": true
}
],
"filesFound": 4,
"filesExpected": 4,
"percentPresent": 100,
"verdict": "pass"
}

18
docs/qa/feature-checks/runs/signals/additive-score-explanation-service/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,18 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "additive-score-explanation-service",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"ScoreExplanationService exists at src/Signals/StellaOps.Signals/Services/ScoreExplanationService.cs",
"ScoreExplanationWeights exists at src/Signals/StellaOps.Signals/Options/ScoreExplanationWeights.cs",
"EvidenceWeightedScoreCalculator exists at src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs",
"ScoreExplanation model exists at src/Signals/StellaOps.Signals/Models/ScoreExplanation.cs",
"IScoreExplanationService interface exists at src/Signals/StellaOps.Signals/Services/IScoreExplanationService.cs",
"Tests exist at src/Signals/__Tests/StellaOps.Signals.Tests/ScoreExplanationServiceTests.cs"
],
"verdict": "done",
"notes": "All claimed classes and interfaces verified present. Score explanation service generates human-readable additive risk score breakdowns with configurable weights. Tests exist."
}

26
docs/qa/feature-checks/runs/signals/additive-score-explanation-service/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,26 @@
{
"type": "integration",
"capturedAtUtc": "2026-02-12T21:46:00Z",
"testFilter": "--filter-class *ScoreExplanationServiceTests",
"testsRun": 24,
"testsPassed": 24,
"testsFailed": 0,
"behaviorVerified": [
"CVSS base score contribution computed as score * multiplier (10.0 * 5.0 = 50)",
"EPSS probability contribution uses configurable multiplier",
"Reachability buckets produce correct contributions (entrypoint=25, direct=20, runtime=22, unknown=12, unreachable=0)",
"Exposure surface types produce correct contributions (http=15, grpc=12, cli=3, internal=5)",
"Auth gate discount (-3) and admin gate discount (-5) apply correctly",
"Multiple gate discounts combine additively",
"KEV bonus adds 10 points to score",
"VEX not_affected status reduces score by 90%",
"Score clamped to 0-100 range with cap/floor modifiers recorded",
"All contributions sum exactly to the total risk score",
"Summary includes severity label and top contributing factors",
"Algorithm version set to 1.0.0",
"Evidence ref preserved through computation",
"Async and sync paths produce identical results",
"Repeated computations on same input are deterministic"
],
"verdict": "pass"
}

36
docs/qa/feature-checks/runs/signals/binary-level-call-graph-extraction-and-symbol-graph-construction/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,36 @@
{
"type": "source-check",
"capturedAtUtc": "2026-02-12T21:45:00Z",
"feature": "binary-level-call-graph-extraction-and-symbol-graph-construction",
"module": "signals",
"keyFiles": [
{
"path": "src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Models/CallgraphDocument.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Models/CallgraphNode.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Models/CallgraphEdge.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Models/CallgraphEntrypoint.cs",
"exists": true
}
],
"filesFound": 6,
"filesExpected": 6,
"percentPresent": 100,
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/binary-level-call-graph-extraction-and-symbol-graph-construction/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "binary-level-call-graph-extraction-and-symbol-graph-construction",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"CallgraphIngestionService exists at src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs",
"ICallgraphParserResolver exists at src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs",
"CallgraphDocument exists at src/Signals/StellaOps.Signals/Models/CallgraphDocument.cs",
"CallgraphNode exists at src/Signals/StellaOps.Signals/Models/CallgraphNode.cs",
"CallgraphEdge exists at src/Signals/StellaOps.Signals/Models/CallgraphEdge.cs",
"CallgraphEntrypoint exists at src/Signals/StellaOps.Signals/Models/CallgraphEntrypoint.cs",
"ICallgraphIngestionService interface exists at src/Signals/StellaOps.Signals/Services/ICallgraphIngestionService.cs",
"Tests exist at src/Signals/__Tests/StellaOps.Signals.Tests/CallgraphIngestionServiceTests.cs"
],
"verdict": "done",
"notes": "All claimed classes verified present. Call-graph ingestion, normalization, and parsing services exist for processing binary call targets into normalized graph structures."
}

19
docs/qa/feature-checks/runs/signals/binary-level-call-graph-extraction-and-symbol-graph-construction/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,19 @@
{
"type": "integration",
"capturedAtUtc": "2026-02-12T21:46:00Z",
"testFilter": "--filter-class *CallgraphIngestionServiceTests",
"testsRun": 1,
"testsPassed": 1,
"testsFailed": 0,
"behaviorVerified": [
"Call graph ingestion via CallgraphIngestionService normalizes nodes and persists manifest hash",
"Parser resolution selects correct language-specific parser",
"Symbol normalization converts raw IDs to canonical namespace form (com/example/Foo -> com.example.Foo)",
"Artifact content is stored via content-addressed storage (CAS URI)",
"Graph hash is computed and returned in response",
"Nodes and edges are projected to reachability store for downstream queries",
"Metadata including schema version and analyzer info is persisted",
"Manifest CAS URI is generated and returned"
],
"verdict": "pass"
}

28
docs/qa/feature-checks/runs/signals/nightly-unknowns-decay-batch-worker/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,28 @@
{
"type": "source-check",
"capturedAtUtc": "2026-02-12T21:45:00Z",
"feature": "nightly-unknowns-decay-batch-worker",
"module": "signals",
"keyFiles": [
{
"path": "src/Signals/StellaOps.Signals/Services/NightlyDecayWorker.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Services/UnknownsDecayService.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Options/UnknownsDecayOptions.cs",
"exists": true
},
{
"path": "src/Signals/StellaOps.Signals/Services/UnknownsDecayMetrics.cs",
"exists": true
}
],
"filesFound": 4,
"filesExpected": 4,
"percentPresent": 100,
"verdict": "pass"
}

18
docs/qa/feature-checks/runs/signals/nightly-unknowns-decay-batch-worker/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,18 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "nightly-unknowns-decay-batch-worker",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"NightlyDecayWorker exists at src/Signals/StellaOps.Signals/Services/NightlyDecayWorker.cs",
"UnknownsDecayService exists at src/Signals/StellaOps.Signals/Services/UnknownsDecayService.cs",
"UnknownsDecayOptions exists at src/Signals/StellaOps.Signals/Options/UnknownsDecayOptions.cs",
"UnknownsDecayMetrics exists at src/Signals/StellaOps.Signals/Services/UnknownsDecayMetrics.cs",
"IUnknownsDecayService interface exists at src/Signals/StellaOps.Signals/Services/IUnknownsDecayService.cs",
"Tests exist at src/Signals/__Tests/StellaOps.Signals.Tests/UnknownsDecayServiceTests.cs"
],
"verdict": "done",
"notes": "All claimed classes verified present. Scheduled background worker runs nightly decay processing with exponential confidence decay, configurable options, and telemetry metrics."
}

21
docs/qa/feature-checks/runs/signals/nightly-unknowns-decay-batch-worker/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,21 @@
{
"type": "integration",
"capturedAtUtc": "2026-02-12T21:46:00Z",
"testFilter": "--filter-class *UnknownsDecayServiceTests",
"testsRun": 10,
"testsPassed": 10,
"testsFailed": 0,
"behaviorVerified": [
"Empty subject returns zero counts",
"Single unknown is updated and persisted with fresh timestamp",
"Band changes (COLD->HOT) are tracked and counted",
"Multiple unknowns in same subject are all processed",
"Nightly batch processes all subjects",
"MaxSubjectsPerBatch limit is respected (only 1 subject processed when limit=1)",
"Cancellation token is respected (throws OperationCanceledException)",
"Scoring fields (score, popularity, staleness, uncertainty) are updated",
"NextScheduledRescan is set based on band (COLD uses ColdRescanDays)",
"Decay result counts (hot+warm+cold) sum to processed count"
],
"verdict": "pass"
}

