stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Enhance traceability and logging in Risk and Vulnerability clients

Browse Source 
- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
This commit is contained in:
StellaOps Bot
2025-12-02 19:24:26 +02:00
parent 76ecea482e
commit acbb0ff637
20 changed files with 186 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/implplan/SPRINT_0119_0001_0005_excititor_v.md
View File

@@ -33,11 +33,11 @@
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | TODO |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | BLOCKED (awaiting Lens field list/examples) |
| Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | BLOCKED (awaiting advisory_key spec) |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | TODO |
| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | TODO |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | TODO |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | BLOCKED (depends on 29-002 endpoint shape) |
| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | DONE |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | BLOCKED (mirror registration + bundle schema) |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -46,6 +46,7 @@
| 2025-11-23 | Marked Vuln Explorer chain (29-001/002/004) BLOCKED pending `advisory_key` canonicalization spec from Vuln Explorer; Action Tracker updated. | Project Mgmt |
| 2025-11-25 | Added `$jsonSchema` validator migration (`20251125-vex-raw-json-schema`) plus schema doc and rollback/runbook; marked EXCITITOR-STORE-AOC-19-001/002 DONE. | Implementer |
| 2025-11-25 | Marked VEX Lens export (30-001) BLOCKED awaiting Lens field list; set AirGap 56-001/58-001 BLOCKED until mirror registration + bundle schema arrive. | Project Mgmt |
| 2025-12-02 | Synced Action Tracker with Delivery Tracker (Lens/Observability/AirGap now BLOCKED; Storage validation DONE). | Implementer |
## Decisions & Risks
- **Decisions**

1
docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
View File

@@ -46,6 +46,7 @@
| 2025-12-01 | Completed 18-506: WebService `/scans/{id}/entrytrace` and CLI rendering now expose EntryTrace graph + confidence summaries alongside NDJSON stream. | Implementer |
| 2025-12-01 | ZASTAVA-SURFACE-02: Observer resolves Surface manifest digests and `cas://` URIs, enriches drift evidence with artifact metadata, and counts failures via `zastava_surface_manifest_failures_total`. | Implementer |
| 2025-12-01 | SCANNER-SORT-02: ComponentGraphBuilder sorts layer fragments by digest; regression test added. | Implementer |
| 2025-12-02 | Surface FS determinism plumbing verified: injected ICryptoHash into FileSurfaceManifestStore test harness; `dotnet test …SurfaceManifestDeterminismVerifierTests` (2/2 pass) and full `StellaOps.Scanner.Surface.FS.Tests` suite (7/7 pass). | Implementer |
## Decisions & Risks
- EntryTrace NDJSON export and replay completed; relies on deterministic `/proc` capture and preserved ordering for confidence adjustments.

