Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

StellaOps Bot
2025-12-04 21:36:12 +02:00
301 changed files with 32810 additions and 1128 deletions

@@ -4,7 +4,23 @@
"Bash(dotnet build:*)",
"Bash(dotnet restore:*)",
"Bash(chmod:*)",
"Bash(cat:*)"
"Bash(cat:*)",
"Bash(dotnet nuget:*)",
"Bash(cd /mnt/c/dev/New\\ folder/git.stella-ops.org && python3:*)",
"Bash(cd:*)",
"Bash(grep:*)",
"Bash(src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs )",
"Bash(src/Cli/StellaOps.Cli/Configuration/CliProfile.cs )",
"Bash(src/Cli/StellaOps.Cli/Configuration/GlobalOptions.cs )",
"Bash(src/Cli/StellaOps.Cli/Output/CliError.cs )",
"Bash(src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs )",
"Bash(src/Cli/StellaOps.Cli/Services/OrchestratorClient.cs )",
"Bash(src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs )",
"Bash(src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs )",
"Bash(src/Cli/StellaOps.Cli/Telemetry/TraceparentHttpMessageHandler.cs)",
"Bash(python3:*)",
"Bash(dotnet list:*)",
"WebSearch"
],
"deny": [],
"ask": []
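
Review bot: The nine `Bash(src/Cli/StellaOps.Cli/... )` entries in the allow list are source file paths with a trailing space, not commands, and look like fragments of one multi-line command that was approved and saved by accident; they should be dropped. The `Bash(cd /mnt/c/dev/New\\ folder/git.stella-ops.org && python3:*)` entry is tied to one developer's local path and does not belong in a shared settings file. `Bash(python3:*)` and `Bash(cd:*)` pre-approve any Python invocation without a prompt, which makes the narrower entries above them moot while `deny` and `ask` stay empty; consider moving the interpreter entries to `ask`.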

@@ -3,9 +3,17 @@
<packageSources>
<clear />
<add key="local" value="local-nugets" />
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
<add key="ablera-mirror" value="https://mirrors.ablera.dev/nuget/nuget-mirror/v3/index.json" />
</packageSources>
<config>
<add key="globalPackagesFolder" value="local-nugets/packages" />
</config>
<packageSourceMapping>
<packageSource key="local">
<package pattern="*" />
</packageSource>
<packageSource key="ablera-mirror">
<package pattern="*" />
</packageSource>
</packageSourceMapping>
</configuration>
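
Review bot: In `<packageSourceMapping>`, both `local` and `ablera-mirror` are mapped with `<package pattern="*" />`, so every package ID may be restored from either source and the mapping gives no protection against an internal package name being served by the mirror. If internal packages share a prefix such as `StellaOps.*`, map that prefix to `local` only and leave `*` on a single upstream. `nuget.org` has no mapping entry, so if that `<add>` line stays it is never consulted once source mapping is active. A restore that depends on `mirrors.ablera.dev` should be paired with lock files or signature validation so the mirror's content can be verified.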

@@ -54,7 +54,8 @@
* **Fulcio** (Sigstore CA) — issues shortlived signing certs (keyless).
* **Rekor v2** (tilebacked transparency log).
* **RustFS** — offline-first object store with deterministic REST API (S3/MinIO fallback available for legacy installs).
* **MongoDB** — catalog, advisories, VEX, scheduler, notify.
* **PostgreSQL** (≥15) — control-plane storage with per-module schema isolation (auth, vuln, vex, scheduler, notify, policy). See [Database Architecture](#database-architecture-postgresql).
* **MongoDB** (≥7) — legacy catalog support; being phased out in favor of PostgreSQL for control-plane domains.
* **Queue** — Redis Streams / NATS / RabbitMQ (pluggable).
* **OCI Registry** — must support **Referrers API** (discover SBOMs/signatures).
@@ -229,7 +230,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
---
## 6) Storage & catalogs (RustFS/Mongo)
## 6) Storage & catalogs (RustFS/PostgreSQL)
**RustFS layout (default)**
@@ -243,16 +244,62 @@ rustfs://stellaops/
attest/<artifactSha256>.dsse.json
```
**Catalog (Mongo)**
### Database Architecture (PostgreSQL)
* `artifacts` (type/format/sha/size/rekor/ttl/immutable/refCount/createdAt)
* `images`, `layers`, `links`, `lifecycleRules`
* **Scheduler:** `schedules`, `runs`, `locks`, `impact_cursors`
* **Notify:** `rules`, `deliveries`, `channels`, `templates`
StellaOps uses PostgreSQL for all control-plane data with **per-module schema isolation**. Each module owns and manages only its own schema, ensuring clear ownership and independent migration lifecycles.
**Schema topology:**
```
┌─────────────────────────────────────────────────────────────────┐
│ PostgreSQL Cluster │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ stellaops (database) ││
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ││
│ │ │ auth │ │ vuln │ │ vex │ │scheduler│ ││
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ ││
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ││
│ │ │ notify │ │ policy │ │ audit │ ││
│ │ └─────────┘ └─────────┘ └─────────┘ ││
│ └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘
```
**Schema ownership:**
| Schema | Owner Module | Purpose |
|--------|--------------|---------|
| `auth` | Authority | Identity, authentication, authorization, licensing, sessions |
| `vuln` | Concelier | Vulnerability advisories, CVSS, affected packages, sources |
| `vex` | Excititor | VEX statements, graphs, observations, evidence, consensus |
| `scheduler` | Scheduler | Jobs, triggers, workers, locks, execution history |
| `notify` | Notify | Channels, templates, rules, deliveries, escalations |
| `policy` | Policy | Policy packs, rules, risk profiles, evaluations |
| `audit` | Shared | Cross-cutting audit log (optional) |
**Key design principles:**
1. **Module isolation** — Each module controls only its own schema. Cross-schema queries are rare and explicitly documented.
2. **Multi-tenancy** — Single database, single schema set, `tenant_id` column on all tenant-scoped tables with row-level security.
3. **Forward-only migrations** — No down migrations; fixes are applied as new forward migrations.
4. **Advisory lock coordination** — Startup migrations use `pg_try_advisory_lock(hashtext('schema_name'))` to prevent concurrent execution.
5. **Air-gap compatible** — All migrations embedded in assemblies, no external network dependencies.
**Migration categories:**
| Category | Prefix | Execution | Description |
|----------|--------|-----------|-------------|
| Startup (A) | `001-099` | Automatic at boot | Non-breaking DDL (CREATE IF NOT EXISTS, ADD COLUMN nullable) |
| Release (B) | `100-199` | Manual via CLI | Breaking changes (DROP, ALTER TYPE), require maintenance window |
| Seed | `S001-S999` | After schema | Reference data with ON CONFLICT DO NOTHING |
| Data (C) | `DM001-DM999` | Background job | Batched data transformations, resumable |
**Detailed documentation:** See [`docs/db/`](db/README.md) for full specification, coding rules, and phase-by-phase conversion tasks.
**Retention**
* RustFS applies retention via `X-RustFS-Retain-Seconds`; Scanner.WebService GC decrements `refCount` and deletes unreferenced metadata; S3/MinIO fallback retains native Object Lock when enabled.
* PostgreSQL retention managed via time-based partitioning for high-volume tables (runs, execution_logs) with monthly partition drops.
---
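
Review bot: The schema ownership table gives no home to the Scanner catalog that the `Catalog (Mongo)` list carried (`artifacts`, `images`, `layers`, `links`, `lifecycleRules`), yet the Retention bullet still has Scanner.WebService GC decrementing `refCount`; say which schema owns those tables or that they stay in MongoDB. In design principle 4, `pg_try_advisory_lock(hashtext('schema_name'))` is a session-level lock on a 32-bit hash in a key space shared by the whole database, so the text should state that the migration connection is a direct, non-pooled session and that the keys must not collide with other advisory lock users.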
@@ -381,20 +428,20 @@ Binary header + purl table + roaring bitmaps; optional `usedByEntrypoint` flags
```yaml
services:
authority: { image: stellaops/authority }
authority: { image: stellaops/authority, depends_on: [postgres] }
fulcio: { image: sigstore/fulcio }
rekor: { image: sigstore/rekor-v2 }
minio: { image: minio/minio, command: server /data --console-address ":9001" }
mongo: { image: mongo:7 }
postgres: { image: postgres:15-alpine, environment: { POSTGRES_DB: stellaops, POSTGRES_USER: stellaops } }
signer: { image: stellaops/signer, depends_on: [authority, fulcio] }
attestor: { image: stellaops/attestor, depends_on: [rekor, signer] }
scanner-web: { image: stellaops/scanner-web, depends_on: [mongo, minio, signer, attestor] }
scanner-web: { image: stellaops/scanner-web, depends_on: [postgres, minio, signer, attestor] }
scanner-worker: { image: stellaops/scanner-worker, deploy: { replicas: 4 }, depends_on: [scanner-web] }
concelier: { image: stellaops/concelier-web, depends_on: [mongo] }
excititor: { image: stellaops/excititor-web, depends_on: [mongo] }
scheduler-web: { image: stellaops/scheduler-web, depends_on: [mongo] }
concelier: { image: stellaops/concelier-web, depends_on: [postgres] }
excititor: { image: stellaops/excititor-web, depends_on: [postgres] }
scheduler-web: { image: stellaops/scheduler-web, depends_on: [postgres] }
scheduler-worker:{ image: stellaops/scheduler-worker, deploy: { replicas: 2 }, depends_on: [scheduler-web] }
notify-web: { image: stellaops/notify-web, depends_on: [mongo] }
notify-web: { image: stellaops/notify-web, depends_on: [postgres] }
notify-worker: { image: stellaops/notify-worker, deploy: { replicas: 2 }, depends_on: [notify-web] }
ui: { image: stellaops/ui, depends_on: [scanner-web, concelier, excititor, scheduler-web, notify-web] }
```
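
Review bot: The new `postgres` service sets only `POSTGRES_DB` and `POSTGRES_USER`; the official image will not initialise without `POSTGRES_PASSWORD` (or an explicit auth method), so the sample does not start as written. Supply the password from a secret or env file rather than inline, and add a data volume. The `mongo` service is gone from this sample while the component list still names MongoDB (≥7) for legacy catalog support, so state whether a deployment in the transition period still needs it.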

@@ -0,0 +1,207 @@
# ADR-0001: PostgreSQL for Control-Plane Storage
## Status
Accepted
## Date
2025-12-04
## Authors
- Platform Team
## Deciders
- Architecture Guild
- Platform Team
## Context
StellaOps control-plane services (Authority, Scheduler, Notify, Concelier/Excititor, Policy) require persistent storage for:
- Identity and authorization data (users, roles, tokens, sessions)
- Job scheduling and execution state
- Notification rules, templates, and delivery tracking
- Vulnerability advisories and VEX statements
- Policy packs, rules, and evaluation history
**Triggers for this decision:**
1. **Licensing trust & ecosystem stability** — PostgreSQL is licensed under the permissive PostgreSQL License (similar to MIT/BSD), OSI-approved, with no vendor lock-in concerns. MongoDB's SSPL license (2018) is not OSI-approved and creates uncertainty for self-hosted/sovereign deployments. For a platform emphasizing sovereignty and auditability, database licensing must be beyond reproach.
2. **Schema complexity** — Control-plane domains have well-defined, relational schemas with referential integrity requirements (foreign keys, cascading deletes, constraints).
3. **Query patterns** — Complex joins, aggregations, and window functions are common (e.g., finding all images affected by a newly published CVE).
4. **ACID requirements** — Job scheduling, token issuance, and notification delivery require strong transactional guarantees.
5. **Multi-tenancy** — Row-level security (RLS) needed for tenant isolation without schema-per-tenant overhead.
6. **Migration tooling** — Need deterministic, forward-only migrations with advisory lock coordination for multi-instance deployments.
7. **Air-gap operation** — All schema and data must be embeddable in assemblies without external network dependencies.
8. **Auditability** — PostgreSQL's mature ecosystem includes proven audit logging, compliance tooling, and forensic capabilities trusted by regulated industries.
## Decision
**Adopt PostgreSQL (≥15) as the primary database for all StellaOps control-plane domains.**
Key architectural choices:
### 1. Per-Module Schema Isolation
Each module owns exactly one PostgreSQL schema:
| Schema | Owner | Description |
|--------|-------|-------------|
| `auth` | Authority | Identity, authentication, authorization, licensing |
| `vuln` | Concelier | Vulnerability advisories, sources, affected packages |
| `vex` | Excititor | VEX statements, graphs, observations, consensus |
| `scheduler` | Scheduler | Jobs, triggers, workers, execution history |
| `notify` | Notify | Channels, templates, rules, deliveries |
| `policy` | Policy | Policy packs, rules, risk profiles |
| `audit` | Shared | Cross-cutting audit log (optional) |
**Rationale:**
- Clear ownership boundaries
- Independent migration lifecycles
- Schema-level access control
- Simplified testing and development
### 2. Multi-Tenancy via tenant_id Column
Single database, single schema set, `tenant_id` column on all tenant-scoped tables.
```sql
-- Session-level tenant context
SET app.tenant_id = '<tenant-uuid>';
-- Row-level security (defense in depth)
CREATE POLICY tenant_isolation ON <table>
USING (tenant_id = current_setting('app.tenant_id')::uuid);
```
**Rationale:**
- Simplest operational model
- Shared connection pooling
- Easy cross-tenant queries for admin operations
- Composite indexes on `(tenant_id, ...)` for query performance
### 3. Forward-Only Migrations with Advisory Locks
Migrations are embedded in assemblies and executed at startup with PostgreSQL advisory locks:
```sql
SELECT pg_try_advisory_lock(hashtext('auth')); -- Per-schema lock
```
**Migration categories:**
- **Startup (001-099)**: Automatic, non-breaking DDL
- **Release (100-199)**: Manual CLI, breaking changes
- **Seed (S001-S999)**: Reference data
- **Data (DM001-DM999)**: Batched background jobs
**Rationale:**
- No down migrations needed (forward-only with fix-forward)
- Advisory locks prevent concurrent migrations across instances
- Checksum validation catches unauthorized modifications
- Air-gap compatible (no external migration service needed)
### 4. RustFS for Binary Artifacts
PostgreSQL stores metadata and indexes; RustFS stores binary artifacts (SBOMs, attestations, reports):
```
PostgreSQL: Schema definitions, relationships, indexes, audit trails
RustFS: sbom.cdx.json.zst, inventory.cdx.pb, bom-index.bin, *.dsse.json
```
**Rationale:**
- Right tool for each job
- PostgreSQL excellent for structured queries
- Object storage better for large binary blobs
- Clear separation of concerns
## Consequences
### Positive
1. **Licensing trust** — PostgreSQL License is permissive, OSI-approved, and universally accepted. No vendor lock-in, no license ambiguity for sovereign deployments. Trusted by governments, regulated industries, and security-conscious organizations.
2. **Ecosystem stability** — 30+ years of development, included in all major distributions, no license rug-pulls. Community governance ensures long-term trust.
3. **Relational integrity** — Foreign keys, constraints, and transactions ensure data consistency.
4. **Query flexibility** — Complex joins, CTEs, window functions, and full-text search available natively.
5. **Operational maturity** — Well-understood backup, replication, and monitoring ecosystem.
6. **Row-level security** — Built-in multi-tenancy support without application-layer hacks.
7. **Schema evolution** — Mature migration tooling with online DDL capabilities.
8. **Performance** — Excellent query planning, connection pooling (PgBouncer), and indexing options.
9. **Auditability** — Proven audit logging extensions (pgAudit), compliance certifications, forensic tooling.
### Negative
1. **Schema rigidity** — Changes require migrations; less flexible than document stores for rapidly evolving schemas.
2. **Operational overhead** — Requires PostgreSQL expertise for tuning, vacuuming, and monitoring.
3. **Connection limits** — Need PgBouncer for high-concurrency workloads.
### Follow-up Actions
- [x] Create `docs/db/` documentation directory with specification, rules, and conversion plan
- [x] Define migration infrastructure in `StellaOps.Infrastructure.Postgres`
- [ ] Complete phased conversion from MongoDB per `docs/db/tasks/PHASE_*.md`
- [ ] Update deployment guides for PostgreSQL requirements
- [ ] Add PostgreSQL health checks to all control-plane services
### Rollback Criteria
Revert to MongoDB (or hybrid) if:
- Migration performance unacceptable (> 60s startup time)
- Query complexity exceeds PostgreSQL capabilities
- Operational burden exceeds team capacity
## Alternatives Considered
### Option A: Continue with MongoDB
**Pros:**
- Already in use for some components
- Flexible schema
- Good for document-centric workloads
**Cons:**
- **Licensing uncertainty** — MongoDB's SSPL (Server Side Public License, 2018) is not OSI-approved. Creates legal ambiguity for sovereign/self-hosted deployments, especially in regulated industries and government contexts where license provenance matters.
- **Ecosystem trust erosion** — SSPL switch caused major distributions (Debian, Fedora, RHEL) to drop MongoDB packages. Sovereign customers may have policies against non-OSI licenses.
- No referential integrity (app-enforced)
- Limited join capabilities
- Multi-tenancy requires additional logic
- No row-level security
- Less mature migration tooling
**Rejected because:** Licensing uncertainty is incompatible with StellaOps' sovereign-first positioning. Control-plane domains are also fundamentally relational with strong consistency requirements.
### Option B: Hybrid (PostgreSQL + MongoDB)
**Pros:**
- Use each database for appropriate workloads
- Gradual migration possible
**Cons:**
- Two databases to operate and monitor
- Complex deployment
- Cross-database consistency challenges
- Higher operational burden
**Rejected because:** Unified PostgreSQL approach is simpler and sufficient for all control-plane needs.
### Option C: CockroachDB / YugabyteDB
**Pros:**
- PostgreSQL-compatible
- Built-in horizontal scaling
- Multi-region capabilities
**Cons:**
- Additional operational complexity
- Less mature than PostgreSQL
- Overkill for current scale
- Air-gap deployment challenges
**Rejected because:** PostgreSQL provides sufficient scale and simpler operations for current requirements. Can revisit if horizontal scaling becomes necessary.
## References
- [`docs/db/README.md`](../db/README.md) — Database documentation index
- [`docs/db/SPECIFICATION.md`](../db/SPECIFICATION.md) — Schema design specification
- [`docs/db/MIGRATION_STRATEGY.md`](../db/MIGRATION_STRATEGY.md) — Migration execution strategy
- [`docs/db/RULES.md`](../db/RULES.md) — Database coding rules
- [`docs/07_HIGH_LEVEL_ARCHITECTURE.md`](../07_HIGH_LEVEL_ARCHITECTURE.md) — High-level architecture overview
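
Review bot: In section 2, the SQL sample shows `CREATE POLICY tenant_isolation` but no `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`, without which the policy is never applied, and no `FORCE ROW LEVEL SECURITY`, without which the table owner bypasses it; since each module owns its schema, the service role is likely the owner. The session-level `SET app.tenant_id` also conflicts with the shared connection pooling and PgBouncer named elsewhere in the ADR, because a pooled connection can carry one request's tenant into the next; use `SET LOCAL` (or `set_config('app.tenant_id', ..., true)`) inside the request's transaction. The "easy cross-tenant queries for admin operations" bullet should name the role that is allowed to bypass the policy. In section 3, "checksum validation catches unauthorized modifications" only holds if the stored checksums cannot be rewritten by the same role that runs migrations.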

@@ -34,8 +34,15 @@ Small, module-local refactors that do not modify public behaviour can live in co
- [ ] Consequences call out migration or rollback steps.
- [ ] Announcement posted to Docs Guild updates (or sprint log).
## ADR Index
| ADR | Title | Status | Date |
|-----|-------|--------|------|
| [0001](./0001-postgresql-for-control-plane.md) | PostgreSQL for Control-Plane Storage | Accepted | 2025-12-04 |
## Related resources
- [Docs Guild Task Board](../TASKS.md)
- [High-Level Architecture Overview](../07_HIGH_LEVEL_ARCHITECTURE.md)
- [Database Documentation](../db/README.md)
- [Coding Standards](../18_CODING_STANDARDS.md)
- [Release Engineering Playbook](../13_RELEASE_ENGINEERING_PLAYBOOK.md)

@@ -0,0 +1,498 @@
# PostgreSQL Migration Strategy
**Version:** 1.0
**Last Updated:** 2025-12-03
**Status:** Active
## Overview
This document defines the migration strategy for StellaOps PostgreSQL databases. It covers initial setup, per-release migrations, multi-instance coordination, and air-gapped operation.
## Principles
1. **Forward-Only**: No down migrations. Fixes are applied as new forward migrations.
2. **Idempotent**: All migrations must be safe to re-run (use `IF NOT EXISTS`, `ON CONFLICT DO NOTHING`).
3. **Deterministic**: Same input produces identical schema state across environments.
4. **Air-Gap Compatible**: All migrations embedded in assemblies, no external dependencies.
5. **Zero-Downtime**: Non-breaking migrations run at startup; breaking changes require coordination.
## Migration Categories
### Category A: Startup Migrations (Automatic)
Run automatically when application starts. Must complete within 60 seconds.
**Allowed Operations:**
- `CREATE SCHEMA IF NOT EXISTS`
- `CREATE TABLE IF NOT EXISTS`
- `CREATE INDEX IF NOT EXISTS`
- `CREATE INDEX CONCURRENTLY` (non-blocking)
- `ALTER TABLE ADD COLUMN` (nullable or with default)
- `CREATE TYPE ... IF NOT EXISTS` (enums)
- Adding new enum values (`ALTER TYPE ... ADD VALUE IF NOT EXISTS`)
- Insert seed data with `ON CONFLICT DO NOTHING`
**Forbidden Operations:**
- `DROP TABLE/COLUMN/INDEX`
- `ALTER TABLE DROP COLUMN`
- `ALTER TABLE ALTER COLUMN TYPE`
- `TRUNCATE`
- Large data migrations (> 10,000 rows affected)
- Any operation requiring `ACCESS EXCLUSIVE` lock for extended periods
### Category B: Release Migrations (Manual/CLI)
Require explicit execution via CLI before deployment. Used for breaking changes.
**Typical Operations:**
- Dropping deprecated columns/tables
- Column type changes
- Large data backfills
- Index rebuilds
- Table renames
- Constraint modifications
### Category C: Data Migrations (Batched)
Long-running data transformations that run as background jobs.
**Characteristics:**
- Batched processing (1000-10000 rows per batch)
- Resumable after interruption
- Progress tracking
- Can run alongside application
## Migration File Structure
```
src/<Module>/__Libraries/StellaOps.<Module>.Storage.Postgres/
├── Migrations/
│ ├── 001_initial_schema.sql # Category A
│ ├── 002_add_audit_columns.sql # Category A
│ ├── 003_add_search_index.sql # Category A
│ └── 100_drop_legacy_columns.sql # Category B (100+ = manual)
├── Seeds/
│ ├── 001_default_roles.sql # Seed data
│ └── 002_builtin_policies.sql # Seed data
└── DataMigrations/
└── DM001_BackfillTenantIds.cs # Category C (code-based)
```
### Naming Convention
| Prefix | Category | Description |
|--------|----------|-------------|
| `001-099` | A (Startup) | Automatic, non-breaking |
| `100-199` | B (Release) | Manual, breaking changes |
| `200-299` | B (Release) | Major version migrations |
| `S001-S999` | Seed | Reference data |
| `DM001-DM999` | C (Data) | Batched data migrations |
## Execution Flow
### Application Startup
```
┌─────────────────────────────────────────────────────────────┐
│ Application Startup │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 1. Acquire Advisory Lock (pg_try_advisory_lock) │
│ Key: hash of schema name │
│ If lock fails: wait up to 120s, then fail startup │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 2. Create schema_migrations table if not exists │
│ Columns: migration_name, applied_at, checksum, category │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 3. Load embedded migrations (001-099 only) │
│ - Sort by name │
│ - Compute checksums │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 4. Compare with applied migrations │
│ - Detect checksum mismatches (FATAL ERROR) │
│ - Identify pending migrations │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 5. Check for pending Category B migrations │
│ - If any 100+ migrations are pending: FAIL STARTUP │
│ - Log: "Run 'stellaops migrate' before deployment" │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 6. Execute pending Category A migrations │
│ - Each in transaction │
│ - Record in schema_migrations │
│ - Log timing │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 7. Execute seed data (if not already applied) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 8. Release Advisory Lock │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 9. Continue Application Startup │
└─────────────────────────────────────────────────────────────┘
```
### Release Migration (CLI)
```bash
# Before deployment - run breaking migrations
stellaops system migrations-run --module Authority --category release
# Verify migration state
stellaops system migrations-status --module Authority
# Dry run (show what would be executed)
stellaops system migrations-run --module Authority --dry-run
```
## Multi-Instance Coordination
### Advisory Locks
Each module uses a unique advisory lock key derived from its schema name:
```sql
-- Lock key calculation
SELECT pg_try_advisory_lock(hashtext('auth')); -- Authority
SELECT pg_try_advisory_lock(hashtext('scheduler')); -- Scheduler
SELECT pg_try_advisory_lock(hashtext('vuln')); -- Concelier
SELECT pg_try_advisory_lock(hashtext('policy')); -- Policy
SELECT pg_try_advisory_lock(hashtext('notify')); -- Notify
```
### Race Condition Handling
```
Instance A Instance B
│ │
├─ Acquire lock (success) ──► │
│ ├─ Acquire lock (BLOCKED)
├─ Run migrations │ Wait up to 120s
│ │
├─ Release lock ────────────► │
│ ├─ Acquire lock (success)
│ ├─ Check migrations (none pending)
│ ├─ Release lock
│ │
▼ ▼
Running Running
```
## Schema Migrations Table
Each schema maintains its own migration history:
```sql
CREATE TABLE IF NOT EXISTS {schema}.schema_migrations (
migration_name TEXT PRIMARY KEY,
category TEXT NOT NULL DEFAULT 'startup',
checksum TEXT NOT NULL,
applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
applied_by TEXT,
duration_ms INT,
CONSTRAINT valid_category CHECK (category IN ('startup', 'release', 'seed', 'data'))
);
CREATE INDEX IF NOT EXISTS idx_schema_migrations_applied_at
ON {schema}.schema_migrations(applied_at DESC);
```
## Module-Specific Schemas
| Module | Schema | Lock Key | Tables |
|--------|--------|----------|--------|
| Authority | `auth` | `hashtext('auth')` | tenants, users, roles, tokens, sessions |
| Scheduler | `scheduler` | `hashtext('scheduler')` | jobs, triggers, workers, locks |
| Concelier | `vuln` | `hashtext('vuln')` | advisories, affected, aliases, sources |
| Policy | `policy` | `hashtext('policy')` | packs, versions, rules, evaluations |
| Notify | `notify` | `hashtext('notify')` | templates, channels, deliveries |
| Excititor | `vex` | `hashtext('vex')` | statements, documents, products |
## Release Workflow
### Pre-Deployment
```bash
# 1. Review pending migrations
stellaops system migrations-status --module all
# 2. Backup database (if required)
pg_dump -Fc stellaops > backup_$(date +%Y%m%d).dump
# 3. Run release migrations in maintenance window
stellaops system migrations-run --category release --module all
# 4. Verify schema state
stellaops system migrations-verify --module all
```
### Deployment
1. Deploy new application version
2. Application startup runs Category A migrations automatically
3. Health checks pass after migrations complete
### Post-Deployment
```bash
# Check migration status
stellaops system migrations-status --module all
# Run any data migrations (background)
stellaops system migrations-run --category data --module all
```
## Rollback Strategy
Since we use forward-only migrations, rollback is achieved through:
1. **Fix-Forward**: Deploy a new migration that reverses the problematic change
2. **Blue/Green Deployment**: Switch back to previous version (requires backward-compatible migrations)
3. **Point-in-Time Recovery**: Restore from backup (last resort)
### Backward Compatibility Window
For zero-downtime deployments, migrations must be backward compatible for N-1 version:
```
Version N: Adds new nullable column 'status_v2'
Version N+1: Application uses 'status_v2', keeps 'status' populated
Version N+2: Migration removes 'status' column (Category B)
```
## Air-Gapped Operation
All migrations are embedded as assembly resources:
```xml
<!-- In .csproj file -->
<ItemGroup>
<EmbeddedResource Include="Migrations\*.sql" LogicalName="%(Filename)%(Extension)" />
<EmbeddedResource Include="Seeds\*.sql" LogicalName="%(Filename)%(Extension)" />
</ItemGroup>
```
No network access required during migration execution.
## Monitoring & Observability
### Metrics
| Metric | Type | Description |
|--------|------|-------------|
| `stellaops_migration_duration_seconds` | Histogram | Time to run migration |
| `stellaops_migration_pending_count` | Gauge | Number of pending migrations |
| `stellaops_migration_applied_total` | Counter | Total migrations applied |
| `stellaops_migration_failed_total` | Counter | Total migration failures |
### Logging
```
[INF] Migration: Acquiring lock for schema 'auth'
[INF] Migration: Lock acquired, checking pending migrations
[INF] Migration: 2 pending migrations found
[INF] Migration: Applying 003_add_audit_columns.sql (checksum: a1b2c3...)
[INF] Migration: 003_add_audit_columns.sql completed in 245ms
[INF] Migration: Applying 004_add_search_index.sql (checksum: d4e5f6...)
[INF] Migration: 004_add_search_index.sql completed in 1823ms
[INF] Migration: All migrations applied, releasing lock
```
### Alerts
- Migration lock held > 5 minutes
- Migration failure
- Checksum mismatch detected
- Pending Category B migrations blocking startup
## Development Workflow
### Creating a New Migration
```bash
# 1. Create migration file
touch src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/Migrations/005_add_mfa_columns.sql
# 2. Write idempotent SQL
cat > 005_add_mfa_columns.sql << 'EOF'
-- Migration: 005_add_mfa_columns
-- Category: startup
-- Description: Add MFA support columns to users table
ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_enabled BOOLEAN NOT NULL DEFAULT FALSE;
ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_secret TEXT;
ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_backup_codes TEXT[];
CREATE INDEX IF NOT EXISTS idx_users_mfa_enabled ON auth.users(mfa_enabled) WHERE mfa_enabled = TRUE;
EOF
# 3. Test locally
dotnet run --project src/Authority/StellaOps.Authority.WebService
# 4. Verify migration applied
stellaops system migrations-status --module Authority
```
### Testing Migrations
```bash
# Run integration tests with migrations
dotnet test --filter "Category=Migration"
# Test idempotency (run twice)
stellaops system migrations-run --module Authority
stellaops system migrations-run --module Authority # Should be no-op
```
## Troubleshooting
### Lock Timeout
```
ERROR: Could not acquire migration lock within 120 seconds
```
**Cause**: Another instance is running migrations or crashed while holding lock.
**Resolution**:
```sql
-- Check active locks
SELECT * FROM pg_locks WHERE locktype = 'advisory';
-- Force release (use with caution)
SELECT pg_advisory_unlock_all();
```
### Checksum Mismatch
```
ERROR: Migration checksum mismatch for '003_add_audit_columns.sql'
Expected: a1b2c3d4e5f6...
Found: x9y8z7w6v5u4...
```
**Cause**: Migration file was modified after being applied.
**Resolution**:
1. Never modify applied migrations
2. If intentional, update checksum manually in `schema_migrations`
3. Create new migration with fix instead
### Pending Release Migrations
```
ERROR: Cannot start application - pending release migrations require manual execution
Pending: 100_drop_legacy_columns.sql
Run: stellaops system migrations-run --module Authority --category release
```
**Resolution**: Run CLI migration command before deployment.
## Integration Guide
### Adding Startup Migrations to a Module
```csharp
// In Program.cs or Startup.cs
using StellaOps.Infrastructure.Postgres.Migrations;
// Option 1: Using PostgresOptions
services.AddStartupMigrations(
schemaName: "auth",
moduleName: "Authority",
migrationsAssembly: typeof(AuthorityDataSource).Assembly,
configureOptions: options =>
{
options.LockTimeoutSeconds = 120;
options.FailOnPendingReleaseMigrations = true;
});
// Option 2: Using custom options type
services.AddStartupMigrations<AuthorityOptions>(
schemaName: "auth",
moduleName: "Authority",
migrationsAssembly: typeof(AuthorityDataSource).Assembly,
connectionStringSelector: opts => opts.Storage.ConnectionString);
// Add migration status service for health checks
services.AddMigrationStatus<PostgresOptions>(
schemaName: "auth",
moduleName: "Authority",
migrationsAssembly: typeof(AuthorityDataSource).Assembly,
connectionStringSelector: opts => opts.ConnectionString);
```
### Embedding Migrations in Assembly
```xml
<!-- In .csproj file -->
<ItemGroup>
<EmbeddedResource Include="Migrations\*.sql" LogicalName="%(Filename)%(Extension)" />
<EmbeddedResource Include="Seeds\*.sql" LogicalName="%(Filename)%(Extension)" />
</ItemGroup>
```
### Health Check Integration
```csharp
// Add migration status to health checks
services.AddHealthChecks()
.AddCheck("migrations", async (cancellationToken) =>
{
var status = await migrationStatusService.GetStatusAsync(cancellationToken);
if (status.HasBlockingIssues)
{
return HealthCheckResult.Unhealthy(
$"Pending release migrations: {status.PendingReleaseCount}, " +
$"Checksum errors: {status.ChecksumErrors.Count}");
}
if (status.PendingStartupCount > 0)
{
return HealthCheckResult.Degraded(
$"Pending startup migrations: {status.PendingStartupCount}");
}
return HealthCheckResult.Healthy($"Applied: {status.AppliedCount}");
});
```
## Implementation Files
| File | Description |
|------|-------------|
| `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationRunner.cs` | Core migration execution logic |
| `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationCategory.cs` | Migration category enum and helpers |
| `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/StartupMigrationHost.cs` | IHostedService for automatic migrations |
| `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationServiceExtensions.cs` | DI registration extensions |
## Reference
- [PostgreSQL Advisory Locks](https://www.postgresql.org/docs/current/explicit-locking.html#ADVISORY-LOCKS)
- [Zero-Downtime Migrations](https://docs.stellaops.org/operations/migrations)
- [StellaOps CLI Reference](../09_API_CLI_REFERENCE.md)
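Review bot: The Health Check Integration snippet passes an `async` lambda to `AddCheck`, which takes synchronous delegates; a delegate returning `Task<HealthCheckResult>` needs `AddAsyncCheck`. The same lambda uses `migrationStatusService` without declaring or resolving it, so the example does not compile as written. Show how the service registered by `AddMigrationStatus` reaches the check. Also, Option 2 registers migrations with `AddStartupMigrations<AuthorityOptions>` and `opts.Storage.ConnectionString`, while the status registration uses `AddMigrationStatus<PostgresOptions>` and `opts.ConnectionString`. The text should say which pairing a module on Option 2 is expected to use, because a mismatch would report migration status for a different connection than the one being migrated.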

View File

@@ -2,6 +2,8 @@
This directory contains all documentation related to the StellaOps database architecture, including the MongoDB to PostgreSQL conversion project.
> **ADR Reference:** See [ADR-0001: PostgreSQL for Control-Plane Storage](../adr/0001-postgresql-for-control-plane.md) for the architectural decision rationale.
## Document Index
| Document | Purpose |

View File

@@ -0,0 +1,502 @@
# BLOCKED Tasks Dependency Tree
> **Last Updated:** 2025-12-04
> **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
## How to Use This Document
Before starting work on any BLOCKED task, check this tree to understand:
1. What is the **root blocker** (external dependency, missing spec, staffing, etc.)
2. What **chain of tasks** depends on it
3. Which team/guild owns the root blocker
---
## Legend
- **Root Blocker** — External/system cause (missing spec, staffing, disk space, etc.)
- **Chained Blocked** — Blocked by another BLOCKED task
- **Module** — Module/guild name
---
## 1. SIGNALS & RUNTIME FACTS (SGSI0101) — Critical Path
**Root Blocker:** `PREP-SIGNALS-24-002` (CAS promotion pending)
```
PREP-SIGNALS-24-002 (CAS promotion pending)
+-- 24-002: Surface cache availability
+-- 24-003: Runtime facts ingestion + provenance enrichment
+-- 24-004: Authority scopes + 24-003
+-- 24-005: 24-004 scoring outputs
```
**Root Blocker:** `SGSI0101 provenance feed/contract pending`
```
SGSI0101 provenance feed/contract pending
+-- 56-001: Telemetry provenance
+-- 401-004: Replay Core (awaiting runtime facts + GAP-REP-004)
```
**Impact:** 6+ tasks in Signals, Telemetry, Replay Core guilds
**To Unblock:** Deliver CAS promotion and SGSI0101 provenance contract
---
## 2. API GOVERNANCE (APIG0101) — DevPortal & SDK Chain
**Root Blocker:** `APIG0101 outputs` (API baseline missing)
```
APIG0101 outputs (API baseline)
+-- 62-001: DevPortal API baseline
| +-- 62-002: Blocked until 62-001
| +-- 63-001: Platform integration
| +-- 63-002: SDK Generator integration
|
+-- 63-003: SDK Generator (APIG0101 outputs)
+-- 63-004: SDK Generator outstanding
```
**Impact:** 6 tasks in DevPortal + SDK Generator guilds
**To Unblock:** Deliver APIG0101 API baseline outputs
---
## 3. VEX LENS CHAIN (30-00x Series)
**Root Blocker:** `VEX normalization + issuer directory + API governance specs`
```
VEX normalization + issuer directory + API governance specs
+-- 30-001: VEX Lens base
+-- 30-002
+-- 30-003 (Issuer Directory)
+-- 30-004 (Policy)
+-- 30-005
+-- 30-006 (Findings Ledger)
+-- 30-007
+-- 30-008 (Policy)
+-- 30-009 (Observability)
+-- 30-010 (QA)
+-- 30-011 (DevOps)
```
**Impact:** 11 tasks — full VEX Lens series
**To Unblock:** Publish VEX normalization spec, issuer directory contract, and API governance specs
---
## 4. DEPLOYMENT CHAIN (44-xxx to 45-xxx)
**Root Blocker:** `Upstream module releases` (service list/version pins)
```
Upstream module releases (service list/version pins)
+-- 44-001: Compose deployment base
| +-- 44-002
| +-- 44-003
| +-- 45-001
| +-- 45-002 (Security)
| +-- 45-003 (Observability)
|
+-- COMPOSE-44-001 (parallel blocker)
```
**Impact:** 7 tasks in Deployment Guild
**To Unblock:** Publish consolidated service list and version pins from upstream modules
---
## 5. AIRGAP ECOSYSTEM
### 5.1 Controller Chain
**Root Blocker:** `Disk full` (workspace cleanup needed)
```
Disk full (workspace cleanup needed)
+-- AIRGAP-CTL-57-001: Startup diagnostics
+-- AIRGAP-CTL-57-002: Seal/unseal telemetry
+-- AIRGAP-CTL-58-001: Time anchor persistence
```
### 5.2 Importer Chain
**Root Blocker:** `Disk space + controller telemetry`
```
Disk space + controller telemetry
+-- AIRGAP-IMP-57-002: Object-store loader
+-- AIRGAP-IMP-58-001: Import API + CLI
+-- AIRGAP-IMP-58-002: Timeline events
```
### 5.3 Time Chain
**Root Blocker:** `Controller telemetry + disk space`
```
Controller telemetry + disk space
+-- AIRGAP-TIME-57-002: Time anchor telemetry
+-- AIRGAP-TIME-58-001: Drift baseline
+-- AIRGAP-TIME-58-002: Staleness notifications
```
### 5.4 CLI AirGap Chain
**Root Blocker:** `Mirror bundle contract/spec` not available
```
Mirror bundle contract/spec not available
+-- CLI-AIRGAP-56-001: stella mirror create
+-- CLI-AIRGAP-56-002: Telemetry sealed mode
+-- CLI-AIRGAP-57-001: stella airgap import
+-- CLI-AIRGAP-57-002: stella airgap seal
+-- CLI-AIRGAP-58-001: stella airgap export evidence
```
### 5.5 Docs AirGap
**Root Blocker:** `CLI airgap contract` (CLI-AIRGAP-56/57)
```
CLI airgap contract (CLI-AIRGAP-56/57)
+-- AIRGAP-57-003: CLI & ops inputs
+-- AIRGAP-57-004: Ops Guild
```
**Impact:** 17+ tasks in AirGap ecosystem
**To Unblock:**
1. Clean up disk space
2. Publish mirror bundle contract/spec
3. Complete CLI-AIRGAP-56-001
---
## 6. CLI ATTESTOR CHAIN
**Root Blocker:** `Scanner analyzer compile failures + attestor SDK transport contract`
```
Scanner analyzer compile failures + attestor SDK transport contract
+-- CLI-ATTEST-73-001: stella attest sign
+-- CLI-ATTEST-73-002: stella attest verify
+-- CLI-ATTEST-74-001: stella attest list
+-- CLI-ATTEST-74-002: stella attest fetch
```
**Impact:** 4 tasks in CLI Attestor Guild
**To Unblock:** Fix scanner analyzer compile issues; publish attestor SDK transport contract
---
## 7. TASK RUNNER CHAINS
### 7.1 AirGap
**Root Blocker:** `TASKRUN-AIRGAP-56-002`
```
TASKRUN-AIRGAP-56-002
+-- TASKRUN-AIRGAP-57-001: Sealed environment check
+-- TASKRUN-AIRGAP-58-001: Evidence bundles
```
### 7.2 OAS Chain
**Root Blocker:** `TASKRUN-41-001` (DONE - chain should unblock)
```
TASKRUN-41-001 (DONE)
+-- TASKRUN-OAS-61-001: Task Runner OAS docs
+-- TASKRUN-OAS-61-002: OpenAPI well-known
+-- TASKRUN-OAS-62-001: SDK examples
+-- TASKRUN-OAS-63-001: Deprecation handling
```
### 7.3 Observability Chain
**Root Blocker:** `Timeline event schema + evidence-pointer contract`
```
Timeline event schema + evidence-pointer contract
+-- TASKRUN-OBS-52-001: Timeline events
+-- TASKRUN-OBS-53-001: Evidence locker snapshots
+-- TASKRUN-OBS-54-001: DSSE attestations
| +-- TASKRUN-OBS-55-001: Incident mode
+-- TASKRUN-TEN-48-001: Tenant context
```
**Impact:** 10+ tasks in Task Runner Guild
**To Unblock:** Publish timeline event schema and evidence-pointer contract
---
## 8. SCANNER CHAINS
**Root Blocker:** `PHP analyzer bootstrap spec/fixtures`
```
PHP analyzer bootstrap spec/fixtures (composer/VFS schema)
+-- SCANNER-ANALYZERS-PHP-27-001
```
**Root Blocker:** `18-503/504/505/506 outputs` (EntryTrace baseline)
```
18-503/504/505/506 outputs (EntryTrace baseline)
+-- SCANNER-ENTRYTRACE-18-508
```
**Root Blocker:** `Task definition/contract missing`
```
Task definition/contract missing
+-- SCANNER-SURFACE-01
```
**Root Blocker:** `SCANNER-ANALYZERS-JAVA-21-007`
```
SCANNER-ANALYZERS-JAVA-21-007
+-- ANALYZERS-JAVA-21-008
```
**Root Blocker:** `Local dotnet tests hanging`
```
SCANNER-ANALYZERS-LANG-10-309 (DONE, but local tests hanging)
+-- ANALYZERS-LANG-11-001
```
**Impact:** 5 tasks in Scanner Guild
**To Unblock:**
1. Publish PHP analyzer bootstrap spec
2. Complete EntryTrace 18-503/504/505/506
3. Define SCANNER-SURFACE-01 contract
4. Complete JAVA-21-007
5. Fix local dotnet test environment
---
## 8.1 CLI COMPILE FAILURES (Detailed Analysis)
> **Analysis Date:** 2025-12-04
> **Status:** ✅ **RESOLVED** (2025-12-04)
> **Resolution:** See `docs/implplan/CLI_AUTH_MIGRATION_PLAN.md`
The CLI (`src/Cli/StellaOps.Cli`) had significant API drift from its dependencies. This has been resolved.
### Remediation Summary (All Fixed)
| Library | Issue | Status |
|---------|-------|--------|
| `StellaOps.Auth.Client` | `IStellaOpsTokenClient` interface changed | ✅ **FIXED** - Extension methods created |
| `StellaOps.Cli.Output` | `CliError` constructor change | ✅ **FIXED** |
| `System.CommandLine` | API changes in 2.0.0-beta5+ | ✅ **FIXED** |
| `Spectre.Console` | `Table.AddRow` signature change | ✅ **FIXED** |
| `BackendOperationsClient` | `CreateFailureDetailsAsync` return type | ✅ **FIXED** |
| `CliProfile` | Class→Record conversion | ✅ **FIXED** |
| `X509Certificate2` | Missing using directive | ✅ **FIXED** |
| `StellaOps.PolicyDsl` | `PolicyIssue` properties changed | ✅ **FIXED** |
| `CommandHandlers` | Method signature mismatches | ✅ **FIXED** |
### Build Result
**Build succeeded with 0 errors, 6 warnings** (warnings are non-blocking)
### Previously Blocked Tasks (Now Unblocked)
```
CLI Compile Failures (RESOLVED)
+-- CLI-ATTEST-73-001: stella attest sign → UNBLOCKED
+-- CLI-ATTEST-73-002: stella attest verify → UNBLOCKED
+-- CLI-AIAI-31-001: Advisory AI CLI integration → UNBLOCKED
+-- CLI-AIRGAP-56-001: stella mirror create → UNBLOCKED
+-- CLI-401-007: Reachability evidence chain → UNBLOCKED
+-- CLI-401-021: Reachability chain CI/attestor → UNBLOCKED
```
### Key Changes Made
1. Created `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` with compatibility shims
2. Updated 8 service files to use new Auth.Client API pattern
3. Fixed CommandFactory.cs method call argument order/types
4. Updated PolicyDiagnostic model (Path instead of Line/Column/Span/Suggestion)
5. Fixed CommandHandlers.cs static type and diagnostic rendering
---
## 9. CONCELIER RISK CHAIN
**Root Blocker:** `POLICY-20-001 outputs + AUTH-TEN-47-001 + shared signals library`
```
POLICY-20-001 + AUTH-TEN-47-001 + shared signals library
+-- CONCELIER-RISK-66-001: Vendor CVSS/KEV data
+-- CONCELIER-RISK-66-002: Fix-availability metadata
+-- CONCELIER-RISK-67-001: Coverage/conflict metrics
+-- CONCELIER-RISK-68-001: Advisory signal pickers
+-- CONCELIER-RISK-69-001 (continues)
```
**Impact:** 5+ tasks in Concelier Core Guild
**To Unblock:** Complete POLICY-20-001, AUTH-TEN-47-001, and adopt shared signals library
---
## 10. WEB/GRAPH CHAIN
**Root Blocker:** Upstream dependencies (unspecified)
```
Upstream dependencies
+-- WEB-GRAPH-21-001: Graph gateway routes
+-- WEB-GRAPH-21-002: Parameter validation
+-- WEB-GRAPH-21-003: Error mapping
+-- WEB-GRAPH-21-004: Policy Engine proxy
```
**Root Blocker:** `WEB-POLICY-20-004`
```
WEB-POLICY-20-004
+-- WEB-POLICY-23-001: Policy packs API
+-- WEB-POLICY-23-002: Activation endpoint
```
**Impact:** 6 tasks in BE-Base Platform Guild
**To Unblock:** Complete WEB-POLICY-20-004 and upstream graph dependencies
---
## 11. STAFFING / PROGRAM MANAGEMENT BLOCKERS
**Root Blocker:** `PGMI0101 staffing confirmation`
```
PGMI0101 staffing confirmation
+-- 54-001: Exporter/AirGap/CLI coordination
+-- 64-002: DevPortal Offline
+-- AIRGAP-46-001: Mirror staffing + DSSE plan
```
**Root Blocker:** `PROGRAM-STAFF-1001` (staffing not assigned)
```
PROGRAM-STAFF-1001 (staffing not assigned)
+-- 54-001 (same as above)
```
**Impact:** 3 tasks
**To Unblock:** Confirm staffing assignments via Program Management Guild
---
## 12. BENCHMARK CHAIN
**Root Blocker:** `CAGR0101 outputs` (Graph platform)
```
CAGR0101 outputs (Graph platform)
+-- BENCH-GRAPH-21-001: Graph benchmark harness
+-- BENCH-GRAPH-21-002: UI load benchmark
```
**Impact:** 2 tasks in Bench Guild
**To Unblock:** Complete CAGR0101 Graph platform outputs
---
## 13. FINDINGS LEDGER
**Root Blocker:** `LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors`
```
LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
+-- 58 series: LEDGER-AIRGAP chain
+-- AIRGAP-58-001: Concelier bundle contract
+-- AIRGAP-58-002
+-- AIRGAP-58-003
+-- AIRGAP-58-004
```
**Impact:** 5 tasks in Findings Ledger + AirGap guilds
**To Unblock:** Publish LEDGER-AIRGAP-56-002 staleness spec and time anchor contract
---
## 14. MISCELLANEOUS BLOCKED TASKS
| Task ID | Root Blocker | Guild |
|---------|--------------|-------|
| FEED-REMEDIATION-1001 | Scope missing; needs remediation runbook | Concelier Feed Owners |
| CLI-41-001 | Pending clarified scope | Docs/DevEx Guild |
| CLI-42-001 | Pending clarified scope | Docs Guild |
| CLI-AIAI-31-001 | Scanner analyzers compile failures | DevEx/CLI Guild |
| CLI-401-007 | Reachability evidence chain contract | UI & CLI Guilds |
| CLI-401-021 | Reachability chain CI/attestor contract | CLI/DevOps Guild |
| SVC-35-001 | Unspecified | Exporter Service Guild |
| VEX-30-001 | Unspecified | Console/BE-Base Guild |
| VULN-29-001 | Unspecified | Console/BE-Base Guild |
| WEB-RISK-66-001 | npm ci hangs; Angular tests broken | BE-Base/Policy Guild |
| CONCELIER-LNM-21-003 | Requires #8 heuristics | Concelier Core Guild |
---
## Summary Statistics
| Root Blocker Category | Root Blockers | Downstream Tasks |
|----------------------|---------------|------------------|
| SGSI0101 (Signals/Runtime) | 2 | ~6 |
| APIG0101 (API Governance) | 1 | 6 |
| VEX Specs | 1 | 11 |
| Deployment/Compose | 1 | 7 |
| AirGap Ecosystem | 4 | 17+ |
| Scanner Compile/Specs | 5 | 5 |
| Task Runner Contracts | 3 | 10+ |
| Staffing/Program Mgmt | 2 | 3 |
| Disk Full | 1 | 6 |
| Graph/Policy Upstream | 2 | 6 |
| Miscellaneous | 11 | 11 |
**Total BLOCKED tasks:** ~100+
---
## Priority Unblocking Actions
These root blockers, if resolved, will unblock the most downstream tasks:
1. **SGSI0101** — Unblocks Signals chain + Telemetry + Replay Core (~6 tasks)
2. **APIG0101** — Unblocks DevPortal + SDK Generator (6 tasks)
3. **VEX normalization spec** — Unblocks 11 VEX Lens tasks
4. **Mirror bundle contract** — Unblocks CLI AirGap + Importer chains (~8 tasks)
5. **Disk cleanup** — Unblocks AirGap Controller/Time chains (6 tasks)
6. **Scanner analyzer fixes** — Unblocks CLI Attestor + Advisory AI (5+ tasks)
7. **Upstream module releases** — Unblocks Deployment chain (7 tasks)
8. **Timeline event schema** — Unblocks Task Runner Observability (5 tasks)
---
## Cross-Reference
- Sprint files reference this document for BLOCKED task context
- Update this file when root blockers are resolved
- Notify dependent guilds when unblocking occurs
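Review bot: Section 8.1 marks the CLI compile failures as resolved and lists CLI-ATTEST-73-001, CLI-ATTEST-73-002, CLI-AIAI-31-001, CLI-AIRGAP-56-001, CLI-401-007 and CLI-401-021 as UNBLOCKED, but the same tasks are still shown as blocked elsewhere in this new file: section 6 (CLI Attestor chain), section 5.4 (CLI-AIRGAP-56-001), the section 14 table, and item 6 under Priority Unblocking Actions. Either remove them from those sections or state which remaining blocker (for example the attestor SDK transport contract or the mirror bundle contract) still applies. Section 7.2 has the same problem: its root blocker `TASKRUN-41-001` is marked DONE, so the chain should not be listed without a current blocker. In Summary Statistics, "Disk Full | 1 | 6" overlaps the AirGap Ecosystem row, and the rows sum to roughly 88, not the stated "~100+". Section 8.1 also sits under the Scanner chains heading although it covers the CLI; a top-level section number would be clearer.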

View File

@@ -0,0 +1,143 @@
# CLI Auth.Client Migration Plan
> **Created:** 2025-12-04
> **Status:** COMPLETED
> **Completed:** 2025-12-04
## Problem Statement
The CLI services used an older `IStellaOpsTokenClient` API that no longer exists. This document outlines the migration strategy and tracks completion.
## Summary of Changes
### Files Created
- `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` - Compatibility shim methods
### Files Modified
#### Service Files (Auth.Client API Migration)
1. `OrchestratorClient.cs` - Updated scope references
2. `VexObservationsClient.cs` - Updated to use `GetAccessTokenAsync(string)` extension, removed `IsSuccess` check
3. `SbomerClient.cs` - Fixed `GetTokenAsync` to use `AccessToken` property
4. `ExceptionClient.cs` - Updated token acquisition pattern
5. `NotifyClient.cs` - Updated token acquisition pattern
6. `ObservabilityClient.cs` - Updated token acquisition pattern
7. `PackClient.cs` - Updated token acquisition pattern
8. `SbomClient.cs` - Updated token acquisition pattern
#### Command Handlers (Signature Fixes)
9. `CommandHandlers.cs`:
- Fixed `CreateLogger<CommandHandlers>()` static type error (line 80)
- Fixed PolicyDsl diagnostic rendering (removed Line/Column/Suggestion, added Path)
10. `CommandFactory.cs`:
- Fixed `HandleExceptionsListAsync` argument order and count
- Fixed `HandleExceptionsCreateAsync` argument order, expiration type conversion
- Fixed `HandleExceptionsPromoteAsync` argument order
- Fixed `HandleExceptionsExportAsync` argument order and count
- Fixed `HandleExceptionsImportAsync` argument order
#### Model Updates
11. `PolicyWorkspaceModels.cs` - Updated `PolicyDiagnostic` class (replaced Line/Column/Span/Suggestion with Path)
## Old API (Removed)
```csharp
// Methods that no longer exist
Task<StellaOpsTokenResult> GetTokenAsync(StellaOpsTokenRequest request, CancellationToken ct);
Task<StellaOpsTokenResult> GetAccessTokenAsync(string[] scopes, CancellationToken ct);
// Types that no longer exist
class StellaOpsTokenRequest { string[] Scopes; }
static class StellaOpsScope { const string OrchRead = "orch:read"; }
// Properties removed from StellaOpsTokenResult
bool IsSuccess;
```
## New API (Current)
```csharp
interface IStellaOpsTokenClient
{
Task<StellaOpsTokenResult> RequestClientCredentialsTokenAsync(
string? scope = null,
IReadOnlyDictionary<string, string>? additionalParameters = null,
CancellationToken cancellationToken = default);
ValueTask<StellaOpsTokenCacheEntry?> GetCachedTokenAsync(string key, CancellationToken ct);
ValueTask CacheTokenAsync(string key, StellaOpsTokenCacheEntry entry, CancellationToken ct);
}
// StellaOpsTokenResult record properties:
// - AccessToken (string)
// - TokenType (string)
// - ExpiresAtUtc (DateTimeOffset)
// - Scopes (IReadOnlyList<string>)
```
## Migration Approach
### Extension Methods Created
```csharp
public static class StellaOpsTokenClientExtensions
{
// Single scope version
public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
this IStellaOpsTokenClient client,
string scope,
CancellationToken cancellationToken = default);
// Multi-scope version
public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
this IStellaOpsTokenClient client,
IEnumerable<string> scopes,
CancellationToken cancellationToken = default);
// Cached token version
public static async Task<StellaOpsTokenCacheEntry> GetCachedAccessTokenAsync(
this IStellaOpsTokenClient client,
string scope,
CancellationToken cancellationToken = default);
// Parameterless version
public static async Task<StellaOpsTokenResult> GetTokenAsync(
this IStellaOpsTokenClient client,
CancellationToken cancellationToken = default);
}
```
### Scope Constants
Used `StellaOpsScopes` from `StellaOps.Auth.Abstractions` namespace (e.g., `StellaOpsScopes.OrchRead`, `StellaOpsScopes.VexRead`).
## Build Results
**Build succeeded with 0 errors, 6 warnings:**
- 3x CS8629 nullable warnings in OutputRenderer.cs
- 1x CS0618 obsolete warning (VulnRead → VulnView)
- 1x SYSLIB0057 obsolete X509Certificate2 constructor
- 1x CS0219 unused variable warning
## Implementation Checklist
- [x] Create `StellaOpsTokenClientExtensions.cs`
- [x] Verify `StellaOpsScopes` exists in Auth.Abstractions
- [x] Update OrchestratorClient.cs
- [x] Update VexObservationsClient.cs
- [x] Update SbomerClient.cs
- [x] Update ExceptionClient.cs
- [x] Update NotifyClient.cs
- [x] Update ObservabilityClient.cs
- [x] Update PackClient.cs
- [x] Update SbomClient.cs
- [x] Fix CommandHandlers static type error
- [x] Fix PolicyDsl API changes (PolicyIssue properties)
- [x] Fix HandleExceptionsListAsync signature
- [x] Fix HandleExceptionsCreateAsync signature
- [x] Fix HandleExceptionsPromoteAsync signature
- [x] Fix HandleExceptionsExportAsync signature
- [x] Fix HandleExceptionsImportAsync signature
- [x] Update PolicyDiagnostic model
- [x] Build verification passed
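Review bot: The entry for `VexObservationsClient.cs` says the `IsSuccess` check was removed, and the New API listing shows `StellaOpsTokenResult` with only `AccessToken`, `TokenType`, `ExpiresAtUtc` and `Scopes`, but nothing in the plan says how a failed token request is now reported to callers. Document whether `RequestClientCredentialsTokenAsync` throws on failure, so reviewers can confirm that the eight migrated clients cannot continue with an empty or stale `AccessToken`. Under Extension Methods Created, the declarations are written as `public static async Task<...> ...;` with no body, which is not valid C#; drop `async` from the signatures or show the bodies. `GetCachedAccessTokenAsync` returns a non-nullable `StellaOpsTokenCacheEntry` while the underlying `GetCachedTokenAsync` returns a nullable one, so the plan should state what happens on a cache miss. The multi-scope overload should say how several scopes map onto the single `string? scope` parameter. The "(line 80)" reference will go stale quickly and could be replaced with the method name.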

View File

@@ -21,6 +21,8 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/advisory-ai/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
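Review bot: The added blockquote links to `./BLOCKED_DEPENDENCY_TREE.md`, and the identical line is pasted into each of the sprint files in the hunks that follow. The relative link resolves only for files in the same directory as the tree document, so confirm that every touched file sits there, or use a repository-rooted path. Because the text is duplicated verbatim in this many files, consider stating it once in a shared sprint template or index so later wording changes do not require touching every sprint file.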

View File

@@ -25,6 +25,8 @@
- `src/Concelier/AGENTS.md` (module charter, testing/guardrail rules)
- `docs/modules/concelier/link-not-merge-schema.md` (LNM schema v1, frozen 2025-11-17)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -23,6 +23,8 @@
- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -23,6 +23,8 @@
- docs/modules/concelier/architecture.md (policy/risk/tenant scope sections)
- docs/dev/raw-linkset-backfill-plan.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -24,6 +24,8 @@
- docs/modules/concelier/architecture.md (airgap, AOC, observability)
- Link-Not-Merge API specs and error envelope guidelines
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -24,6 +24,8 @@
- docs/modules/concelier/architecture.md (connectors, evidence locker integration)
- docs/migration/no-merge.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -24,6 +24,8 @@
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files (Core, WebService, Worker).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -24,6 +24,8 @@
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files (WebService, Core, Storage).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -23,6 +23,8 @@
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files (WebService).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -44,6 +44,8 @@
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/observability/policy.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -26,6 +26,8 @@
- docs/modules/findings-ledger/workflow-inference.md
- src/Findings/StellaOps.Findings.Ledger/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -20,6 +20,8 @@
- `docs/modules/findings-ledger/prep/ledger-attestations-http.md`
- `docs/modules/findings-ledger/prep/ledger-risk-prep.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -27,6 +27,8 @@
- docs/modules/findings-ledger/workflow-inference.md
- src/Findings/StellaOps.Findings.Ledger/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -25,6 +25,8 @@
- `docs/modules/policy/architecture.md`
- Any export/air-gap/attestation contract docs once published.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -20,6 +20,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Interlocks
- POLICY-CONSOLE-23-001 (Console export/simulation contract from BE-Base Platform) satisfied on 2025-12-02 via `docs/modules/policy/contracts/policy-console-23-001-console-api.md`.

View File

@@ -17,6 +17,8 @@
- `docs/modules/devops/architecture.md`
- `docs/modules/policy/architecture.md` (for provenance expectations)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -21,6 +21,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -17,6 +17,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -20,6 +20,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -21,6 +21,8 @@
- `docs/modules/policy/architecture.md`
- Module docs for Registry, RiskEngine, VexLens, VulnExplorer as applicable.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -25,6 +25,8 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -26,6 +26,8 @@
- docs/modules/scanner/architecture.md
- Ensure module-level AGENTS.md exists for `src/Scanner`; if missing, complete the governance task below.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -16,6 +16,8 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -16,6 +16,8 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -16,6 +16,8 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -16,6 +16,8 @@
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -16,6 +16,8 @@
- `docs/modules/scanner/architecture.md`; `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`.
- AGENTS for involved components: `src/Scanner/StellaOps.Scanner.Worker/AGENTS.md`, `src/Scanner/StellaOps.Scanner.WebService/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md`.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

View File

@@ -21,6 +21,8 @@
- docs/modules/concelier/architecture.md
- docs/modules/zastava/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/sbomservice/architecture.md (module dossier).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- src/Signals/StellaOps.Signals/AGENTS.md.
- CAS waiver/remediation checklist dated 2025-11-17 for SIGNALS-24-002/004/005 scope.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -19,6 +19,8 @@
- src/Zastava/StellaOps.Zastava.Observer/AGENTS.md
- src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -14,6 +14,8 @@
- `docs/modules/platform/architecture-overview.md`
- Any mirror DSSE drafts (if available).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- docs/modules/taskrunner/architecture.md
- docs/modules/registry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -14,6 +14,8 @@
- docs/modules/mirror/milestone-0-thin-bundle.md
- docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -14,6 +14,8 @@
- docs/modules/export-center/architecture.md
- docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/graph/architecture.md
- docs/modules/telemetry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- docs/modules/orchestrator/architecture.md
- src/Orchestrator/StellaOps.Orchestrator/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- `docs/modules/platform/architecture-overview.md`
- Module charter: `src/Orchestrator/StellaOps.Orchestrator/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- docs/modules/devops/architecture.md
- Any PacksRegistry AGENTS.md (if present under src/PacksRegistry).
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/scheduler/architecture.md
- src/Scheduler/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/scheduler/implementation_plan.md
- docs/modules/platform/architecture-overview.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/taskrunner/architecture.md (if available)
- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -13,6 +13,8 @@
- `docs/modules/platform/architecture-overview.md`
- `src/TaskRunner/StellaOps.TaskRunner/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -21,6 +21,8 @@
- docs/task-packs/runbook.md
- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -19,6 +19,8 @@
- `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
- `docs/events/orchestrator-scanner-events.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -20,6 +20,8 @@
- `docs/events/orchestrator-scanner-events.md`
- `docs/modules/cli/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
- DevPortal offline guidance (DVOFF-64 series) as provided by DevPortal Offline Guild
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
- Observability guidance/dashboards referenced by Observability Guild
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/export-center/architecture.md
- src/ExportCenter/AGENTS.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/export-center/architecture.md (for evidence linkage)
- src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md (if present)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/notifications/architecture.md
- docs/modules/telemetry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Track | Status | Key dependency / next step | Owners | Notes |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- docs/notifications/templates.md
- src/Notifier/StellaOps.Notifier/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -15,6 +15,8 @@
- docs/modules/notifications/architecture.md
- src/Notifier/StellaOps.Notifier/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -15,6 +15,8 @@
- docs/modules/notifications/architecture.md
- src/Notifier/StellaOps.Notifier/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/telemetry/architecture.md
- src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -15,6 +15,8 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/telemetry/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -14,6 +14,8 @@
- docs/modules/platform/architecture-overview.md (Replay CAS §5)
- docs/replay/DETERMINISTIC_REPLAY.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -19,6 +19,8 @@
- Product advisory: `docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md` (canonical for SPDX/VEX work)
- SPDX 3.0.1 specification: https://spdx.github.io/spdx-spec/v3.0.1/
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/runbooks/replay_ops.md
- docs/security/crypto-routing-audit-2025-11-07.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -21,6 +21,8 @@
- FIRST CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4-0
- Module AGENTS.md: Create `src/Policy/StellaOps.Policy.Scoring/AGENTS.md` as part of task 1
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -15,6 +15,8 @@
- docs/modules/platform/architecture-overview.md
- docs/implplan/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
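Review bot: the added callout is pasted verbatim into each tracker file, yet the prerequisite list directly above it already sends readers to `docs/implplan/AGENTS.md`. Stating the BLOCKED-task rule once there (or in the sprint template) and keeping only a short pointer in each file would avoid touching dozens of documents again if the dependency tree is renamed or moved.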


@@ -17,6 +17,8 @@
- `docs/modules/cli/architecture.md`.
- `src/Cli/StellaOps.Cli/AGENTS.md` and `docs/implplan/AGENTS.md`.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/cli/architecture.md
- src/Cli/StellaOps.Cli/AGENTS.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- `docs/modules/platform/architecture.md`
- `docs/modules/ui/architecture.md` (for shared UX conventions)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -20,6 +20,8 @@
- `docs/modules/graph/implementation_plan.md`
- `src/Graph/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- docs/modules/cli/architecture.md; docs/modules/ui/architecture.md.
- API/OAS governance specs referenced by APIG0101 and portal contracts (DEVL0101) once published.
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -25,6 +25,8 @@
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -25,6 +25,8 @@
- `docs/schemas/audit-bundle-index.schema.json`
- Advisory: "28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md"
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -25,6 +25,8 @@
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/api/console/workspaces.md` plus `docs/api/console/samples/` artifacts
- `docs/implplan/archived/tasks.md` for prior completions
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition / Evidence |
| --- | --- | --- | --- | --- | --- |
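Review bot: the `./` relative link in the added callout breaks as soon as this file leaves its current directory, and the context line above it references an `archived/` subfolder under `docs/implplan`. If closed sprint files are moved into a subfolder like that, use a path that survives the move, such as a repository-rooted `docs/...` path in the style of the other references in this list.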


@@ -20,6 +20,8 @@
- `docs/modules/export-center/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -23,6 +23,8 @@
- `docs/schemas/vex-decision.schema.json`
- `docs/schemas/audit-bundle-index.schema.json`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/policy/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/ui/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/scanner/architecture.md`
- `docs/modules/airgap/architecture.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Task Board
| Task ID | Status | Owner(s) | Dependencies | Notes |
| --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -19,6 +19,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -17,6 +17,8 @@
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/orchestrator/implementation_plan.md
- docs/modules/platform/architecture-overview.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/implementation_plan.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/scanner/architecture.md
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -16,6 +16,8 @@
- docs/modules/scheduler/implementation_plan.md
- docs/modules/scheduler/AGENTS.md (this sprint refreshes it)
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |


@@ -18,6 +18,8 @@
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |

Some files were not shown because too many files have changed in this diff