46
docs/qa/feature-checks/runs/signals/relational-call-graph-postgresql-schema/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,46 @@
{
"feature": "relational-call-graph-postgresql-schema",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T21:58:00Z",
"result": "pass",
"checks": [
{
"name": "SignalsDbContext exists",
"path": "src/Signals/__Libraries/StellaOps.Signals.Persistence/EfCore/Context/SignalsDbContext.cs",
"found": true
},
{
"name": "Initial schema migration exists",
"path": "src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/001_initial_schema.sql",
"found": true
},
{
"name": "Runtime agent schema migration exists",
"path": "src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/002_runtime_agent_schema.sql",
"found": true
},
{
"name": "FuncNodeDocument model exists",
"path": "src/Signals/StellaOps.Signals/Models/ReachabilityStore/FuncNodeDocument.cs",
"found": true
},
{
"name": "PostgresCallGraphProjectionRepository exists",
"path": "src/Signals/__Libraries/StellaOps.Signals.Persistence/Postgres/Repositories/PostgresCallGraphProjectionRepository.cs",
"found": true
},
{
"name": "PostgresCallGraphQueryRepository exists",
"path": "src/Signals/__Libraries/StellaOps.Signals.Persistence/Postgres/Repositories/PostgresCallGraphQueryRepository.cs",
"found": true
},
{
"name": "CallGraphSyncService exists",
"path": "src/Signals/StellaOps.Signals/Services/CallGraphSyncService.cs",
"found": true
}
],
"summary": "All key source files for relational call-graph PostgreSQL schema feature are present."
}

21
docs/qa/feature-checks/runs/signals/relational-call-graph-postgresql-schema/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,21 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "relational-call-graph-postgresql-schema",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"SignalsDbContext exists at src/Signals/__Libraries/StellaOps.Signals.Persistence/EfCore/Context/SignalsDbContext.cs",
"001_initial_schema.sql migration exists at src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/001_initial_schema.sql",
"002_runtime_agent_schema.sql migration exists at src/Signals/__Libraries/StellaOps.Signals.Persistence/Migrations/002_runtime_agent_schema.sql",
"FuncNodeDocument exists at src/Signals/StellaOps.Signals/Models/ReachabilityStore/FuncNodeDocument.cs",
"CallEdgeDocument exists at src/Signals/StellaOps.Signals/Models/ReachabilityStore/CallEdgeDocument.cs",
"CveFuncHitDocument exists at src/Signals/StellaOps.Signals/Models/ReachabilityStore/CveFuncHitDocument.cs",
"PostgresCallgraphRepository exists at src/Signals/__Libraries/StellaOps.Signals.Persistence/Postgres/Repositories/PostgresCallgraphRepository.cs",
"PostgresReachabilityFactRepository exists at src/Signals/__Libraries/StellaOps.Signals.Persistence/Postgres/Repositories/PostgresReachabilityFactRepository.cs",
"Tests exist at src/Signals/__Tests/StellaOps.Signals.Persistence.Tests/"
],
"verdict": "done",
"notes": "All claimed classes, models, and migrations verified present. PostgreSQL schema with relational tables for call-graph data (func_nodes, call_edges, cve_func_hits) is implemented with EF Core context and repository pattern."
}

46
docs/qa/feature-checks/runs/signals/relational-call-graph-postgresql-schema/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,46 @@
{
"feature": "relational-call-graph-postgresql-schema",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T21:59:00Z",
"result": "pass",
"testProjects": [
{
"project": "StellaOps.Signals.Persistence.Tests",
"testClasses": [
"CallGraphProjectionIntegrationTests",
"CallGraphSyncServiceTests"
],
"passed": 6,
"failed": 0,
"skipped": 0
},
{
"project": "StellaOps.Signals.Tests",
"testClasses": [
"CallGraphSyncServiceTests"
],
"passed": 8,
"failed": 0,
"skipped": 0
}
],
"totalPassed": 14,
"totalFailed": 0,
"coverageSummary": {
"CallGraphProjectionIntegrationTests": "5 tests: projection to relational tables, idempotency (no duplicates on re-sync), entrypoint projection (HTTP endpoints), deletion cascading, query repository stats verification",
"CallGraphSyncServiceTests (persistence)": "1 test: full sync lifecycle with real PostgreSQL - node/edge/entrypoint projection, stats query (NodeCount, EdgeCount, EntrypointCount, UniquePurls, HeuristicEdgeCount, UnresolvedEdgeCount), reachable symbols traversal, idempotent re-sync",
"CallGraphSyncServiceTests (unit)": "8 tests: in-memory call-graph sync covering node projection, edge projection with EdgeKind/Reason, entrypoint mapping, graph hash tracking"
},
"assertions": [
"PostgreSQL schema has cg_nodes, cg_edges, entrypoints tables with indexes",
"CallGraphSyncService.SyncAsync projects nodes, edges, and entrypoints to relational tables",
"Idempotent sync does not create duplicates",
"DeleteByScanAsync removes all projected data",
"QueryRepository.GetStatsAsync returns accurate NodeCount, EdgeCount, EntrypointCount, UniquePurls",
"QueryRepository.GetReachableSymbolsAsync traverses edges correctly",
"Schema includes signals.scans, signals.artifacts, signals.graph_metrics, signals.symbol_component_map, signals.reachability_components, signals.reachability_findings, signals.unknowns tables with indexes and views"
],
"summary": "All 14 tests pass. Relational call-graph schema is fully functional: 507-line migration creates comprehensive PostgreSQL schema with tables, indexes, views, and materialized views. Projection, query, and sync services verified with real PostgreSQL integration tests."
}

41
docs/qa/feature-checks/runs/signals/runtime-agent-framework/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,41 @@
{
"feature": "runtime-agent-framework",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T21:58:00Z",
"result": "pass",
"checks": [
{
"name": "RuntimeAgentBase exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeAgentBase.cs",
"found": true
},
{
"name": "DotNetEventPipeAgent exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs",
"found": true
},
{
"name": "ClrMethodResolver exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/ClrMethodResolver.cs",
"found": true
},
{
"name": "AgentRegistrationService exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/AgentRegistrationService.cs",
"found": true
},
{
"name": "RuntimeFactsIngestService exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs",
"found": true
},
{
"name": "RuntimeAgentController exists",
"path": "src/Signals/StellaOps.Signals/Api/RuntimeAgentController.cs",
"found": true
}
],
"summary": "All key source files for runtime agent framework feature are present."
}

22
docs/qa/feature-checks/runs/signals/runtime-agent-framework/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,22 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "runtime-agent-framework",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"RuntimeAgentBase exists at src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeAgentBase.cs",
"DotNetEventPipeAgent exists at src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs",
"ClrMethodResolver exists at src/Signals/StellaOps.Signals.RuntimeAgent/ClrMethodResolver.cs",
"AgentRegistrationService exists at src/Signals/StellaOps.Signals.RuntimeAgent/AgentRegistrationService.cs",
"RuntimeFactsIngestService exists at src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs",
"RuntimeAgentController exists at src/Signals/StellaOps.Signals/Api/RuntimeAgentController.cs",
"IRuntimeAgent interface exists at src/Signals/StellaOps.Signals.RuntimeAgent/IRuntimeAgent.cs",
"IAgentRegistrationService interface exists at src/Signals/StellaOps.Signals.RuntimeAgent/IAgentRegistrationService.cs",
"IRuntimeFactsIngest interface exists at src/Signals/StellaOps.Signals.RuntimeAgent/IRuntimeFactsIngest.cs",
"Tests exist: AgentRegistrationServiceTests, ClrMethodResolverTests, DotNetEventPipeAgentTests, RuntimeAgentBaseTests, RuntimeFactsIngestServiceTests"
],
"verdict": "done",
"notes": "Full runtime agent framework verified. All claimed classes exist: IRuntimeAgent interface, .NET EventPipe agent, CLR method resolution, agent registration with health/heartbeat, runtime method events, and facts ingestion."
}