18
docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
View File

@@ -30,18 +30,21 @@
| 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); proceed to sign `confidence_decay_config.yaml` by 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); sign unknowns scoring manifest by 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); sign heuristic catalog/schema + fixtures by 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 5 | DECAY-GAPS-140-005 | BLOCKED (2025-12-02) | cosign binary unavailable in environment; cannot sign `confidence_decay_config.yaml`. Needs cosign (or offline signer) to proceed by 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | BLOCKED (2025-12-02) | cosign binary unavailable; cannot sign unknowns scoring manifest. Needs cosign/offline signer before 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | BLOCKED (2025-12-02) | cosign binary unavailable; cannot sign heuristic catalog/schema + fixtures. Needs cosign/offline signer before 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 9 | COSIGN-INSTALL-140 | TODO | Install/provide cosign binary (or offline signer) in build environment by 2025-12-03 to unblock DSSE signing for tasks 57. | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
| 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Refreshed Decisions & Risks after signer assignment; DSSE signing fixed for 2025-12-05 and decay/unknowns/heuristics remain BLOCKED pending `cosign` availability in offline kit. | Project Mgmt |
| 2025-12-02 | Marked DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 as BLOCKED pending DSSE signer assignment; added task SIGNER-ASSIGN-140 (BLOCKED) and DSSE signing checkpoint (2025-12-05). | Implementer |
| 2025-12-02 | Flagged cascading risk to SPRINT_0143/0144/0150 if signer not assigned by 2025-12-03; will mirror BLOCKED status to dependent tasks if missed. | Implementer |
| 2025-12-02 | Signer still unassigned; tasks 57 remain BLOCKED. Reminder: assignment due 2025-12-03 or BLOCKED will be mirrored into dependent sprints. | Implementer |
| 2025-12-02 | Signer assigned: Alice Carter (Signals Guild). SIGNER-ASSIGN-140 set to DONE; proceed to DSSE signing on 2025-12-05. | Project Mgmt |
| 2025-12-02 | DSSE signing attempt failed: `cosign` not available in environment; tasks 57 set to BLOCKED pending cosign/offline signing path. | Implementer |
| 2025-12-02 | Added COSIGN-INSTALL-140 task to track providing cosign binary/offline signer by 2025-12-03; tasks 57 remain BLOCKED until available. | Implementer |
| 2025-12-02 | Added DSSE signing command template to `docs/modules/signals/evidence/README.md` to streamline signing once signer is assigned. | Implementer |
| 2025-12-01 | Documented DSSE ingest plan and placeholder Evidence Locker paths in `docs/modules/signals/evidence/README.md`; waiting on signer assignment. | Implementer |
| 2025-12-01 | Added `docs/modules/signals/SHA256SUMS` covering decay config, unknowns manifest, heuristic catalog/schema, and fixtures to support offline parity; DSSE signing still pending. | Implementer |
@@ -76,8 +79,8 @@
- Link-Not-Merge v1 schema frozen 2025-11-17; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review scheduled for 2025-11-23 (see Next Checkpoints) must record hashes to fully unblock.
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
- Decay/Unknowns/heuristics remediation (U1U10, UN1UN10, UT1UT10) now BLOCKED pending DSSE signer assignment. If signed configs/catalogs are not published by 2025-12-05, SIGNALS-24-004/005 readiness and Unknowns registry rollout slip. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); DSSE signatures pending. Hashes recorded in `docs/modules/signals/SHA256SUMS` for offline/air-gap parity; Evidence Locker ingest plan staged at `docs/modules/signals/evidence/README.md` and will be populated post-signing. Task SIGNER-ASSIGN-140 added and BLOCKED until signer is named; if not cleared by 2025-12-03, mirror BLOCKED status into SPRINT_0143/0144/0150 dependencies.
- DSSE signing is currently unassigned; Signals/Policy signer must be designated by 2025-12-03 to keep 12-05 publication target; otherwise extend checkpoint and reflect slip in downstream sprints (0143/0144/0150).
- Decay/Unknowns/heuristics remediation (U1U10, UN1UN10, UT1UT10) remain BLOCKED on missing `cosign` binary even though signer is assigned (Alice Carter); DSSE signing scheduled for 2025-12-05. If the signing tool (or offline alternative) is not available by 2025-12-03, mirror BLOCKED status into SPRINT_0143/0144/0150. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); DSSE signatures pending. Hashes recorded in `docs/modules/signals/SHA256SUMS` for offline/air-gap parity; Evidence Locker ingest plan staged at `docs/modules/signals/evidence/README.md` and will be populated post-signing. COSIGN-INSTALL-140 added to track tool availability.
- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
- Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
- AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
@@ -102,7 +105,8 @@
| 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | Publish signed heuristic catalog + golden outputs/fixtures for UT1UT10; gate Signals scoring adoption. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | Sign decay config, unknowns manifest, heuristic catalog/schema with required predicates; upload envelopes + SHA256SUMS to Evidence Locker paths in `docs/modules/signals/evidence/README.md`. | Signals Guild · Policy Guild |
| 2025-12-03 | Assign DSSE signer | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
| 2025-12-03 | Provide cosign/offline signer | Deliver cosign binary (or offline signing path) for tasks 57; otherwise slip DSSE signing. | Platform / Build Guild |
| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
---

