feat: Add documentation and task tracking for Sprints 508 to 514 in Ops & Offline
- Created detailed markdown files for Sprints 508 (Ops Offline Kit), 509 (Samples), 510 (AirGap), 511 (Api), 512 (Bench), 513 (Provenance), and 514 (Sovereign Crypto Enablement) outlining tasks, dependencies, and owners.
- Introduced a comprehensive Reachability Evidence Delivery Guide to streamline the reachability signal process.
- Implemented unit tests for Advisory AI to block known injection patterns and redact secrets.
- Added AuthoritySenderConstraintHelper to manage sender constraints in OpenIddict transactions.
@@ -1538,3 +1538,223 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | DONE | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). |
| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. |
| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. |
## Sprint 110 - Ingestion & Evidence
### Completed or Dropped Tasks
| Theme | Task ID | Status | Owners/Path | Notes |
| --- | --- | --- | --- | --- |
| 110.A) AdvisoryAI | AIAI-31-001 | DONE (2025-11-02) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. (Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001.) |
| 110.A) AdvisoryAI | AIAI-31-002 | DONE (2025-11-04) | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). (Dependencies: SBOM-VULN-29-001.) |
| 110.A) AdvisoryAI | AIAI-31-003 | DONE (2025-11-04) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. (Dependencies: AIAI-31-001..002.) |
| 110.A) AdvisoryAI | AIAI-31-004 | DONE (2025-11-04) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). (Dependencies: AIAI-31-001..003, AUTH-VULN-29-001.) |
| 110.A) AdvisoryAI | AIAI-31-004A | DONE (2025-11-04) | Advisory AI Guild, Platform Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Wire orchestrator into WebService/Worker, expose API + queue contract, emit metrics, stub cache. (Dependencies: AIAI-31-004, AIAI-31-002.) |
| 110.A) AdvisoryAI | AIAI-31-004B | DONE (2025-11-06) | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement prompt assembler, guardrails, cache persistence, DSSE provenance, golden outputs. (Dependencies: AIAI-31-004A, DOCS-AIAI-31-003, AUTH-AIAI-31-004.) |
| 110.A) AdvisoryAI | AIAI-31-004C | DONE (2025-11-06) | Advisory AI Guild, CLI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Deliver CLI `stella advise run` command, renderer, docs, CLI golden tests. (Dependencies: AIAI-31-004B, CLI-AIAI-31-003.) |
| 110.A) AdvisoryAI | DOCS-AIAI-31-002 | DONE (2025-11-03) | Docs Guild, Advisory AI Guild (docs/TASKS.md) | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministic tooling, caching, model profiles. (Dependencies: AIAI-31-004.) |
| 110.A) AdvisoryAI | DOCS-AIAI-31-001 | DONE (2025-11-03) | Docs Guild, Advisory AI Guild (docs/TASKS.md) | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC personas, and offline posture. |
| 110.A) AdvisoryAI | DOCS-AIAI-31-003 | DONE (2025-11-03) | Docs Guild, Advisory AI Guild (docs/TASKS.md) | Write `/docs/advisory-ai/api.md` covering endpoints, schemas, errors, rate limits, and imposed-rule banner. (Dependencies: DOCS-AIAI-31-002.) |
| 110.A) AdvisoryAI | DOCS-AIAI-31-007 | DONE (2025-11-07) | Docs Guild, Security Guild (docs/TASKS.md) | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. (Dependencies: AIAI-31-005.) |
| 110.A) AdvisoryAI | AIAI-31-005 | DONE (2025-11-04) | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. (Dependencies: AIAI-31-004.) |
| 110.A) AdvisoryAI | AIAI-31-006 | DONE (2025-11-04) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Expose REST API endpoints (`/advisory/ai/*`) with RBAC, rate limits, OpenAPI schemas, and batching support. (Dependencies: AIAI-31-004..005.) |
| 110.A) AdvisoryAI | AIAI-31-007 | DONE (2025-11-06) | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. (Dependencies: AIAI-31-004..006.) |
| 110.A) AdvisoryAI | AIAI-31-010 | DONE (2025-11-02) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement Concelier advisory raw document provider mapping CSAF/OSV payloads into structured chunks for retrieval. (Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001.) |
| 110.A) AdvisoryAI | AIAI-31-011 | DONE (2025-11-02) | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) | Implement Excititor VEX document provider to surface structured VEX statements for retrieval. (Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-CORE-AOC-19-002.) |
| 110.B) Concelier.I | CONCELIER-AIAI-31-001 `Paragraph anchors` | DONE | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. |
| 110.B) Concelier.I | CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | DONE (2025-11-06) | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.… (Dependencies: CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003.) |
| 110.B) Concelier.III | CONCELIER-OBS-50-001 `Telemetry adoption` | DONE (2025-11-07) | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. |
| 110.B) Concelier.IV | CONCELIER-VULN-29-001 `Advisory key canonicalization` | DONE (2025-11-07) | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no… (Dependencies: CONCELIER-LNM-21-001.) |
| 110.B) Concelier.IV | CONCELIER-VULN-29-002 `Evidence retrieval API` | DONE (2025-11-07) | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. (Dependencies: CONCELIER-VULN-29-001, VULN-API-29-003.) |
| 110.B) Concelier.V | CONCELIER-WEB-AOC-19-002 `AOC observability` | DONE (2025-11-07) | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include… |
| 110.B) Concelier.V | CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | DONE (2025-11-02) | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. |
| 110.B) Concelier.V | CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | DONE (2025-11-07) | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. |
| 110.B) Concelier.VI | FEEDCONN-ICSCISA-02-012 Version range provenance | **DONE (2025-11-03)** – Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance identifiers (`ics-cisa:{advisoryId}:{product}`). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.<br>2025-10-29: Follow `docs/dev/normalized-rule-recipes.md` §2 to build observation version entries and log failures without invoking the retired merge helpers.<br>2025-11-03: Completed – connector now normalizes semver ranges with provenance notes, RSS fallback content clears the AOC guard, and end-to-end Fetch/Parse/Map integration tests pass. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md) | **DONE (2025-11-03)** – Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance… |
| 110.B) Concelier.VI | FEEDCONN-KISA-02-008 Firmware range provenance | **DONE (2025-11-04)** – Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]` with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema.<br>2025-11-03: Analysis in progress – auditing existing mapper output/fixtures ahead of implementing firmware range normalization and provenance wiring.<br>2025-11-03: SemVer normalization helper wired through `KisaMapper` with provenance slugs + vendor extensions; integration tests updated and green, follow-up capture for additional Hangul exclusivity markers queued before completion.<br>2025-11-03: Extended connector tests to cover single-ended (`이상`, `초과`, `이하`, `미만`) and non-numeric phrases, verifying normalized rule types (`gt`, `gte`, `lt`, `lte`) and fallback behaviour; broader corpus review remains before transitioning to DONE.<br>2025-11-03: Captured the top 10 `detailDos.do?IDX=` pages into `seed-data/kisa/html/` via `scripts/kisa_capture_html.py`; JSON endpoint (`rssDetailData.do?IDX=…`) now returns error pages, so connector updates must parse the embedded HTML or secure authenticated API access before closing.<br>2025-11-04: Fetch + parse pipeline now consumes the HTML detail pages end to end (metadata persisted, DOM parser extracts vendor/product ranges); fixtures/tests operate on the HTML snapshots to guard normalized SemVer + vendor extension expectations and severity extraction. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md) | **DONE (2025-11-04)** – Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]`… |
| 110.B) Concelier.VI | FEEDCONN-SHARED-STATE-003 Source state seeding helper | **DONE (2025-11-04)** – Delivered `SourceStateSeeder` CLI + processor APIs, Mongo fixtures, and MSRC runbook updates. Seeds raw docs + cursor state deterministically; tests cover happy/path/idempotent flows (`dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Common.Tests/...` – note: requires `libcrypto.so.1.1` when running Mongo2Go locally). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md) | **DONE (2025-11-04)** – Delivered `SourceStateSeeder` CLI + processor APIs, Mongo fixtures, and MSRC runbook updates. Seeds raw docs + cursor state deterministically; tests cover… |
| 110.B) Concelier.VI | FEEDMERGE-COORD-02-901 Connector deadline check-ins | DROPPED (2025-11-07) | — | Scope removed: FeedMerge coordination requires an AOC policy that does not exist yet. Re-open once governance/ownership is defined. |
| 110.B) Concelier.VI | FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | DROPPED (2025-11-07) | — | Blocked on FEEDMERGE policy/ownership; dropped alongside 02-901. |
| 110.B) Concelier.VI | FEEDMERGE-COORD-02-903 KISA firmware scheme review | DROPPED (2025-11-07) | — | Blocked on FEEDMERGE policy/ownership; dropped alongside 02-901. |
| 110.B) Concelier.VI | Fixture validation sweep | **DONE (2025-11-04)** – Regenerated RHSA CSAF goldens via `scripts/update-redhat-fixtures.sh` (sets `UPDATE_GOLDENS=1`) and re-ran connector tests `dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests.csproj --no-restore` to confirm snapshot parity. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md) | **DONE (2025-11-04)** – Regenerated RHSA CSAF goldens via `scripts/update-redhat-fixtures.sh` (sets `UPDATE_GOLDENS=1`) and re-ran connector tests `dotnet test… |
| 110.B) Concelier.VI | Link-Not-Merge version provenance coordination | **DONE (2025-11-04)** – Published connector status tracker + follow-up IDs in `docs/dev/normalized-rule-recipes.md`, enabled `Normalized version rules missing` diagnostics in Merge, and aligned dashboards on `LinksetVersionCoverage`. Remaining gaps (ACSC/CCCS/CERTBUND/Cisco/RU-BDU) documented as upstream data deficiencies awaiting feed updates. Dependencies: CONCELIER-LNM-21-203. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) | **DONE (2025-11-04)** – Published connector status tracker + follow-up IDs in `docs/dev/normalized-rule-recipes.md`, enabled `Normalized version rules missing` diagnostics in… (Dependencies: CONCELIER-LNM-21-203.) |
| 110.B) Concelier.VI | MERGE-LNM-21-001 | DONE (2025-11-03) | BE-Merge, Architecture Guild (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) | Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. 2025-11-03: Authored… |
| 110.B) Concelier.VII | MERGE-LNM-21-002 | DONE (2025-11-07) | BE-Merge (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) | Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage.… |
| 110.B) Concelier.VII | MERGE-LNM-21-003 Determinism/test updates | DONE (2025-11-07) | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) | Replaced the retired merge determinism harness with observation/linkset/export regressions. `AdvisoryObservationFactoryTests` now assert raw reference parity + conflict notes,… |
| 110.B) Concelier.VII | WEB-AOC-19-001 (dependency) | DONE (2025-11-07) | BE-Base Platform Guild (docs/aoc/guard-library.md, src/Web/StellaOps.Web/TASKS.md) | Shared guard primitives now enforce the top-level allowlist (`_id`, tenant, source, upstream, content, identifiers, linkset, supersedes, created/ingested timestamps, attributes)… |
| 110.C) Excititor.III | EXCITITOR-OBS-50-001 `Telemetry adoption` | DONE (2025-11-07) | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. |
| 110.C) Excititor.VI | EXCITITOR-WEB-AOC-19-001 `Raw VEX ingestion APIs` | DONE (2025-11-08) | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Implement `POST /ingest/vex`, `GET /vex/raw*`, and `POST /aoc/verify` endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts… |
| 110.C) Excititor.VI | EXCITITOR-WEB-AOC-19-002 `AOC observability + metrics` | DONE (2025-11-08) | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Export metrics (`ingestion_write_total`, `aoc_violation_total`, signature verification counters) and tracing spans matching Conseiller naming. Ensure structured logging includes… (Dependencies: EXCITITOR-WEB-AOC-19-001.) |
| 110.C) Excititor.VI | EXCITITOR-WEB-AOC-19-003 `Guard + schema test harness` | DONE (2025-11-08) | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Add unit/integration tests for schema validation, forbidden field rejection (`ERR_AOC_001/006/007`), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic… (Dependencies: EXCITITOR-WEB-AOC-19-002.) |
| 110.C) Excititor.VI | EXCITITOR-WEB-AOC-19-004 `Batch ingest validation` | DONE (2025-11-08) | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI `aoc verify` compatibility. Document load test/runbook updates. (Dependencies: EXCITITOR-WEB-AOC-19-003.) |
| 110.C) Excititor.VI | EXCITITOR-WEB-OBS-50-001 `Telemetry adoption` | DONE (2025-11-07) | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. |
| 110.C) Excititor.VI | EXCITITOR-WEB-OBS-51-001 `Observability health endpoints` | DONE (2025-11-08) | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) | Implement `/obs/excititor/health` summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. (Dependencies: EXCITITOR-WEB-OBS-50-001.) |
### Progress Notes
- **110.A) AdvisoryAI** – 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
- **110.A) AdvisoryAI** – 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
- **110.A) AdvisoryAI** – 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship.
- **110.A) AdvisoryAI** – 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests.
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-003 moved to DOING – drafting Advisory AI API reference (endpoints, rate limits, error model) for sprint 110.
- **110.A) AdvisoryAI** – 2025-11-04: AIAI-31-005 DONE – guardrail pipeline redacts secrets, enforces citation/injection policies, emits block counters, and tests (`AdvisoryGuardrailPipelineTests`) cover redaction + citation validation.
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-003 marked DONE – `docs/advisory-ai/api.md` published with scopes, request/response schemas, rate limits, and error catalogue (Docs Guild).
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-001 marked DONE – `docs/advisory-ai/overview.md` published with value, personas, guardrails, observability, and roadmap checklists (Docs Guild).
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-002 marked DONE – `docs/advisory-ai/architecture.md` published describing pipeline, deterministic tooling, caching, and profile governance (Docs Guild).
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-004 marked BLOCKED – Console widgets/endpoints (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) still pending; cannot document UI flows yet.
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-005 marked BLOCKED – CLI implementation (`stella advise run`, CLI-VULN-29-001, CLI-VEX-30-001) plus AIAI-31-004C not shipped; doc blocked until commands exist.
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-006 marked BLOCKED – Advisory AI parameter knobs (POLICY-ENGINE-31-001) absent; doc deferred.
- **110.A) AdvisoryAI** – 2025-11-07: DOCS-AIAI-31-007 marked DONE – `/docs/security/assistant-guardrails.md` now documents redaction rules, blocked phrases, telemetry, and alert procedures.
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-008 marked BLOCKED – Waiting on SBOM heuristics delivery (SBOM-AIAI-31-001).
- **110.A) AdvisoryAI** – 2025-11-03: DOCS-AIAI-31-009 marked BLOCKED – DevOps runbook inputs (DEVOPS-AIAI-31-001) outstanding.
- **110.A) AdvisoryAI** – 2025-11-03: Shipped `/api/v1/advisory/{task}` execution and `/api/v1/advisory/outputs/{cacheKey}` retrieval endpoints with guardrail integration, provenance hashes, and metrics (RBAC & rate limiting still pending Authority scope delivery).
- **110.A) AdvisoryAI** – 2025-11-06: AIAI-31-007 completed – Advisory AI WebService/Worker emit latency histograms, guardrail/validation counters, citation coverage ratios, and OTEL spans; Grafana dashboard + burn-rate alerts refreshed.
- **110.A) AdvisoryAI** – 2025-11-02: AIAI-31-004 kicked off orchestration pipeline design – establishing deterministic task sequence (summary/conflict/remediation) and cache key strategy.
- **110.A) AdvisoryAI** – 2025-11-02: AIAI-31-004 orchestration prerequisites documented in docs/modules/advisory-ai/orchestration-pipeline.md (tasks 004A/004B/004C).
- **110.A) AdvisoryAI** – 2025-11-02: AIAI-31-003 moved to DOING – beginning deterministic tooling (comparators, dependency analysis) while awaiting SBOM context client. Semantic & EVR comparators shipped; toolset interface published for orchestrator adoption.
- **110.A) AdvisoryAI** – 2025-11-04: AIAI-31-004 DONE – orchestrator composes evidence (structured/vector/SBOM) with stable cache keys, metadata, and hashing; tests keep determinism enforced.
- **110.A) AdvisoryAI** – 2025-11-02: Structured + vector retrievers landed with deterministic CSAF/OSV/Markdown chunkers, deterministic hash embeddings, and unit coverage for sample advisories.
- **110.A) AdvisoryAI** – 2025-11-02: SBOM context request/result models finalized; retriever tests now validate environment-flag toggles and dependency-path dedupe. SBOM guild to wire real context service client.
- **110.A) AdvisoryAI** – 2025-11-04: AIAI-31-002 completed – `AddSbomContext` typed client registered in WebService/Worker, BaseAddress/tenant headers sourced from configuration, and retriever HTTP-mapping tests extended.
- **110.A) AdvisoryAI** – 2025-11-04: AIAI-31-003 completed – deterministic toolset integrated with orchestrator cache, property/range tests broadened, and dependency analysis outputs now hashed for replay.
- **110.A) AdvisoryAI** – 2025-11-04: AIAI-31-004A ongoing – WebService/Worker queue wiring emits initial metrics, SBOM context hashing feeds cache keys, and replay docs updated ahead of guardrail implementation.
- **110.D) Mirror** – 2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.
- **110.D) Mirror** – 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE | AirGap Policy Guild | AIRGAP-POL-56-001 | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE | AirGap Policy Guild, DevEx Guild | AIRGAP-POL-56-002 | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. Dependencies: AIRGAP-POL-56-001. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE (2025-11-03) | AirGap Policy Guild, BE-Base Platform Guild | AIRGAP-POL-57-001 | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. Dependencies: AIRGAP-POL-56-002. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE (2025-11-03) | AirGap Policy Guild, Task Runner Guild | AIRGAP-POL-57-002 | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list.<br>2025-11-03: Worker wiring pulls `IEgressPolicy`, filesystem dispatcher enforces sealed-mode egress, dispatcher test + grant normalization landed, package versions aligned to rc.2.<br>Next: ensure other dispatchers/executors reuse the injected policy before enabling sealed-mode runs in worker service. Dependencies: AIRGAP-POL-57-001. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE (2025-11-03) | AirGap Policy Guild, Observability Guild | AIRGAP-POL-58-001 | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning.<br>2025-11-03: Introduced `StellaOps.Telemetry.Core` with OTLP exporter guard; Registry Token Service consumes new telemetry bootstrap; sealed-mode now skips non-loopback collectors and logs remediation guidance; docs refreshed for telemetry/air-gap playbooks. Dependencies: AIRGAP-POL-57-002. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | DONE (2025-11-03) | AirGap Policy Guild, CLI Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation.<br>2025-11-03: CLI now wires HTTP clients through `StellaOps.AirGap.Policy`, returns `AIRGAP_EGRESS_BLOCKED` with remediation when sealed, and docs updated. Dependencies: AIRGAP-POL-58-001. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE (2025-11-03) | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures.<br>2025-11-03: Initial migration, canonical fixtures, and schema doc alignment delivered (LEDGER-29-001). |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE (2025-11-03) | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API (`POST /vuln/ledger/events`) with validation, idempotency, hash chaining, and Merkle root computation job.<br>2025-11-03: Web service + domain scaffolding landed with canonical hashing helpers, in-memory repository, Merkle scheduler stub, request/response contracts, and unit tests covering hashing & conflict flows. Dependencies: LEDGER-29-001. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE (2025-11-03) | Findings Ledger Guild, Scheduler Guild | LEDGER-29-003 | Build projector worker that derives `findings_projection` rows from ledger events + policy determinations; ensure idempotent replay keyed by `(tenant,finding_id,policy_version)`. <br>2025-11-03: Postgres projection services landed with replay checkpoints, fixtures, and unit coverage (LEDGER-29-003). Dependencies: LEDGER-29-002. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE (2025-11-04) | Findings Ledger Guild, Policy Guild | LEDGER-29-004 | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references.<br>2025-11-04: Ledger service now calls `/api/policy/eval/batch` with resilient HttpClient, shared cache, and inline fallback; documentation/config samples updated; ledger tests executed (`dotnet test src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj --no-restore`). Dependencies: LEDGER-29-003. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. Dependencies: LEDGER-29-004. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger/TASKS.md | DONE | Findings Ledger Guild, Security Guild | LEDGER-29-006 | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. Dependencies: LEDGER-29-005. |
| Sprint 120 | [Policy & Reasoning] 120.C) Policy.II | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE | Policy Guild, Security Guild | POLICY-ENGINE-27-003 | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (`ERR_POL_COMPLEXITY`). Dependencies: POLICY-ENGINE-27-002. |
| Sprint 120 | [Policy & Reasoning] 120.C) Policy.II | src/Policy/StellaOps.Policy.Engine/TASKS.md | DONE | Policy Guild, QA Guild | POLICY-ENGINE-27-004 | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. Dependencies: POLICY-ENGINE-27-003. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) | DONE | `SCANNER-ANALYZERS-LANG-10-308R` | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) | DONE | `SCANNER-ANALYZERS-LANG-10-309R` | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. Dependencies: SCANNER-ANALYZERS-LANG-10-308R. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-11-02) | EntryTrace Guild | `ENTRYTRACE-SURFACE-01` | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-11-02) | EntryTrace Guild | `ENTRYTRACE-SURFACE-02` | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. Dependencies: ENTRYTRACE-SURFACE-01. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-11-02) | EntryTrace Guild, QA Guild | `SCANNER-ENTRYTRACE-18-509` | Add regression coverage for EntryTrace surfaces (result store, WebService endpoint, CLI renderer) and NDJSON hashing. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-11-02) | EntryTrace Guild | `SCANNER-ENTRYTRACE-18-507` | Expand candidate discovery beyond ENTRYPOINT/CMD by scanning Docker history metadata and default service directories (`/etc/services/**`, `/s6/**`, `/etc/supervisor/*.conf`, `/usr/local/bin/*-entrypoint`) when explicit commands are absent. Dependencies: SCANNER-ENTRYTRACE-18-509. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-11-02) | EntryTrace Guild | `SCANNER-ENTRYTRACE-18-508` | Extend wrapper catalogue to collapse language/package launchers (`bundle`, `bundle exec`, `docker-php-entrypoint`, `npm`, `yarn node`, `pipenv`, `poetry run`) and vendor init scripts before terminal classification. Dependencies: SCANNER-ENTRYTRACE-18-507. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-11-03) | Language Analyzer Guild | `LANG-SURFACE-01` | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites.<br>2025-11-03: CompositeScanAnalyzerDispatcher now enforces Surface.Validation prior to language analyzers and propagates actionable failure diagnostics. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-11-03) | Language Analyzer Guild | `LANG-SURFACE-02` | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. Dependencies: LANG-SURFACE-01.<br>2025-11-03: Language analyzer runs fingerprint the workspace and persist results via Surface.FS cache helper for deterministic reuse. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-11-03) | Language Analyzer Guild | `LANG-SURFACE-03` | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. Dependencies: LANG-SURFACE-02.<br>2025-11-03: LanguageAnalyzerContext exposes Surface.Secrets-backed helper for registry/feed credentials with unit coverage. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-11-06) | Scanner WebService Guild | `SCANNER-EVENTS-16-302` | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. Dependencies: SCANNER-EVENTS-16-301.<br>2025-11-06 22:55Z: Dispatcher honours configurable console/API segments; docs and samples refreshed; added regression test for custom segments. `dotnet test` previously blocked by legacy Surface cache ctor signature (tracked under Surface task).<br>2025-11-06 23:30Z: Report DSSE fixtures re-synced; Surface cache ctor drift repaired; `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests --no-build` now green end-to-end. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-11-06) | Scanner Worker Guild, Security Guild | `SCANNER-SECRETS-01` | Adopt `StellaOps.Scanner.Surface.Secrets` for registry/CAS credentials during scan execution.<br>2025-11-02: Surface.Secrets provider wired for CAS token retrieval; integration tests added.<br>2025-11-06: Replaced registry credential plumbing with shared provider + rotation-aware metrics; introduced registry secret stage and analysis keys.<br>2025-11-06 23:40Z: Installed .NET 10 RC2 runtime, parser/stage unit suites green (`dotnet test` Surface.Secrets + Worker focused filter). |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-11-06) | Scanner WebService Guild, Security Guild | `SCANNER-SECRETS-02` | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). Dependencies: SCANNER-SECRETS-01.<br>2025-11-02: WebService export path now resolves registry credentials via Surface.Secrets stub; CI pipeline hook in progress.<br>2025-11-06: Picking up Surface.Secrets provider usage across report/export flows and removing legacy secret file readers.<br>2025-11-06 21:40Z: WebService options now consume `cas-access` secrets via configurator; storage mirrors updated; targeted tests passing.<br>2025-11-06 23:58Z: Registry + attestation secrets sourced via Surface.Secrets (options extended, configurator + tests updated); Surface.Secrets & configurator test suites executed on .NET 10 RC2 runtime. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-11-06) | Scanner Worker Guild | `SCANNER-SURFACE-01` | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments.<br>2025-11-02: Worker pipeline emitting draft Surface.FS manifests for sample scans; determinism checks running.<br>2025-11-06: Continuing with manifest writer abstraction + telemetry wiring for Surface.FS persistence.<br>2025-11-06 18:45Z: Resumed work; targeting manifest writer abstraction, CAS persistence hooks, and telemetry/test coverage updates.<br>2025-11-06 20:20Z: Published Surface worker Grafana dashboard + updated design doc; WebService pointer integration test now covers manifest/payload artefacts. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-11-05) | Scanner WebService Guild | `SCANNER-SURFACE-02` | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. Dependencies: SCANNER-SURFACE-01.<br>2025-11-05: Surface pointer projection wired through WebService endpoints, orchestrator samples & DSSE fixtures refreshed with `surface` manifest block, and regression suite (platform events, report sample, ready check) updated. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-11-07) | BuildX Plugin Guild | `SCANNER-SURFACE-03` | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. Dependencies: SCANNER-SURFACE-02.<br>2025-11-06: Starting BuildX manifest upload implementation with Surface.FS client abstraction and integration tests.<br>2025-11-07 15:30Z: Resumed BuildX plugin Surface wiring; analyzing Surface.FS models, CAS flow, and upcoming tests before coding.<br>2025-11-07 22:10Z: Added Surface manifest writer + CLI flags to the BuildX plug-in, persisted artefacts into CAS, regenerated docs/fixtures, and shipped new tests covering the writer + descriptor flow. |
## Sprint 100 - Identity & Signing
### Completed or Dropped Tasks
| Theme | Task ID | Status | Owners/Path | Notes |
| --- | --- | --- | --- | --- |
| 100.A) Attestor.I | ATTEST-ENVELOPE-72-001 | DONE (2025-11-01) | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. |
| 100.A) Attestor.I | ATTEST-ENVELOPE-72-002 | DONE (2025-11-01) | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) | Support compact and expanded JSON output, payload compression, and detached payload references. (Deps: ATTEST-ENVELOPE-72-001.) |
| 100.A) Attestor.I | ATTEST-ENVELOPE-73-001 | DONE | Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (`keyid`) scheme, and error mapping. (Deps: ATTEST-ENVELOPE-72-002.) |
| 100.A) Attestor.I | ATTEST-ENVELOPE-73-002 | DONE | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. (Deps: ATTEST-ENVELOPE-73-001.) |
| 100.A) Attestor.I | ATTEST-TYPES-72-001 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. |
| 100.A) Attestor.I | ATTEST-TYPES-72-002 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. (Deps: ATTEST-TYPES-72-001.) |
| 100.A) Attestor.I | ATTEST-TYPES-73-001 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) | Create golden payload samples for each type; integrate into tests and documentation. (Deps: ATTEST-TYPES-72-002.) |
| 100.A) Attestor.I | ATTEST-TYPES-73-002 | DONE | Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) | Publish schema reference docs (`/docs/modules/attestor/payloads.md`) with annotated JSON examples. (Deps: ATTEST-TYPES-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-73-001 | DONE | Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. (Deps: VERPOL-73-001, ATTESTOR-73-002.) |
| 100.A) Attestor.I | ATTEST-VERIFY-73-002 | DONE | Verification Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) | Add caching layer keyed by `(subject, envelope_id, policy_version)` with TTL and invalidation on new evidence. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-74-001 | DONE | Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-74-002 | DONE (2025-11-01) | Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) | Document verification report schema and explainability in `/docs/modules/attestor/workflows.md`. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTESTOR-72-001 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. (Deps: ATTEST-ENVELOPE-72-001.) |
| 100.A) Attestor.I | ATTESTOR-72-002 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. (Deps: ATTESTOR-72-001.) |
| 100.A) Attestor.I | ATTESTOR-72-003 | DONE (2025-11-03) | Attestor Service Guild, QA Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. (Deps: ATTESTOR-72-002.) |
| 100.A) Attestor.I | ATTESTOR-73-001 | DONE (2025-11-01) | Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. (Deps: ATTESTOR-72-002, KMS-72-001.) |
| 100.A) Attestor.II | ATTESTOR-73-002 | DONE (2025-11-01) | Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. (Deps: ATTESTOR-73-001, VERPOL-73-001.) |
| 100.A) Attestor.II | ATTESTOR-73-003 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). (Deps: ATTESTOR-73-002.) |
| 100.A) Attestor.II | ATTESTOR-74-001 | DONE (2025-11-02) | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Integrate transparency witness client, inclusion proof verification, and caching. (Deps: ATTESTOR-73-002, TRANSP-74-001.) |
| 100.A) Attestor.II | ATTESTOR-74-002 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Implement bulk verification worker + API with progress tracking, rate limits, and caching. (Deps: ATTESTOR-74-001.) |
| 100.A) Attestor.II | ATTESTOR-75-001 | DONE | Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Add export/import flows for attestation bundles and offline verification mode. (Deps: ATTESTOR-74-002, EXPORT-ATTEST-74-001.) |
| 100.A) Attestor.II | ATTESTOR-75-002 | DONE | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor/TASKS.md) | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. (Deps: ATTESTOR-73-002.) |
| 100.B) Authority.I | AUTH-AIAI-31-001 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Define Advisory AI scopes (`advisory-ai:view`, `advisory-ai:operate`, `advisory-ai:admin`) and remote inference toggles; update discovery metadata/offline defaults. (Deps: AUTH-VULN-29-001.) |
| 100.B) Authority.I | AUTH-AIAI-31-002 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. (Deps: AUTH-AIAI-31-001, AIAI-31-006.) |
| 100.B) Authority.I | AUTH-AIRGAP-56-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Provision new scopes (`airgap:seal`, `airgap:import`, `airgap:status:read`) in configuration metadata, offline kit defaults, and issuer templates. (Deps: AIRGAP-CTL-56-001.) |
| 100.B) Authority.I | AUTH-AIRGAP-56-002 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Audit import actions with actor, tenant, bundle ID, and trace ID; expose `/authority/audit/airgap` endpoint. (Deps: AUTH-AIRGAP-56-001, AIRGAP-IMP-58-001.) |
| 100.B) Authority.I | AUTH-NOTIFY-38-001 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Define `Notify.Viewer`, `Notify.Operator`, `Notify.Admin` scopes/roles, update discovery metadata, offline defaults, and issuer templates. |
| 100.B) Authority.I | AUTH-NOTIFY-40-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. (Deps: AUTH-NOTIFY-38-001, WEB-NOTIFY-40-001.) |
| 100.B) Authority.I | AUTH-NOTIFY-42-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Investigate ack token rotation 500 errors (test Rotate_ReturnsBadRequest_WhenKeyIdMissing_AndAuditsFailure still failing). Capture logs, identify root cause, and patch handler. (Deps: AUTH-NOTIFY-40-001.) |
| 100.B) Authority.I | AUTH-OAS-62-001 | DONE (2025-11-02) | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority/TASKS.md) | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. (Deps: AUTH-OAS-61-001, SDKGEN-63-001.) |
| 100.B) Authority.I | AUTH-OAS-63-001 | DONE (2025-11-02) | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority/TASKS.md) | Emit deprecation headers and notifications for legacy auth endpoints. (Deps: AUTH-OAS-62-001, APIGOV-63-001.) |
| 100.B) Authority.I | AUTH-OBS-50-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Introduce scopes `obs:read`, `timeline:read`, `timeline:write`, `evidence:create`, `evidence:read`, `evidence:hold`, `attest:read`, and `obs:incident` (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. (Deps: AUTH-AOC-19-001.) |
| 100.B) Authority.I | AUTH-OBS-52-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. (Deps: AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003.) |
| 100.B) Authority.I | AUTH-OBS-55-001 | DONE (2025-11-02) | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority/TASKS.md) | Harden incident mode authorization: require `obs:incident` scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. (Deps: AUTH-OBS-50-001, WEB-OBS-55-001.) |
| 100.B) Authority.I | AUTH-ORCH-34-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Introduce `Orch.Admin` role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. (Deps: AUTH-ORCH-33-001.) |
| 100.B) Authority.I | AUTH-PACKS-41-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Define CLI SSO profiles and pack scopes (`Packs.Read`, `Packs.Write`, `Packs.Run`, `Packs.Approve`), update discovery metadata, offline defaults, and issuer templates. (Deps: AUTH-AOC-19-001.) |
| 100.B) Authority.II | AUTH-POLICY-23-001 | DONE (2025-10-27) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) | Introduce fine-grained policy scopes (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`) for CLI/service accounts; update discovery metadata, issuer templates, and offline defaults. (Deps: AUTH-AOC-19-002.) |
| 100.B) Authority.II | AUTH-POLICY-23-002 | DONE (2025-11-08) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Implement optional two-person rule for activation: require two distinct `policy:activate` approvals when configured; emit audit logs. (Deps: AUTH-POLICY-23-001.) |
| 100.B) Authority.II | AUTH-POLICY-23-003 | DONE (2025-11-08) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. (Deps: AUTH-POLICY-23-001.) |
| 100.B) Authority.II | AUTH-POLICY-27-002 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. (Deps: AUTH-POLICY-27-001, REGISTRY-API-27-007.) |
| 100.B) Authority.II | AUTH-POLICY-27-003 | DONE (2025-11-04) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. (Deps: AUTH-POLICY-27-001, AUTH-POLICY-27-002.) |
| 100.B) Authority.II | AUTH-TEN-49-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Implement service accounts & delegation tokens (`act` chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. (Deps: AUTH-TEN-47-001.) |
| 100.B) Authority.II | AUTH-VULN-29-001 | DONE (2025-11-03) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Define Vuln Explorer scopes/roles (`vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. (Deps: AUTH-POLICY-27-001.) |
| 100.B) Authority.II | AUTH-VULN-29-002 | DONE (2025-11-03) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. (Deps: AUTH-VULN-29-001, LEDGER-29-002.) |
| 100.B) Authority.II | AUTH-VULN-29-003 | DONE (2025-11-04) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. (Deps: AUTH-VULN-29-001..002.) |
| 100.B) Authority.II | PLG7.IMPL-001 | DONE (2025-11-03) | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) | Scaffold `StellaOps.Authority.Plugin.Ldap` + tests, bind configuration (client certificate, trust-store, insecure toggle) with validation and docs samples. |
| 100.B) Authority.II | PLG7.IMPL-002 | DONE (2025-11-04) | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) | Implement LDAP credential store with TLS/mutual TLS enforcement, deterministic retry/backoff, and structured logging/metrics. |
| 100.C) IssuerDirectory | ISSUER-30-001 | DONE (2025-11-01) | Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. |
| 100.C) IssuerDirectory | ISSUER-30-002 | DONE (2025-11-01) | Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). (Deps: ISSUER-30-001.) |
| 100.C) IssuerDirectory | ISSUER-30-003 | DONE (2025-11-04) | Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. (Deps: ISSUER-30-001.) |
| 100.C) IssuerDirectory | ISSUER-30-004 | DONE (2025-11-01) | Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Integrate with VEX Lens and Excitor signature verification (client SDK, caching, retries). (Deps: ISSUER-30-001..003.) |
| 100.C) IssuerDirectory | ISSUER-30-005 | DONE (2025-11-01) | Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. (Deps: ISSUER-30-001..004.) |
| 100.C) IssuerDirectory | ISSUER-30-006 | DONE (2025-11-02) | Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. (Deps: ISSUER-30-001..005.) |
| 100.E) Deployment | HELM-45-004 | DONE (2025-11-08) | Deployment Guild, Policy Guild (ops/deployment/TASKS.md) | Mount the new `policy-engine-activation` ConfigMap into the Policy Engine (and Policy Gateway) pods, ensure runtime config loads activation overrides from env/file, and refresh Helm/Compose samples for offline parity. |
### Progress Notes
- 2025-11-03: TTL soak tests captured in `docs/modules/attestor/ttl-validation.md`; Mongo/Redis evidence archived for replay.
- 2025-11-01: ATTESTOR-73-002 completed — verification endpoints emit structured reports, cache hits, and telemetry; Attestor verification test suites cover success, failure, and cached paths. Transparency witness integration continues under ATTESTOR-74-001.
- 2025-11-02: ATTESTOR-74-001 completed — witness client wired into proof refresh, repository model stores witness statements, and verification warns on missing endorsements. Tests updated for witness refresh, bundle export/import, and signing stubs.
- 2025-11-04: Verified discovery metadata now advertises the airgap scope trio, `etc/authority.yaml.sample` + offline kit docs ship the new roles, and Authority tests enforce tenant gating for `airgap:*` scopes (`dotnet test` executed).
- 2025-11-04: `/authority/audit/airgap` minimal APIs persist tenant-scoped records with paging, RBAC checks for `airgap:import`/`airgap:status:read` pass, and Authority integration suite (187 tests) exercised the audit flow.
- 2025-11-01: AUTH-AIRGAP-57-001 blocked pending definition of sealed-confirmation evidence and configuration shape before gating (Authority Core & Security Guild, DevOps Guild).
- 2025-11-08: Flipped to DOING; partnering with DevOps on artifacts so Authority gating tests can consume sealed confirmations once published (target 2025-11-10).
- 2025-11-07: Still waiting on DEVOPS-AIRGAP-57-002 sealed-mode CI suite (`ops/devops/sealed-mode-ci/*`) to publish artefacts so Authority can wire the gating tests.
- 2025-11-08: DevOps sealed-mode CI now uploads `artifacts/sealed-mode-ci/<commit>/authority-sealed-ci.json`; Authority to hook the gating middleware/tests up to that feed next.
- 2025-11-01: AUTH-NOTIFY-38-001 completed—Notify scope catalog, discovery metadata, docs, configuration samples, and service tests updated for new roles.
- 2025-11-02: `/notify/ack-tokens/rotate` (notify.admin) now rotates DSSE keys with audit coverage and integration tests. Webhook allowlist + escalation scope enforcement verified.
- 2025-11-02: Added `StellaOpsBearer` mapping to test harness, fixed bootstrap rotate handler defaults, and reran targeted notify ack rotation test (now returning BadRequest instead of 500).
- 2025-11-02: Added HttpClient auth helper (OAuth2 + PAT) with tenant header support, plus coverage in `StellaOps.Auth.Client.Tests`.
- 2025-11-02: AUTH-OAS-63-001 marked DONE — legacy `/oauth/*` shims now emit Deprecation/Sunset/Warning headers, audit events (`authority.api.legacy_endpoint`) validated by tests, and migration guide `docs/api/authority-legacy-auth-endpoints.md` published (Authority Core & Security Guild, API Governance Guild).
- 2025-11-02: Observability scope bundle published in discovery metadata, OpenAPI, docs, and offline configs; issuer templates + roles updated with deterministic scope ordering and tests refreshed.
- 2025-11-02: Timeline/Evidence/Export resource servers now register observability policies, enforce tenant claims, and emit enriched authorization audit events; config samples + tests updated.
- 2025-11-02: Resource servers now enforce a five-minute fresh-auth window for `obs:incident`, incident reasons are stamped into authorization audits and `/authority/audit/incident`, and sample configs/tests updated to require tenant headers across observability endpoints.
- 2025-11-02: Added `orch:backfill` scope with required `backfill_reason`/`backfill_ticket`, tightened Authority handlers/tests, updated CLI configuration/env vars, and refreshed docs + samples for Orchestrator admins.
- 2025-11-02: Pack scope policies added, Authority samples/roles refreshed, and CLI SSO profiles documented for packs operators/publishers/approvers.
- 2025-11-04: Verified discovery metadata, OpenAPI, `etc/authority.yaml.sample`, and offline kit docs reflect the packs scope set; Authority suite re-run (`dotnet test`) to confirm tenant gating and policy checks.
- 2025-11-02: Shared OpenSSL 1.1 shim now feeds Mongo2Go for Authority & Signals tests, keeping pack scope regressions and other Mongo flows working on OpenSSL 3 hosts.
- 2025-11-07: AUTH-PACKS-41-001 + TASKRUN-42-001 are DONE; remaining blocker is ORCH-SVC-42-101 (still TODO) for log streaming/approvals APIs. Not deleted—waiting on Orchestrator to publish contracts.
- 2025-11-08: Added Policy Engine activation options (force/default/audit toggles), enforced pending-second-approval responses, and emitted `policy.activation.*` telemetry across auditor logs.
- 2025-11-08: Documented dual-control activation steps, new `PolicyEngine.activation.*` knobs, sample YAML defaults, and console/operator guidance for audit visibility.
- 2025-11-07: Scope migration (AUTH-POLICY-23-001) shipped; activation guardrail and documentation updates now waiting on pairing.
- 2025-11-07: Authority + DevOps stand-up aligned on a 2025-11-10 delivery target for AUTH-DPOP-11-001 / AUTH-MTLS-11-002 and DEVOPS-AIRGAP-57-002 so plugin security/air-gap gating can flip to DOING immediately after.
- 2025-11-08: Taking ownership to wire certificate thumbprint persistence + audit logging; blocking issues from AUTH-DPOP-11-001 now resolved, so mTLS enforcement can proceed.
- 2025-11-08: `/token`/`/introspect` now enforce TLS certificate matches for mTLS-bound tokens and emit `authority_mtls_mismatch_total` telemetry when rejections occur.
- 2025-11-02: Added interactive-only `policy:publish`/`policy:promote` scopes with metadata requirements (`policy_reason`, `policy_ticket`, `policy_digest`), fresh-auth validation, audit enrichment, and updated config/docs for operators.
- 2025-11-04: Confirmed Policy Studio role/scope guidance in `docs/11_AUTHORITY.md`, OpenAPI metadata, and samples; compliance checklist appended and Authority tests rerun for fresh-auth + scope enforcement.
- 2025-11-02: Service account store + configuration wired, delegation quotas enforced, token persistence extended with `serviceAccountId`/`tokenKind`/`actorChain`, docs & samples refreshed, and new tests cover delegated issuance/persistence.
- 2025-11-02: Updated bootstrap test fixtures to use AuthorityDelegation seed types and verified `/internal/service-accounts` endpoints respond as expected via targeted Authority tests.
- 2025-11-02: Documented bootstrap admin API usage (`/internal/service-accounts/**`) and clarified that repeated seeding preserves Mongo `_id`/`createdAt` values to avoid immutable field errors.
- 2025-11-03: Patched Authority test harness to seed enabled service-account records deterministically and restored `StellaOps.Authority.Tests` to green (covers `/internal/service-accounts` listing + revocation paths).
- 2025-11-04: Validated service-account docs/configs and Authority Mongo store wiring; reran Authority integration suite to confirm issuance, listing, and revocation happy/negative paths.
- 2025-11-04: Reviewed Vuln Explorer RBAC/ABAC sections in `docs/11_AUTHORITY.md` + security guides, confirmed attachment and anti-forgery docs reflect shipped endpoints, and Authority test pass confirms ledger token flows.
- 2025-11-03: Workflow anti-forgery and attachment token endpoints merged with audit trails; negative-path coverage added (`VulnWorkflowTokenEndpointTests`). Full Authority test suite still running; follow-up execution required after dependency build completes.
- 2025-11-07: Upstream AUTH-DPOP-11-001 / AUTH-MTLS-11-002 now DOING; revisit plugin backlog once sender-constraint hardening lands.
- 2025-11-08: Dependency audit confirmed — AUTH-DPOP-11-001 / AUTH-MTLS-11-002 staffed with 2025-11-10 delivery; no missing SEC2/SEC3/SEC5 subtasks, so these remain BLOCKED only until sender constraints merge.
- 2025-11-03: Initial `StellaOps.Authority.Plugin.Ldap` project/tests scaffolded with configuration options + registrar; sample manifest (`etc/authority.plugins/ldap.yaml`) updated to new schema (client certificate, trust store, insecure toggle).
- 2025-11-03: Review concluded; RFC accepted with audit/mTLS/mapping decisions recorded in `docs/notes/2025-11-03-authority-plugin-ldap-review.md`. Follow-up implementation tasks PLG7.IMPL-001..005 added to plugin board.
- 2025-11-04: Updated connection factory to negotiate StartTLS via `StartTransportLayerSecurity(null)` and normalized LDAP result-code handling (invalid credentials + transient codes) against `System.DirectoryServices.Protocols` 8.0. Plugin unit suite (`dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/StellaOps.Authority.Plugin.Ldap.Tests.csproj`) now passes again after the retry/error-path fixes.
- 2025-11-04: PLG7.IMPL-002 DONE – deterministic credential store retries now emit metrics + structured audit context, DirectoryServices factory enforces TLS/mTLS settings (trust store + client cert), and configuration samples/docs refreshed. Tests: `dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/StellaOps.Authority.Plugin.Ldap.Tests.csproj --no-restore`.
- 2025-11-04: Confirmed `/issuer-directory/issuers/{id}/trust` endpoints persist tenant/global overrides with bounds validation, Mongo indexes seeded, docs/config updated, and core tests executed.
- 2025-11-08: Helm template now injects the activation ConfigMap for policy-engine/gateway pods, Policy Engine host loads `/config/policy-engine/activation.yaml`, Policy Engine/Gateway tests are green, and CI now runs `helm lint`/`helm template` over every `values*.yaml`.
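Review bot: the two Rust analyzer rows under Sprint 130 (`SCANNER-ANALYZERS-LANG-10-308R` and `SCANNER-ANALYZERS-LANG-10-309R`) are column-shifted: the Status cell repeats the TASKS.md path (`DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md)`) and the Owner cell reads `DONE`, so no owning guild is recorded for either task; please put a plain `DONE` or `DONE (date)` in Status and the owning guild in the Owner column, matching the neighbouring EntryTrace rows. Two smaller points in the same hunk: the new `## Sprint 100 - Identity & Signing` section is appended after Sprint 130 rather than in sprint order, and its Progress Notes describe tasks that are still DOING or BLOCKED (AUTH-AIRGAP-57-001, AUTH-DPOP-11-001 / AUTH-MTLS-11-002, ORCH-SVC-42-101) even though the only table in the section is titled `Completed or Dropped Tasks` and has no row for them; either add rows carrying their current status or move those notes next to the task they track so the section stays consistent with its heading.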