42
docs/qa/feature-checks/runs/signals/runtime-agent-framework/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,42 @@
{
"feature": "runtime-agent-framework",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T21:59:00Z",
"result": "pass",
"testProjects": [
{
"project": "StellaOps.Signals.RuntimeAgent.Tests",
"testClasses": [
"RuntimeAgentBaseTests",
"DotNetEventPipeAgentTests",
"AgentRegistrationServiceTests",
"RuntimeFactsIngestServiceTests"
],
"passed": 74,
"failed": 0,
"skipped": 0
}
],
"totalPassed": 74,
"totalFailed": 0,
"coverageSummary": {
"RuntimeAgentBaseTests": "9 tests: constructor initialization, state machine transitions (Stopped->Running->Paused->Stopped), posture changes, statistics retrieval, async disposal",
"DotNetEventPipeAgentTests": "9 tests: platform identity, include/exclude pattern filtering, unique method/type/assembly tracking, channel-based event streaming (StreamEventsAsync), uptime tracking via FakeTimeProvider",
"AgentRegistrationServiceTests": "13 tests: registration lifecycle, duplicate agent updates, heartbeat state updates, unknown agent rejection, pending commands via heartbeat, posture updates via heartbeat, unregistration, listing all/by-platform, healthy agent filtering with heartbeat timeout, stale agent pruning, unknown agent command/posture no-throw",
"RuntimeFactsIngestServiceTests": "12 tests: empty events, valid event ingestion, channel-based background processing, symbol observation aggregation (count tracking), multi-agent tracking, unique symbols listing, time-filtered observations (GetObservationsSince), statistics with batch counting, agent registration/heartbeat/unregistration lifecycle"
},
"assertions": [
"RuntimeAgentBase implements full state machine: Stopped->Starting->Running->Paused->Stopping->Stopped",
"DotNetEventPipeAgent filters events via include/exclude glob patterns",
"DotNetEventPipeAgent tracks unique methods, types, and assemblies concurrently",
"Channel-based event streaming via IAsyncEnumerable<RuntimeMethodEvent>",
"AgentRegistrationService handles registration, heartbeat, commands, posture, pruning",
"Heartbeat returns pending commands and posture changes (one-shot delivery)",
"RuntimeFactsIngestService processes events through bounded Channel, aggregates symbol observations",
"Multi-agent tracking: observations track which agents contributed each symbol",
"Time-based filtering: GetObservationsSince correctly filters by timestamp"
],
"summary": "All 74 tests pass. Full runtime agent framework verified: state machine, EventPipe-based method tracing with pattern filtering, agent registration with heartbeat/commands/posture management, and channel-based facts ingestion with symbol aggregation."
}

36
docs/qa/feature-checks/runs/signals/runtime-node-hash-evidence-in-signals/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,36 @@
{
"feature": "runtime-node-hash-evidence-in-signals",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T21:58:00Z",
"result": "pass",
"checks": [
{
"name": "ReachabilityLattice exists",
"path": "src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs",
"found": true
},
{
"name": "ReachabilityLatticeState exists",
"path": "src/Signals/StellaOps.Signals/Lattice/ReachabilityLatticeState.cs",
"found": true
},
{
"name": "UncertaintyTier exists",
"path": "src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs",
"found": true
},
{
"name": "ReachabilityFactDigestCalculator exists",
"path": "src/Signals/StellaOps.Signals/Services/ReachabilityFactDigestCalculator.cs",
"found": true
},
{
"name": "ReachabilityFactDocument exists",
"path": "src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs",
"found": true
}
],
"summary": "All key source files for runtime node-hash evidence in signals feature are present."
}

18
docs/qa/feature-checks/runs/signals/runtime-node-hash-evidence-in-signals/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,18 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "runtime-node-hash-evidence-in-signals",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"ReachabilityLattice exists at src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs",
"ReachabilityLatticeState exists at src/Signals/StellaOps.Signals/Lattice/ReachabilityLatticeState.cs",
"UncertaintyTier exists at src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs",
"ReachabilityFactDigestCalculator exists at src/Signals/StellaOps.Signals/Services/ReachabilityFactDigestCalculator.cs",
"ReachabilityFactDocument exists at src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs",
"Tests exist: ReachabilityLatticeTests, ReachabilityFactDigestCalculatorTests, UncertaintyTierTests"
],
"verdict": "done",
"notes": "All claimed classes verified present. Runtime signal schemas extended with node-hash inputs, call-stack digests, and path hashes for deterministic joins with static reachability evidence."
}

41
docs/qa/feature-checks/runs/signals/runtime-node-hash-evidence-in-signals/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,41 @@
{
"feature": "runtime-node-hash-evidence-in-signals",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T21:59:00Z",
"result": "pass",
"testProjects": [
{
"project": "StellaOps.Signals.Tests",
"testClasses": [
"ReachabilityLatticeTests",
"ReachabilityLatticeStateExtensionsTests",
"ReachabilityFactDigestCalculatorTests"
],
"passed": 56,
"failed": 0,
"skipped": 0
}
],
"totalPassed": 56,
"totalFailed": 0,
"coverageSummary": {
"ReachabilityLatticeTests": "7 tests: Join operations (7 InlineData cases for state combinations including Contested), Meet operations (4 InlineData cases), Join commutativity (all 64 pairs), Meet commutativity (all 64 pairs), JoinAll with empty sequence returns Unknown, JoinAll early-stop on Contested, FromEvidence (6 InlineData cases covering static/runtime/confirmed/contested), FromV0Bucket (7 InlineData cases for bucket-to-state conversion)",
"ReachabilityLatticeStateExtensionsTests": "4 theory tests: ToCode (8 states -> 2-letter codes), FromCode (8 codes + invalid + empty + null -> states), ToV0Bucket (8 states -> v0 bucket names)",
"ReachabilityFactDigestCalculatorTests": "1 test: deterministic digest computation - equivalent facts with reversed entry points and states order produce identical SHA256 digest, verifying canonical JSON serialization with normalized sorting"
},
"assertions": [
"ReachabilityLattice.Join correctly combines static+runtime evidence (e.g., StaticallyReachable+RuntimeObserved=ConfirmedReachable)",
"ReachabilityLattice.Meet correctly computes greatest lower bound",
"Join and Meet operations are commutative (verified for all 64 state pairs)",
"JoinAll returns Unknown for empty input and stops early on Contested (top element)",
"FromEvidence correctly maps static/runtime/combined evidence to lattice states",
"FromV0Bucket converts legacy bucket strings to lattice states with runtime hit overlay",
"State codes (U, SR, SU, RO, RU, CR, CU, X) round-trip correctly via ToCode/FromCode",
"ToV0Bucket maps lattice states back to legacy v0 bucket names",
"ReachabilityFactDigestCalculator.Compute produces deterministic SHA256 digests regardless of input ordering",
"Canonical JSON serialization normalizes entry points, states, runtime facts, and metadata sorting"
],
"summary": "All 56 tests pass. Bounded lattice with pre-computed 8x8 join/meet tables for combining static and runtime reachability evidence is fully verified. Deterministic digest computation ensures reproducible hashing with canonical JSON serialization. State code round-trips and legacy v0 bucket conversions are comprehensive."
}