1
docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md
View File

@@ -86,6 +86,7 @@
| 2025-12-02 | ORCH-GAPS-151-016: added replay inputs lock record + deterministic hashing to capture inputs.lock (policy/graph/tool images/seeds/env) tied to replay manifest hash. | Implementer |
| 2025-12-02 | ORCH-GAPS-151-016: added replay inputs lock schema, DSSE hash recipe, and conformance tests to ensure hash/manifest alignment. | Implementer |
| 2025-12-02 | ORCH-GAPS-151-016: added pack-run log integrity fields (canonical SHA-256 + size) with deterministic hashing and updated log tests. | Implementer |
| 2025-12-02 | ORCH-GAPS-151-016: enforced artifact digest+size validation on pack-run completion and included artifact digests/sizes in completion events. | Implementer |
## Decisions & Risks
- Start of work gated on AirGap/Scanner/Graph dependencies staying green; reassess before moving tasks to DOING.

9
docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
View File

@@ -45,9 +45,9 @@
| 15f | SBOM-TESTS-186-015F | BLOCKED (2025-11-30) | BLOCKED by 15a-15e. | Sbomer Guild · QA Guild (`src/Sbomer/__Tests`) | Roundtrip tests: SPDX→CDX→SPDX with diff assertion; determinism tests (same input → same hash); SPDX 3.0.1 spec compliance validation. |
| 16 | DOCS-REPLAY-186-004 | BLOCKED (2025-11-30) | BLOCKED until replay schema settled (depends on 186-001). | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
| 17 | DOCS-SBOM-186-017 | BLOCKED (2025-11-30) | BLOCKED by 15a-15f and scope extension to Sbomer docs. | Docs Guild (`docs/modules/sbomer/spdx-3.md`) | Document SPDX 3.0.1 implementation: data model, serialization formats, CDX mapping table, storage schema, hash computation, migration guide from SPDX 2.3. |
| 18 | SCANNER-GAPS-186-018 | TODO | None; informs tasks 117. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
| 19 | SPINE-GAPS-186-019 | TODO | None; informs tasks 118. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
| 20 | COMPETITOR-GAPS-186-020 | TODO | None; informs ingest/normalization tasks. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
| 18 | SCANNER-GAPS-186-018 | TODO | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
| 19 | SPINE-GAPS-186-019 | TODO | Findings doc now available; derive SP1SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
| 20 | COMPETITOR-GAPS-186-020 | TODO | Findings doc now available; derive CM1CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -72,6 +72,8 @@
| 2025-12-01 | Added SCANNER-GAPS-186-018 to capture SC1SC10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added SPINE-GAPS-186-019 to capture SP1SP10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added COMPETITOR-GAPS-186-020 to capture CM1CM10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-02 | Added `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC/SP/CM gap details) and unblocked tasks 1820 to TODO. | Implementer |
| 2025-12-02 | Replaced legacy sprint file `SPRINT_186_record_deterministic_execution.md` with a stub pointing to this canonical file to prevent divergence. | Implementer |
## Decisions & Risks
| Item | Impact | Mitigation / Next Step | Status |
@@ -84,6 +86,7 @@
| BLOCKER (186-013): Cache key/DSSE validation contract missing. | Layer cache work cannot start. | Define shared schema; keep 186-013 BLOCKED. | OPEN |
| Risk (SPDX 3.0.1 canonicalisation). | Non-deterministic output could break hashing. | Keep 15a15f BLOCKED until scope includes `src/Sbomer` and canonical rules reviewed. | OPEN |
| Scope gap: sprint working directory excludes `src/Sbomer`. | Tasks 15/15a15f/17 cannot start. | PM to extend scope or move tasks to Sbomer sprint; logged in Execution Log. | OPEN |
| Missing findings doc for tasks 1820. | Cannot scope SC/ SP/ CM gap remediation without source content. | RESOLVED 2025-12-02: `docs/product-advisories/31-Nov-2025 FINDINGS.md` added; tasks 1820 set to TODO. | CLOSED |
## Next Checkpoints
- Kickoff after Replay Core scaffolding begins (date TBD).