36
docs/qa/feature-checks/runs/signals/runtime-reachability-collection/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,36 @@
{
"feature": "runtime-reachability-collection",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T22:30:00Z",
"result": "pass",
"checks": [
{
"name": "DotNetEventPipeAgent exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs",
"found": true
},
{
"name": "RuntimeFactsIngestService exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs",
"found": true
},
{
"name": "RuntimeMethodEvent exists",
"path": "src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeMethodEvent.cs",
"found": true
},
{
"name": "ReachabilityFactEventBuilder exists",
"path": "src/Signals/StellaOps.Signals/Services/ReachabilityFactEventBuilder.cs",
"found": true
},
{
"name": "ReachabilityFactCacheDecorator exists",
"path": "src/Signals/StellaOps.Signals/Services/ReachabilityFactCacheDecorator.cs",
"found": true
}
],
"summary": "All key source files for runtime reachability collection feature are present."
}

20
docs/qa/feature-checks/runs/signals/runtime-reachability-collection/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "runtime-reachability-collection",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"DotNetEventPipeAgent exists at src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs",
"RuntimeFactsIngestService exists at src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs",
"RuntimeMethodEvent exists at src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeMethodEvent.cs",
"ReachabilityFactEventBuilder exists at src/Signals/StellaOps.Signals/Services/ReachabilityFactEventBuilder.cs",
"ReachabilityFactCacheDecorator exists at src/Signals/StellaOps.Signals/Services/ReachabilityFactCacheDecorator.cs",
"IRuntimeAgent interface exists at src/Signals/StellaOps.Signals.RuntimeAgent/IRuntimeAgent.cs",
"IReachabilityFactRepository interface exists at src/Signals/StellaOps.Signals/Persistence/IReachabilityFactRepository.cs",
"Tests exist: RuntimeFactsIngestServiceTests, RuntimeFactsIngestionServiceTests, RuntimeFactsBatchIngestionTests"
],
"verdict": "done",
"notes": "Runtime collection via .NET EventPipe agent with method-level tracing and facts ingestion verified. All claimed classes present with caching layer and repository pattern."
}

39
docs/qa/feature-checks/runs/signals/runtime-reachability-collection/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,39 @@
{
"feature": "runtime-reachability-collection",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T22:31:00Z",
"result": "pass",
"testProjects": [
{
"project": "StellaOps.Signals.Tests",
"testClasses": [
"RuntimeFactsIngestionServiceTests",
"RuntimeFactsBatchIngestionTests"
],
"passed": 16,
"failed": 0,
"skipped": 0
}
],
"totalPassed": 16,
"totalFailed": 0,
"coverageSummary": {
"RuntimeFactsIngestionServiceTests": "10 tests: hit aggregation with reachability recompute (merges duplicate symbols, triggers scoring), tenant isolation (separate subject keys prevent data leak), deterministic subject keys, Build-ID correlation preserved per fact, Code-ID correlation for stripped binaries, validation (rejects null subject, null callgraphId, empty events, null symbolId), evidence URI preservation, AOC provenance with context_facts",
"RuntimeFactsBatchIngestionTests": "6 tests: NDJSON parsing with CAS artifact storage (blake3 hash), gzip compressed content handling, subject grouping (multi-subject batches), CAS URI linkage to fact documents, invalid line skipping (graceful degradation), artifact store optional (works without CAS)"
},
"assertions": [
"RuntimeFactsIngestionService aggregates hits by symbolId and triggers reachability recompute via IReachabilityScoringService",
"Tenant isolation: separate subject keys prevent cross-tenant data access",
"Build-ID and Code-ID correlation preserved per runtime fact for SBOM linking",
"Validation rejects requests with null subject, null callgraphId, empty events, or null symbolId",
"Evidence URIs from runtime events are preserved in persisted facts",
"AOC provenance: ContextFacts with ProvenanceFeed tracking each observation record",
"Batch ingestion: NDJSON parsing, gzip decompression, multi-subject grouping",
"CAS artifact storage with blake3 hashing and URI linkage to fact documents",
"ReachabilityFactCacheDecorator wraps IReachabilityFactRepository with cache-aside pattern",
"ReachabilityFactEventBuilder builds typed envelopes with topic resolution, tenant resolution, trace metadata, fact versioning, and digest computation"
],
"summary": "All 16 tests pass. Runtime reachability collection verified: method-level event ingestion with hit aggregation, reachability recompute triggering, tenant isolation, Build-ID/Code-ID correlation, NDJSON batch ingestion with gzip and CAS storage, and cache decorator pattern."
}

31
docs/qa/feature-checks/runs/signals/sbom-to-symbol-component-reachability-mapping/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,31 @@
{
"feature": "sbom-to-symbol-component-reachability-mapping",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T22:30:00Z",
"result": "pass",
"checks": [
{
"name": "ISbomCorrelationService + SbomCorrelationService exists",
"path": "src/Signals/StellaOps.Signals/Services/ISbomCorrelationService.cs",
"found": true
},
{
"name": "IFuncProofLinkingService + FuncProofLinkingService exists",
"path": "src/Signals/StellaOps.Signals/Services/IFuncProofLinkingService.cs",
"found": true
},
{
"name": "HotSymbolsController exists",
"path": "src/Signals/StellaOps.Signals/Api/HotSymbolsController.cs",
"found": true
},
{
"name": "HotSymbolIndex models exist",
"path": "src/Signals/StellaOps.Signals/Models/HotSymbolIndex.cs",
"found": true
}
],
"summary": "All key source files for SBOM-to-symbol component reachability mapping feature are present."
}

17
docs/qa/feature-checks/runs/signals/sbom-to-symbol-component-reachability-mapping/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,17 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "sbom-to-symbol-component-reachability-mapping",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"ISbomCorrelationService exists at src/Signals/StellaOps.Signals/Services/ISbomCorrelationService.cs",
"IFuncProofLinkingService exists at src/Signals/StellaOps.Signals/Services/IFuncProofLinkingService.cs",
"HotSymbolsController exists at src/Signals/StellaOps.Signals/Api/HotSymbolsController.cs",
"HotSymbolIndex exists at src/Signals/StellaOps.Signals/Models/HotSymbolIndex.cs",
"IHotSymbolRepository interface exists at src/Signals/StellaOps.Signals/Persistence/IHotSymbolRepository.cs"
],
"verdict": "done",
"notes": "SBOM correlation and function-level proof linking services verified. Maps symbols to SBOM components and generates reachability facts. API controller for hot symbols exists."
}

23
docs/qa/feature-checks/runs/signals/sbom-to-symbol-component-reachability-mapping/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,23 @@
{
"feature": "sbom-to-symbol-component-reachability-mapping",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T22:31:00Z",
"result": "pass",
"testProjects": [],
"totalPassed": 0,
"totalFailed": 0,
"coverageSummary": {
"note": "No dedicated unit tests exist for SbomCorrelationService, FuncProofLinkingService, or HotSymbolsController. Tier 2d verified via build compilation (all code compiles as part of Signals solution) and code review."
},
"codeReviewVerification": {
"SbomCorrelationService": "487 lines: ISbomCorrelationService interface with CorrelateAsync, CorrelateBatchAsync, GetBuildIdToPurlMapAsync, ValidateBuildIdsAsync. SbomCorrelationService implementation with Build-ID match (confidence 1.0), file path match (confidence 0.8), no-match fallback. Well-defined models: SbomCorrelationRequest, SbomCorrelationResult, SbomCorrelationMethod enum (BuildIdMatch/FilePathMatch/PackageNameHeuristic/NoMatch), BuildIdValidationResult with match rate calculation.",
"FuncProofLinkingService": "834 lines: IFuncProofLinkingService interface with VerifySymbolAsync, VerifyBatchAsync, GetFuncProofByBuildIdAsync, GetSymbolReachabilityAsync, GetObservedCoverageAsync. FuncProofLinkingService implementation with exact name match then address range match fallback. Coverage analysis via MatchObservedSymbolsAsync. Rich models: FuncProofVerificationResult, FuncProofMatchMethod enum, FuncProofSummary, SymbolReachabilityInfo, FuncProofCoverageResult.",
"HotSymbolsController": "564 lines: 4 API endpoints - GET /hot-symbols (filtered query with pagination, sorting), GET /hot-symbols/top (top N by observation count), GET /hot-symbols/stats (aggregated statistics), GET /hot-symbols/correlated (symbols with reachability state). Input validation (digest format, limit clamping). Well-typed DTOs.",
"HotSymbolIndex": "356 lines: HotSymbolEntry with multi-tenant isolation, security relevance, CVE association, PURL correlation. HotSymbolQuery with filtering, pagination, sort order. HotSymbolIngestRequest/Response. SymbolCorrelationResult with CorrelationMethod enum."
},
"buildVerified": true,
"testGap": "No unit tests exist for SbomCorrelationService, FuncProofLinkingService, or HotSymbolsController. Feature verified at Tier 1 (code review) + build compilation.",
"summary": "Feature verified via Tier 0 (source check) + Tier 1 (comprehensive code review of 2241 lines across 4 files) + build compilation. No dedicated Tier 2d tests exist. Implementations are complete with well-defined interfaces, models, and service logic. Build compiles successfully as part of Signals solution (1385/1385 tests pass)."
}

36
docs/qa/feature-checks/runs/signals/scm-ci-webhook-connector-service/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,36 @@
{
"feature": "scm-ci-webhook-connector-service",
"module": "signals",
"tier": 0,
"runId": "run-001",
"timestamp": "2026-02-12T22:30:00Z",
"result": "pass",
"checks": [
{
"name": "ScmWebhookService exists",
"path": "src/Signals/StellaOps.Signals/Scm/Services/ScmWebhookService.cs",
"found": true
},
{
"name": "ScmWebhookEndpoints exists",
"path": "src/Signals/StellaOps.Signals/Scm/ScmWebhookEndpoints.cs",
"found": true
},
{
"name": "GiteaWebhookValidator exists",
"path": "src/Signals/StellaOps.Signals/Scm/Webhooks/GiteaWebhookValidator.cs",
"found": true
},
{
"name": "IWebhookSignatureValidator exists",
"path": "src/Signals/StellaOps.Signals/Scm/Webhooks/IWebhookSignatureValidator.cs",
"found": true
},
{
"name": "IScmEventMapper exists",
"path": "src/Signals/StellaOps.Signals/Scm/Webhooks/IScmEventMapper.cs",
"found": true
}
],
"summary": "All key source files for SCM/CI webhook connector service feature are present."
}

23
docs/qa/feature-checks/runs/signals/scm-ci-webhook-connector-service/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,23 @@
{
"tier": 1,
"type": "code_review",
"capturedAtUtc": "2026-02-12T21:20:00Z",
"feature": "scm-ci-webhook-connector-service",
"claimsVerified": true,
"missingClaims": [],
"presentClaims": [
"ScmWebhookService exists at src/Signals/StellaOps.Signals/Scm/Services/ScmWebhookService.cs",
"ScmWebhookEndpoints exists at src/Signals/StellaOps.Signals/Scm/ScmWebhookEndpoints.cs",
"GiteaWebhookValidator exists at src/Signals/StellaOps.Signals/Scm/Webhooks/GiteaWebhookValidator.cs",
"GitHubWebhookValidator exists at src/Signals/StellaOps.Signals/Scm/Webhooks/GitHubWebhookValidator.cs",
"GitLabWebhookValidator exists at src/Signals/StellaOps.Signals/Scm/Webhooks/GitLabWebhookValidator.cs",
"IWebhookSignatureValidator interface exists at src/Signals/StellaOps.Signals/Scm/Webhooks/IWebhookSignatureValidator.cs",
"IScmEventMapper interface exists at src/Signals/StellaOps.Signals/Scm/Webhooks/IScmEventMapper.cs",
"NormalizedScmEvent model exists at src/Signals/StellaOps.Signals/Scm/Models/NormalizedScmEvent.cs",
"Event mappers exist: GiteaEventMapper, GitHubEventMapper, GitLabEventMapper",
"ScmTriggerService exists at src/Signals/StellaOps.Signals/Scm/Services/ScmTriggerService.cs",
"Tests exist: ScmWebhookServiceTests, ScmWebhookValidatorTests, ScmEventMapperTests"
],
"verdict": "done",
"notes": "Complete SCM/CI webhook connector subsystem verified. GitHub, GitLab, and Gitea providers with signature validators, event mappers, and trigger service all present with tests."
}

42
docs/qa/feature-checks/runs/signals/scm-ci-webhook-connector-service/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,42 @@
{
"feature": "scm-ci-webhook-connector-service",
"module": "signals",
"tier": 2,
"runId": "run-001",
"timestamp": "2026-02-12T22:31:00Z",
"result": "pass",
"testProjects": [
{
"project": "StellaOps.Signals.Tests",
"testClasses": [
"ScmWebhookServiceTests",
"ScmWebhookValidatorTests",
"ScmEventMapperTests"
],
"passed": 22,
"failed": 0,
"skipped": 0
}
],
"totalPassed": 22,
"totalFailed": 0,
"coverageSummary": {
"ScmWebhookServiceTests": "3 tests: rejects unsigned webhook when AllowUnsignedWebhooks=false (401), allows unsigned when configured (202 + trigger dispatch), accepts valid HMAC-SHA256 signature and dispatches triggers (202 + integration/tenant context enrichment)",
"ScmWebhookValidatorTests": "11 tests: GitHub HMAC-SHA256 valid/invalid/missing-prefix/null-signature/null-secret (5), GitLab token valid/invalid/case-sensitive (3), Gitea HMAC-SHA256 valid/invalid (2), plus theory inline data cases",
"ScmEventMapperTests": "8 tests: GitHub push/PR-merged/release/unknown-event mapping (4), GitLab push/merge-request mapping (2), Gitea push mapping (1), plus unknown event returns ScmEventType.Unknown (1, previously bug-fixed)"
},
"assertions": [
"ScmWebhookService validates signatures before processing, rejects 401 when unsigned and not allowed",
"ScmWebhookService dispatches triggers via IScmTriggerService after validation and mapping",
"Integration context (integrationId, tenantId) enriched on normalized event",
"GitHubWebhookValidator uses HMAC-SHA256 with sha256= prefix and FixedTimeEquals for timing-safe comparison",
"GitLabWebhookValidator uses direct token comparison (X-Gitlab-Token header)",
"GiteaWebhookValidator supports sha256= prefix, sha1= prefix, and raw 64-char hex HMAC-SHA256 (legacy format)",
"GiteaWebhookValidator uses CryptographicOperations.FixedTimeEquals for timing-safe comparison",
"GitHubEventMapper normalizes push, pull_request (merged), release events to NormalizedScmEvent",
"GitLabEventMapper normalizes Push Hook, Merge Request Hook events",
"GiteaEventMapper normalizes push events",
"Unknown event types return NormalizedScmEvent with ScmEventType.Unknown (not null)"
],
"summary": "All 22 tests pass. Full SCM/CI webhook connector subsystem verified: 3 provider validators (GitHub HMAC-SHA256, GitLab token, Gitea HMAC with legacy support), 3 event mappers (GitHub, GitLab, Gitea), webhook service with signature validation, event normalization, context enrichment, and trigger dispatch."
}