2
docs/implplan/SPRINT_0216_0001_0001_web_v.md
View File

@@ -70,6 +70,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Risk/Vuln clients now share trace ID generator util; vulnerability client emits trace headers across list/detail/stats; spec asserts header. | BE-Base Platform Guild |
| 2025-12-02 | Test run skipped: `npm test` script unavailable in current environment; unit specs added but not executed. | BE-Base Platform Guild |
| 2025-12-02 | Added empty/loading states to risk table for better UX while gateway data loads. | BE-Base Platform Guild |
| 2025-12-02 | Risk client now prefers `crypto.randomUUID()` for trace IDs with ULID fallback; keeps correlation without external deps. | BE-Base Platform Guild |
| 2025-12-02 | Added unit specs for vulnerability HTTP client headers and vulnerability detail component rendering; tests not executed locally. | BE-Base Platform Guild |

40
docs/implplan/SPRINT_186_record_deterministic_execution.md
View File

@@ -1,39 +1,3 @@
# Sprint 186 - Scanner Replay · 186.A) Record & Deterministic Execution
# Legacy Redirect
[Scanner Replay] 186.A) Record & Deterministic Execution
Depends on: Sprint 185 Replay Core Foundations, Sprint 130 Scanner & Surface
Summary: Enable Scanner services to emit replay manifests/bundles, wire deterministic analyzer execution, and align signing flows.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCAN-REPLAY-186-001 | DONE (2025-11-26) | Implement `record` mode in `StellaOps.Scanner.WebService` (manifest assembly, policy/feed/tool hash capture, CAS uploads) and document the workflow in `docs/modules/scanner/architecture.md` with references to `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
SCAN-REPLAY-186-002 | DOING (2025-11-27) | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) |
SIGN-REPLAY-186-003 | TODO | Extend Signer/Authority DSSE flows to cover replay manifest/bundle payload types with multi-profile support; refresh `docs/modules/signer/architecture.md` and `docs/modules/authority/architecture.md` to capture the new signing/verification path referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 5. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/Authority/StellaOps.Authority`)
SIGN-CORE-186-004 | TODO | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography`)
SIGN-CORE-186-005 | TODO | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Signing Guild (`src/Signer/StellaOps.Signer.Core`)
SIGN-TEST-186-006 | TODO | Upgrade signer integration tests to run against the real crypto abstraction and fixture predicates (promotion, SBOM, replay), replacing stub tokens/digests with deterministic test data. | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`)
AUTH-VERIFY-186-007 | TODO | Expose an Authority-side verification helper/service that validates DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints, enabling offline audit flows. | Authority Guild, Provenance Guild (`src/Authority/StellaOps.Authority`, `src/Provenance/StellaOps.Provenance.Attestation`)
SCAN-DETER-186-008 | DONE (2025-11-26) | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`)
SCAN-DETER-186-009 | DONE (2025-11-27) | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
SCAN-DETER-186-010 | DONE (2025-11-27) | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
SCAN-ENTROPY-186-012 | DONE (2025-11-26) | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
SCAN-CACHE-186-013 | TODO | Implement layer-level SBOM/VEX cache keyed by (layer digest + manifest hash + tool/feed/policy IDs); re-verify DSSE attestations on cache hits and persist indexes for reuse/diagnostics; document in `docs/modules/scanner/architecture.md` referencing the 16-Nov-2026 layer cache advisory. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`)
SCAN-DIFF-CLI-186-014 | TODO | Add deterministic diff-aware rescan workflow (writes `scan.lock.json`, emits JSON Patch diffs, CLI verbs `stella scan --emit-diff` and `stella diff`) with replayable tests and docs aligned to the 15/16-Nov diff-aware advisories. | Scanner Guild · CLI Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Cli/StellaOps.Cli`, `tests/Scanner`, `docs/modules/scanner/operations/release.md`)
SBOM-BRIDGE-186-015 | TODO | Establish SPDX 3.0.1 as canonical SBOM persistence and build a deterministic CycloneDX 1.6 exporter (mapping table + library); update scanner/SBOM docs and wire snapshot hashes into replay manifests. | Sbomer Guild · Scanner Guild (`src/Sbomer`, `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
DOCS-REPLAY-186-004 | DONE (2025-11-26) | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`) |
> 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | DOCS-REPLAY-186-004 completed: added `docs/replay/TEST_STRATEGY.md` covering golden replay, feed drift, tool upgrade, offline runs, and checklists. | Docs Guild |
| 2025-11-26 | Added `docs/modules/scanner/deterministic-execution.md` with deterministic switches, ordering rules, hashing, and offline guidance; supports SCAN-REPLAY-186-002 planning. | Docs Guild |
| 2025-11-26 | SCAN-REPLAY-186-001 completed: RecordModeService now assembles replay manifests, writes input/output CAS bundles with policy/feed/tool pins, reachability refs, attaches to scan snapshots; architecture doc updated. | Scanner Guild |
| 2025-11-26 | SCAN-ENTROPY-186-011/012 completed: entropy stage emits windowed metrics; WebService surfaces entropy reports/layer summaries via surface manifest, status API; docs already published. | Scanner Guild |
| 2025-11-27 | Surface manifest now emits `determinism.json` (pins + runtime toggles) to support replay verification; worker determinism context carries concurrency cap. | Scanner Guild |
| 2025-11-27 | SCAN-DETER-186-010 completed: determinism.json now published with per-payload hashes in surface manifest, satisfying determinism evidence requirements for release bundles. | Scanner Guild |
| 2025-11-27 | SCAN-REPLAY-186-002 moved to DOING: starting worker sealed-bundle consumption and Merkle metadata wiring. | Scanner Guild |
| 2025-11-27 | SCAN-DETER-186-009 completed: added determinism harness library/tests to compute per-run hash matrices and scores for release bundles. | Scanner Guild |
| 2025-11-26 | SCAN-DETER-186-008 implemented: determinism pins for feed/policy metadata, policy pin enforcement, concurrency clamp, validation/tests. | Scanner Guild |
This sprint file was renamed to `SPRINT_0186_0001_0001_record_deterministic_execution.md` on 2025-11-19 to comply with the standard template and naming rules. Do not edit this legacy copy; update the canonical file instead.