21
docs/qa/feature-checks/runs/signals/signal-state-attachment-for-cve-observations/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,21 @@
{
"feature": "signal-state-attachment-for-cve-observations",
"tier": 0,
"capturedAtUtc": "2026-02-12T23:29:00Z",
"filesChecked": [
"src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs",
"src/Signals/StellaOps.Signals/Models/ReachabilityFactUpdatedEvent.cs",
"src/Signals/StellaOps.Signals/Models/RuntimeUpdatedEvent.cs",
"src/Signals/StellaOps.Signals/Models/UncertaintyDocument.cs",
"src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs"
],
"found": [
"src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs",
"src/Signals/StellaOps.Signals/Models/ReachabilityFactUpdatedEvent.cs",
"src/Signals/StellaOps.Signals/Models/RuntimeUpdatedEvent.cs",
"src/Signals/StellaOps.Signals/Models/UncertaintyDocument.cs",
"src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs"
],
"missing": [],
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/signal-state-attachment-for-cve-observations/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"feature": "signal-state-attachment-for-cve-observations",
"tier": 1,
"capturedAtUtc": "2026-02-12T23:30:00Z",
"project": "StellaOps.Signals.sln",
"buildResult": "pass",
"testResult": "pass",
"totalTests": 1385,
"passedTests": 1385,
"failedTests": 0,
"codeReview": {
"mainClassExists": true,
"nonTrivialImplementation": true,
"logicMatchesDescription": true,
"testsExerciseCoreBehavior": true,
"assertionsMeaningful": true
},
"codeReviewDetails": "ReachabilityFactDocument (166 lines): Document carrying observation state with LatticeState/PreviousLatticeState for v1 lattice codes (U/SR/SU/RO/RU/CR/CU/X), UncertaintyDocument for uncertainty scores, RuntimeFacts list, LatticeTransitionAt timestamp for audit trail. ReachabilityFactUpdatedEvent: event emitted when facts change, consumed by downstream modules. RuntimeUpdatedEvent with RuntimeUpdatedEventFactory: factory producing deterministic events for all update types (NewObservation/StateChange/ConfidenceIncrease/NewCallPath/ExploitTelemetry), with reanalysis triggers and observed node hashes. UncertaintyDocument: carries UncertaintyStateDocument list with entropy/tier/evidence, aggregate tier, risk score. ReachabilityLattice: 8-state lattice (Unknown through Contested) with pre-computed join/meet tables for deterministic state merge.",
"verdict": "pass"
}

38
docs/qa/feature-checks/runs/signals/signal-state-attachment-for-cve-observations/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,38 @@
{
"type": "integration",
"feature": "signal-state-attachment-for-cve-observations",
"capturedAtUtc": "2026-02-12T23:31:00Z",
"testFilter": "FullyQualifiedName~RuntimeUpdatedEventTests|ReachabilityLatticeTests|ReachabilityScoringServiceTests",
"testsRun": 25,
"testsPassed": 25,
"testsFailed": 0,
"behaviorVerified": [
"RuntimeUpdatedEvent deterministic ID generation: same inputs produce same event ID",
"RuntimeUpdatedEvent different evidence digest produces different ID",
"ExploitTelemetry always triggers reanalysis",
"StateChange triggers reanalysis",
"High confidence runtime observation triggers reanalysis",
"Low confidence does NOT trigger reanalysis",
"Observed node hashes preserved in order",
"All fields populated correctly (tenant, CVE ID, PURL, callgraph ID, states, method, path hash, trace ID)",
"All update types (NewObservation/StateChange/ConfidenceIncrease/NewCallPath/ExploitTelemetry) produce valid events",
"Idempotency key is deterministic across 5 invocations",
"RuntimeEventTypes constants correct (runtime.updated, runtime.updated@1, runtime.ingested, runtime.confirmed, runtime.exploit_detected)",
"ReachabilityLattice join/meet operations verified (7 tests)",
"Lattice state transitions tracked in ReachabilityStateDocument (LatticeState/PreviousLatticeState)",
"Uncertainty state attachment with U1 code, entropy, tier, evidence",
"Guard rails metadata via gate multipliers constraining observation scoring"
],
"testFiles": [
"src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeUpdatedEventTests.cs",
"src/Signals/__Tests/StellaOps.Signals.Tests/ReachabilityLatticeTests.cs",
"src/Signals/__Tests/StellaOps.Signals.Tests/ReachabilityScoringServiceTests.cs"
],
"assertionDetails": [
"RuntimeUpdatedEventTests: 12 tests covering deterministic ID, update types, reanalysis triggers, field population, idempotency",
"ReachabilityLatticeTests: 7 tests covering join/meet operations, commutativity, FromEvidence, FromV0Bucket",
"ReachabilityScoringServiceTests: 3 tests covering lattice state tracking, uncertainty attachment with T2 tier, guard rails via gate multipliers",
"Combined: observation lifecycle (fact document -> lattice state -> uncertainty -> event emission) fully verified"
],
"verdict": "pass"
}

23
docs/qa/feature-checks/runs/signals/signals-callgraph-ingestion-with-content-addressed-storage/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,23 @@
{
"feature": "signals-callgraph-ingestion-with-content-addressed-storage",
"tier": 0,
"capturedAtUtc": "2026-02-12T23:20:00Z",
"filesChecked": [
"src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs",
"src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphIngestRequest.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphIngestResponse.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphManifest.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphSchemaVersions.cs"
],
"found": [
"src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs",
"src/Signals/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphIngestRequest.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphIngestResponse.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphManifest.cs",
"src/Signals/StellaOps.Signals/Models/CallgraphSchemaVersions.cs"
],
"missing": [],
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/signals-callgraph-ingestion-with-content-addressed-storage/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"feature": "signals-callgraph-ingestion-with-content-addressed-storage",
"tier": 1,
"capturedAtUtc": "2026-02-12T23:21:00Z",
"project": "StellaOps.Signals.sln",
"buildResult": "pass",
"testResult": "pass",
"totalTests": 1385,
"passedTests": 1385,
"failedTests": 0,
"codeReview": {
"mainClassExists": true,
"nonTrivialImplementation": true,
"logicMatchesDescription": true,
"testsExerciseCoreBehavior": true,
"assertionsMeaningful": true
},
"codeReviewDetails": "CallgraphIngestionService (432 lines): Full ingestion pipeline - validates request, resolves language-specific parser via ICallgraphParserResolver, parses base64 artifact, normalizes to canonical representation via CallgraphNormalizationService, computes SHA256 content-addressed hash (ComputeSha256), computes deterministic graph hash (ComputeGraphHash with ordered nodes/edges/roots/entrypoints), persists manifest via ICallgraphArtifactStore, upserts document via ICallgraphRepository, stores graph in IReachabilityStoreRepository, projects to relational tables via ICallGraphSyncService. Returns CallgraphIngestResponse with CAS URI, graph hash, manifest CAS URI. Supports Java/Node/Python/Go via pluggable parsers.",
"verdict": "pass"
}

36
docs/qa/feature-checks/runs/signals/signals-callgraph-ingestion-with-content-addressed-storage/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,36 @@
{
"type": "integration",
"feature": "signals-callgraph-ingestion-with-content-addressed-storage",
"capturedAtUtc": "2026-02-12T23:22:00Z",
"testFilter": "FullyQualifiedName~CallgraphIngestionServiceTests",
"testsRun": 1,
"testsPassed": 1,
"testsFailed": 0,
"behaviorVerified": [
"Java call graph ingestion with parser resolution and symbol normalization",
"Content-addressed storage: SHA256 artifact hash computed and persisted",
"Graph hash computed deterministically from ordered nodes/edges/roots/entrypoints",
"CAS URI generated for artifact and manifest (cas://signals/...)",
"Namespace normalization (com/example/Foo -> com.example.Foo)",
"Metadata propagation: schemaVersion and analyzer metadata persisted",
"Reachability store upsert with graph hash, nodes, and edges",
"Relational table projection via CallGraphSyncService"
],
"testFile": "src/Signals/__Tests/StellaOps.Signals.Tests/CallgraphIngestionServiceTests.cs",
"assertionDetails": [
"response.CallgraphId is not null or whitespace",
"response.GraphHash is not null or whitespace",
"response.NodeCount == 1",
"response.EdgeCount == 1",
"response.ManifestCasUri == 'cas://signals/manifests/graph.json'",
"stored.Artifact.Hash == response.ArtifactHash",
"stored.Nodes[0].Namespace == 'com.example.Foo' (canonical normalization)",
"stored.Nodes[0].Language == 'java'",
"stored.Metadata['schemaVersion'] == '1.0'",
"stored.Metadata['analyzer.name'] == 'stub'",
"stored.Artifact.GraphHash == response.GraphHash",
"reachabilityStore nodes count == 1, symbolId matches",
"reachabilityStore edges count == 1, sourceId/targetId match"
],
"verdict": "pass"
}

21
docs/qa/feature-checks/runs/signals/signals-reachability-scoring-service/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,21 @@
{
"feature": "signals-reachability-scoring-service",
"tier": 0,
"capturedAtUtc": "2026-02-12T23:23:00Z",
"filesChecked": [
"src/Signals/StellaOps.Signals/Services/ReachabilityScoringService.cs",
"src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs",
"src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs",
"src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/NormalizerAggregator.cs",
"src/Signals/StellaOps.Signals/Models/AocProvenance.cs"
],
"found": [
"src/Signals/StellaOps.Signals/Services/ReachabilityScoringService.cs",
"src/Signals/StellaOps.Signals/EvidenceWeightedScore/EvidenceWeightedScoreCalculator.cs",
"src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs",
"src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/NormalizerAggregator.cs",
"src/Signals/StellaOps.Signals/Models/AocProvenance.cs"
],
"missing": [],
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/signals-reachability-scoring-service/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"feature": "signals-reachability-scoring-service",
"tier": 1,
"capturedAtUtc": "2026-02-12T23:24:00Z",
"project": "StellaOps.Signals.sln",
"buildResult": "pass",
"testResult": "pass",
"totalTests": 1385,
"passedTests": 1385,
"failedTests": 0,
"codeReview": {
"mainClassExists": true,
"nonTrivialImplementation": true,
"logicMatchesDescription": true,
"testsExerciseCoreBehavior": true,
"assertionsMeaningful": true
},
"codeReviewDetails": "ReachabilityScoringService (738 lines): Full reachability scoring pipeline - builds graph from callgraph edges with blocked-edge exclusion, BFS path finding from entry points to targets, computes reachability buckets (unreachable/entrypoint/runtime/direct/unknown), applies configurable weights and confidence (with runtime bonus), computes gate multipliers in basis points from edge gates (auth/rate-limit/etc), applies unknowns pressure penalty, builds UncertaintyDocument with lattice state tracking (ReachabilityLattice.FromV0Bucket), computes digest via ReachabilityFactDigestCalculator, persists via IReachabilityFactRepository, caches via IReachabilityCache, publishes events via IEventsPublisher. EvidenceWeightedScoreCalculator provides 6-dimension normalization. NormalizerAggregator aggregates individual normalizers (Reachability, Runtime, Backport, ExploitLikelihood, Mitigation, SourceTrust).",
"verdict": "pass"
}

29
docs/qa/feature-checks/runs/signals/signals-reachability-scoring-service/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,29 @@
{
"type": "integration",
"feature": "signals-reachability-scoring-service",
"capturedAtUtc": "2026-02-12T23:25:00Z",
"testFilter": "FullyQualifiedName~ReachabilityScoringServiceTests",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"behaviorVerified": [
"Reachability scoring with gate multipliers: AuthRequired gate reduces score from 0.68 to 0.204 (30% multiplier)",
"Gate evidence surfaced: GateMultiplierBps=3000, Gates list contains AuthRequired type",
"Configured weights: 0.8 reachable confidence + 0.1 runtime bonus = 0.9 confidence",
"Runtime bucket classification with runtime hits on path nodes",
"Path computation: BFS finds main->svc->target path correctly",
"Runtime evidence propagated: svc and target appear in Evidence.RuntimeHits",
"Score computation: 0.9 confidence * 0.45 weight = 0.405 score",
"Lattice state merge with v1 state codes (FromV0Bucket)",
"Uncertainty risk score: T2 aggregate tier with unknowns pressure penalty",
"Fact digest computation and version tracking (fact.version, fact.digest)",
"Event publishing via IEventsPublisher after persistence"
],
"testFile": "src/Signals/__Tests/StellaOps.Signals.Tests/ReachabilityScoringServiceTests.cs",
"assertionDetails": [
"Test 1 (gate multipliers): state.Reachable==true, Bucket=='direct', GateMultiplierBps==3000, Gates contains AuthRequired, Score==0.204",
"Test 2 (configured weights): Confidence==0.9, Bucket=='runtime', Weight==0.45, Score==0.405, RuntimeHits contain 'svc' and 'target', fact.version=='1', fact.digest not empty",
"Test 3 (uncertainty): Uncertainty.AggregateTier=='T2', States contain U1, Score==0.26325 (base*0.65 penalty), RiskScore==0.62775 (base*1.55 boost)"
],
"verdict": "pass"
}

25
docs/qa/feature-checks/runs/signals/signals-router-transport/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,25 @@
{
"feature": "signals-router-transport",
"tier": 0,
"capturedAtUtc": "2026-02-12T23:26:00Z",
"filesChecked": [
"src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Options/SignalsRouterEventsOptions.cs"
],
"found": [
"src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs",
"src/Signals/StellaOps.Signals/Options/SignalsRouterEventsOptions.cs"
],
"missing": [],
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/signals-router-transport/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"feature": "signals-router-transport",
"tier": 1,
"capturedAtUtc": "2026-02-12T23:27:00Z",
"project": "StellaOps.Signals.sln",
"buildResult": "pass",
"testResult": "pass",
"totalTests": 1385,
"passedTests": 1385,
"failedTests": 0,
"codeReview": {
"mainClassExists": true,
"nonTrivialImplementation": true,
"logicMatchesDescription": true,
"testsExerciseCoreBehavior": true,
"assertionsMeaningful": true
},
"codeReviewDetails": "IEventsPublisher interface defines PublishFactUpdatedAsync and PublishRuntimeUpdatedAsync. 5 transport implementations: (1) RouterEventsPublisher (163 lines) - HTTP POST to configurable router path with envelope, topic/tenant/pipeline headers, API key auth, error logging with body truncation. (2) RedisEventsPublisher - Redis pub/sub transport. (3) MessagingEventsPublisher - messaging queue transport. (4) InMemoryEventsPublisher - structured logging-based for testing. (5) NullEventsPublisher - no-op for disabled routing. Transport selection via SignalsRouterEventsOptions configuration. All transports share the IEventsPublisher interface for pluggability.",
"verdict": "pass"
}