4
docs/implplan/SPRINT_507_ops_devops_v.md
View File

@@ -10,7 +10,7 @@ DEVOPS-TEN-49-001 | DOING (2025-12-02) | Deploy audit pipeline, scope usage metr
DEVOPS-VEX-30-001 | DONE (2025-12-02) | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops)
DEVOPS-VULN-29-001 | DONE (2025-12-02) | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-VULN-29-002 | DONE (2025-12-02) | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | DevOps Guild, Vuln Explorer API Guild (ops/devops)
DEVOPS-VULN-29-003 | DOING (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
DEVOPS-VULN-29-003 | DONE (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
DOCKER-44-001 | DOING (2025-12-01) | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops)
DOCKER-44-002 | DONE (2025-12-02) | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | DevOps Guild (ops/devops)
DOCKER-44-003 | DONE (2025-12-02) | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Concelier/Excitior. Dependencies: DOCKER-44-002. | DevOps Guild (ops/devops)
@@ -45,3 +45,5 @@ OPS-SECRETS-02 | DONE (2025-12-02) | Embed Surface.Secrets material (encrypted b
- Tenant chaos drill requires iptables/root access; run only in isolated CI agents or staging clusters. Ensure JWKS cache TTL is monitored so chaos window does not trigger widespread auth failures.
| 2025-12-02 | Started DEVOPS-VULN-29-003: drafted analytics ingest/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`). | DevOps |
| 2025-12-02 | Updated Vuln Explorer observability runbook with query-hash metrics and PII guards to support DEVOPS-VULN-29-003. | DevOps |
| 2025-12-02 | Progress DEVOPS-VULN-29-003: added query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`) and updated observability runbook to include PII-safe query hashing and payload metrics. | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-003: published analytics/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`), query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`), and updated runbook for PII-safe metrics. | DevOps |