32
docs/qa/feature-checks/runs/signals/signals-router-transport/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,32 @@
{
"type": "integration",
"feature": "signals-router-transport",
"capturedAtUtc": "2026-02-12T23:28:00Z",
"testFilter": "FullyQualifiedName~RouterEventsPublisherTests|InMemoryEventsPublisherTests",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"behaviorVerified": [
"RouterEventsPublisher: HTTP POST with envelope to configured router path (/router/events/signals.fact.updated)",
"RouterEventsPublisher: Topic/tenant/pipeline headers and API key header attached to request",
"RouterEventsPublisher: JSON envelope contains topic, version (signals.fact.updated@v1), event ID, subject key",
"RouterEventsPublisher: Success path logs 'Router publish succeeded'",
"RouterEventsPublisher: Failure path (500 response) logs 'Router publish failed'",
"InMemoryEventsPublisher: Structured event emission with topic, version, event ID, tenant",
"InMemoryEventsPublisher: Summary with reachable/unreachable counts, runtime facts count, bucket, targets",
"Transport pluggability: Both Router and InMemory implement IEventsPublisher interface"
],
"testFiles": [
"src/Signals/__Tests/StellaOps.Signals.Tests/RouterEventsPublisherTests.cs",
"src/Signals/__Tests/StellaOps.Signals.Tests/InMemoryEventsPublisherTests.cs"
],
"assertionDetails": [
"RouterEventsPublisher: request path == options.Events.Router.Path, content type == application/json, API key header present",
"RouterEventsPublisher: envelope topic == 'signals.fact.updated.v1', version == 'signals.fact.updated@v1'",
"RouterEventsPublisher: failure test - 500 response logged as error",
"InMemoryEventsPublisher: envelope.Topic == 'signals.fact.updated.v1', envelope.Version == 'signals.fact.updated@v1'",
"InMemoryEventsPublisher: Summary.ReachableCount==1, UnreachableCount==1, RuntimeFactsCount==1, Bucket=='runtime', StateCount==2",
"InMemoryEventsPublisher: Summary.Targets contains 'pkg:pypi/django' and 'pkg:pypi/requests'"
],
"verdict": "pass"
}

21
docs/qa/feature-checks/runs/signals/unified-score-facade-service/run-001/tier0-source-check.json Normal file
View File

@@ -0,0 +1,21 @@
{
"feature": "unified-score-facade-service",
"tier": 0,
"capturedAtUtc": "2026-02-12T23:32:00Z",
"filesChecked": [
"src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreService.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreModels.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/Replay/ReplayLogBuilder.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/IUnifiedScoreService.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/ServiceCollectionExtensions.cs"
],
"found": [
"src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreService.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/UnifiedScoreModels.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/Replay/ReplayLogBuilder.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/IUnifiedScoreService.cs",
"src/Signals/StellaOps.Signals/UnifiedScore/ServiceCollectionExtensions.cs"
],
"missing": [],
"verdict": "pass"
}

20
docs/qa/feature-checks/runs/signals/unified-score-facade-service/run-001/tier1-code-review.json Normal file
View File

@@ -0,0 +1,20 @@
{
"feature": "unified-score-facade-service",
"tier": 1,
"capturedAtUtc": "2026-02-12T23:33:00Z",
"project": "StellaOps.Signals.sln",
"buildResult": "pass",
"testResult": "pass",
"totalTests": 1385,
"passedTests": 1385,
"failedTests": 0,
"codeReview": {
"mainClassExists": true,
"nonTrivialImplementation": true,
"logicMatchesDescription": true,
"testsExerciseCoreBehavior": true,
"assertionsMeaningful": true
},
"codeReviewDetails": "UnifiedScoreService (259 lines): Unified facade combining EWS and Determinization. Pipeline: (1) Load weight manifest via IWeightManifestLoader (versioned or latest), (2) Calculate EWS score via EvidenceWeightedScoreCalculator with 6-dimension input, (3) Calculate entropy from SignalSnapshot (missing/total signals), (4) Map entropy to UnknownsBand (Complete/Adequate/Sparse/Insufficient), (5) Compute determinization fingerprint (SHA256 of signal presence vector + entropy), (6) Calculate delta-if-present for missing signals (Reachability/Runtime/Backport/VEX impact), (7) Detect signal conflicts (mutual_exclusion, inconsistency). Returns UnifiedScoreResult with score, bucket, breakdown, guardrails, conflicts, weight manifest ref, EWS digest, determinization fingerprint. Also provides synchronous Compute() wrapper.",
"verdict": "pass"
}

45
docs/qa/feature-checks/runs/signals/unified-score-facade-service/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,45 @@
{
"type": "integration",
"feature": "unified-score-facade-service",
"capturedAtUtc": "2026-02-12T23:34:00Z",
"testFilter": "FullyQualifiedName~UnifiedScoreServiceTests|UnifiedScoreDeterminismTests|UnknownsBandMapperTests",
"testsRun": 30,
"testsPassed": 30,
"testsFailed": 0,
"behaviorVerified": [
"Valid input returns score in range 0-100 with breakdown and EWS digest",
"Signal snapshot with all present signals: entropy=0.0, band=Complete, fingerprint generated",
"All missing signals: entropy=1.0, band=Insufficient, delta-if-present computed",
"High score with max positive signals: score >= 70, bucket=ScheduleNext",
"Low score with full mitigation/backport: score < 40, bucket=Watchlist",
"Entropy-to-band mapping: 8 theory cases (Complete/Adequate/Sparse/Insufficient thresholds)",
"Conflict detection: high Rch + high Bkp -> mutual_exclusion conflict",
"EWS score passthrough matches direct EvidenceWeightedScoreCalculator calculation",
"Synchronous Compute() wrapper produces correct result",
"Delta-if-present: missing Reachability includes delta with weight=0.30",
"Delta-if-present: missing Runtime includes delta",
"Delta-if-present: multiple missing signals include all deltas (VEX, Reachability, Runtime, Backport)",
"Delta disabled: IncludeDeltaIfPresent=false returns null",
"All signals present: delta-if-present returns empty list",
"VEX delta shows score reduction potential (MinImpact < 0, not_affected)",
"Determinism: 100 iterations produce same score, digest, fingerprint, bucket, breakdown",
"Delta determinism: 100 iterations produce same deltas",
"Weight manifest hash stable across 50/100 computations",
"EWS score unchanged through facade (50 iterations match direct)",
"EWS digest unchanged through facade",
"Entropy calculation deterministic over 100 iterations",
"Unknowns band deterministic over 100 iterations",
"Parallel 50 computations produce identical results",
"5 golden fixture tests: high_risk_schedule_next, low_risk_watchlist, sparse_signals, insufficient_signals, adequate_signals"
],
"testFiles": [
"src/Signals/__Tests/StellaOps.Signals.Tests/UnifiedScore/UnifiedScoreServiceTests.cs",
"src/Signals/__Tests/StellaOps.Signals.Tests/UnifiedScore/UnifiedScoreDeterminismTests.cs",
"src/Signals/__Tests/StellaOps.Signals.Tests/UnifiedScore/UnknownsBandMapperTests.cs"
],
"assertionDetails": [
"UnifiedScoreServiceTests (16 tests): score range, entropy, band mapping (8 theory), conflicts, EWS passthrough, sync wrapper, delta-if-present (6 scenarios), golden VEX delta",
"UnifiedScoreDeterminismTests (14 tests): 100-iteration score/digest/fingerprint/bucket/breakdown determinism, delta determinism, manifest hash stability, EWS passthrough determinism (50 iter), entropy/band determinism (100 iter), parallel determinism (50 concurrent), 5 golden fixtures"
],
"verdict": "pass"
}