6
docs/implplan/tasks-all.md
View File

@@ -29,8 +29,8 @@
| --JOB-ORCH-ENG-0001 | DONE | | SPRINT_0323_0001_0001_docs_modules_orchestrator | Module Team (docs/modules/orchestrator) | docs/modules/orchestrator | ORGR0102 outline | | DOOR0101 |
| --JOB-ORCH-OPS-0001 | DONE | | SPRINT_0323_0001_0001_docs_modules_orchestrator | Ops Guild (docs/modules/orchestrator) | docs/modules/orchestrator | DOOR0101 doc structure | | DOOR0101 |
| 24-001 | DONE | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | — | — | SGSI0101 |
| 24-002 | DOING | 2025-11-07 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Surface cache availability | Surface cache availability | SGSI0101 |
| 24-003 | DOING | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
| 24-002 | BLOCKED (2025-11-19) | 2025-11-07 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Surface cache availability | CAS promotion (PREP-SIGNALS-24-002) pending | SGSI0101 |
| 24-003 | BLOCKED (2025-11-19) | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Runtime facts ingestion + provenance enrichment | CAS promotion + provenance schema pending | SGSI0101 |
| 24-004 | BLOCKED | 2025-10-27 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
| 24-005 | BLOCKED | 2025-10-27 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
| 29-007 | DONE | 2025-11-17 | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-007 | LEDGER-29-006 | PLLG0104 |
@@ -59,7 +59,7 @@
| 45-001 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
| 45-002 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
| 45-003 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
| 50-002 | DOING | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
| 50-002 | DONE (2025-11-27) | | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
| 51-002 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | Waiting on OBS-50 baselines and ORCH-OBS-50-001 schemas | TLTY0101 |
| 54-001 | BLOCKED | 2025-11-25 | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
| 56-001 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | Blocked: SGSI0101 provenance feed/contract pending | TLTY0101 |

54
docs/product-advisories/31-Nov-2025 FINDINGS.md Normal file
View File

@@ -0,0 +1,54 @@
# 31-Nov-2025 FINDINGS (Gap Consolidation)
## Purpose
This advisory consolidates late-November gap findings across Scanner, SBOM/VEX spine, competitor ingest, and other cross-cutting areas. It enumerates remediation tracks referenced by multiple sprints (for example SPRINT_0186_0001_0001_record_deterministic_execution.md) so implementation teams can scope work without waiting on scattered notes.
## Scope & Status
- **Created:** 2025-12-02 (retroactive to 2025-11-30 findings review)
- **Applies to:** Scanner, Sbomer, Policy/Authority, CLI/UI, Observability, Offline/Release
- **Priority sets included:** SC1SC10 (Scanner), SP1SP10 (SBOM/VEX spine), CM1CM10 (Competitor ingest). Other gap families remain to be catalogued; see "Pending families" below.
## SC (Scanner Blueprint) Gaps — SC1SC10
1. **SC1 — Standards convergence roadmap**: Land coordinated adoption of CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 in scanner outputs and docs.
2. **SC2 — CDX 1.7 + CBOM exports**: Produce deterministic CycloneDX 1.7 with CBOM sections and embedded evidence citations.
3. **SC3 — SLSA Source Track capture**: Capture source-trace fields (build provenance, source repo refs, build-id) in replay bundles.
4. **SC4 — Compatibility adapters**: Provide downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with deterministic mapping tables.
5. **SC5 — Determinism CI for new formats**: Add CI checks/harnesses ensuring stable ordering/hashes for new schemas.
6. **SC6 — Binary/source evidence alignment**: Align binary evidence (build-id, symbols, patch oracle) with source SBOM/VEX outputs.
7. **SC7 — API/UI surfacing**: Expose the new metadata in surface API and console (filters, columns, download endpoints).
8. **SC8 — Baseline fixtures**: Curate fixture set covering v4 scoring, CBOM, SLSA 1.2, and evidence chips for regression.
9. **SC9 — Governance/approvals**: Define review gates/approvers for schema bumps and downgrade mappings.
10. **SC10 — Offline-kit parity**: Ensure offline kits ship frozen schemas, mappings, and fixtures for the above.
## SP (SBOM/VEX Spine) Gaps — SP1SP10
1. **SP1 — Versioned API/DTO schemas**: Introduce versioned SBOM/VEX spine schemas with explicit migration rules.
2. **SP2 — Predicate/edge evidence requirements**: Mandate evidence fields per predicate/edge (e.g., reachability proof, package identity, build metadata).
3. **SP3 — Unknowns workflow contract**: Define lifecycle/SLA for Unknowns registry entries and their surfacing in spine APIs.
4. **SP4 — DSSE-signed bundle manifest**: Require DSSE-signed manifest including hash listings for every spine artifact.
5. **SP5 — Deterministic diff rules/fixtures**: Specify canonical diff rules and fixtures for SBOM/VEX deltas.
6. **SP6 — Feed snapshot freeze/staleness**: Codify snapshot/policy freshness guarantees and staleness thresholds.
7. **SP7 — Mandated DSSE per stage**: Enforce DSSE signatures per processing stage with Rekor/mirror policies (online/offline).
8. **SP8 — Policy lattice versioning**: Version the policy lattice and embed version refs into spine objects.
9. **SP9 — Performance/pagination limits**: Set deterministic pagination/ordering and perf budgets for API queries.
10. **SP10 — Crosswalk mappings**: Provide crosswalk between SBOM/VEX/graph/policy outputs for auditors and tooling.
## CM (Competitor Ingest) Gaps — CM1CM10
1. **CM1 — Normalization adapters**: Harden ingest adapters for Syft/Trivy/Clair (SBOM + vuln scan) into StellaOps schemas.
2. **CM2 — Signature/provenance verification**: Verify external SBOM/scan signatures and provenance before acceptance; reject/flag unverifiable payloads.
3. **CM3 — Snapshot governance**: Enforce DB snapshot versioning, freshness SLAs, and rollback plans for imported feeds.
4. **CM4 — Anomaly regression tests**: Add regression tests for known ingest anomalies (schema drift, nullables, encoding, ordering).
5. **CM5 — Offline ingest kits**: Provide offline kits with DSSE-signed adapters, mappings, and fixtures for external SBOM/scan imports.
6. **CM6 — Fallback rules**: Define fallback hierarchy when external data is incomplete (prefer signed SBOM → unsigned SBOM → scan results → policy defaults).
7. **CM7 — Source transparency**: Persist source tool/version/hash metadata and expose it in APIs/exports.
8. **CM8 — Benchmark parity**: Maintain benchmark parity with upstream tool baselines (version-pinned, hash-logged runs).
9. **CM9 — Ecosystem coverage**: Track coverage per ecosystem (container, Java, Python, .NET, Go, OS packages) and gaps for ingest support.
10. **CM10 — Error resilience & retries**: Standardize retry/backoff/error classification for ingest pipeline; surface diagnostics deterministically.
## Pending Families (to be expanded)
The following gap families were referenced in November indices and still need detailed findings written out:
- CV1CV10 (CVSS v4 receipts), CVM1CVM10 (momentum), FC1FC10 (SCA fixture gaps), OB1OB10 (onboarding), IG1IG10 (implementor guidance), RR1RR10 (Rekor receipts), SK1SK10 (standups), MI1MI10 (UI micro-interactions), PVX1PVX10 (Proof-linked VEX UI), TTE1TTE10 (Time-to-Evidence), AR-EP1…AR-VB1 (archived advisories revival), BP1BP10 (SBOM→VEX proof pipeline), UT1UT10 (unknown heuristics), CE1CE10 (evidence patterns), ET1ET10 (ecosystem fixtures), RB1RB10 (reachability fixtures), G1G12 / RD1RD10 (reachability benchmark/dataset), UN1UN10 (unknowns registry), U1U10 (decay), EX1EX10 (explainability), VEX1VEX10 (VEX claims), BR1BR10 (binary reachability), VT1VT10 (triage), PL1PL10 (plugin arch), EB1EB10 (evidence baseline), EC1EC10 (export center), AT1AT10 (automation), OK1OK10 / RK1RK10 / MS1MS10 (offline/mirror/Rekor kits), TP1TP10 (task packs), AU1AU10 (auth), CL1CL10 (CLI), OR1OR10 (orchestrator), ZR1ZR10 (Zastava), NR1NR10 (Notify), GA1GA10 (graph analytics), TO1TO10 (telemetry), PS1PS10 (policy), FL1FL10 (ledger), CI1CI10 (Concelier ingest).
Each pending family should be expanded in this document (or split into dedicated, linked supplements) with numbered findings, recommended evidence, and deterministic test/fixture expectations.
## Decision Trace
- This document was created to satisfy sprint and index references to “31-Nov-2025 FINDINGS.md” and unblock gap-remediation tasks across Scanner/SBOM/VEX and ingest tracks.