stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 23:20:14 +02:00
parent 3411e825cd
commit b058dbe031
356 changed files with 68310 additions and 1108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

230
docs/implplan/archived/SPRINT_0401_0001_0001_reachability_evidence_chain.md Normal file
View File

@@ -0,0 +1,230 @@
# Sprint 0401.0001.0001 - Reachability Evidence Chain
## Topic & Scope
- Window: 2025-11-11 -> 2025-11-22 (UTC); finish the provable reachability pipeline so Sprint 0402 can focus on polish.
- Deliver function-level evidence chain (graph CAS -> replay -> DSSE -> policy/UI) with signed artifacts and replayable fixtures.
- Ship operator-facing docs/runbooks plus benchmarks that validate deterministic reachability scoring.
- **Working directory:** `docs/implplan` (cross-guild coordination; implementation happens in module paths noted per task).
## Dependencies & Concurrency
- Upstream: Sprint 0400 foundation plus Sprint 0140 Runtime & Signals, Sprint 0185 Replay Core, Sprint 0186 Scanner Record Mode, Sprint 0187 Evidence Locker & CLI Integration.
- Do not start reachability build tasks until Scanner record mode emits replay manifests and Evidence Locker APIs are reachable.
- Guilds may execute in parallel once CAS contracts and DSSE predicate schemas stabilise; keep deterministic ordering of manifests/fixtures.
## Documentation Prerequisites
- docs/reachability/DELIVERY_GUIDE.md
- docs/reachability/function-level-evidence.md
- docs/reachability/lattice.md
- docs/benchmarks/vex-evidence-playbook.md
- docs/09_API_CLI_REFERENCE.md
- docs/modules/scanner/architecture.md
- docs/modules/policy/architecture.md
- docs/modules/excititor/architecture.md
- docs/modules/cli/architecture.md
- docs/modules/signer/architecture.md
- docs/specs/SYMBOL_MANIFEST_v1.md
- docs/policy/dsl.md
- docs/policy/lifecycle.md
- docs/uncertainty/README.md
- docs/replay/DETERMINISTIC_REPLAY.md
- docs/provenance/inline-dsse.md
- docs/ci/dsse-build-flow.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | GRAPH-CAS-401-001 | DONE (2025-12-11) | richgraph-v1 schema finalized; BLAKE3 graph_hash via RichGraphWriter; CAS paths now use `cas://reachability/graphs/{blake3}`; tests passing. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{blake3}`, update adapters/fixtures. |
| 2 | GAP-SYM-007 | DONE (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild - Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | DONE (2025-12-13) | Complete: Implemented Java and .NET callgraph builders with reachability graph models at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Callgraph/` and `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Callgraph/`. Files: `JavaReachabilityGraph.cs`, `JavaCallgraphBuilder.cs`, `DotNetReachabilityGraph.cs`, `DotNetCallgraphBuilder.cs`. Includes method nodes, call edges, synthetic roots (Main, static initializers, controllers, test methods, Azure Functions, AWS Lambda), unknowns, and deterministic graph hashing. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | DONE (2025-12-13) | Complete: Added demangler infrastructure with `ISymbolDemangler` interface, `CompositeDemangler` with Itanium ABI, Rust, and heuristic demanglers at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/`. ELF/PE/Mach-O parsers implemented with build-ID extraction. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 5 | SYMS-SERVER-401-011 | DONE (2025-12-13) | Symbols module bootstrapped with Core/Infrastructure/Server projects; REST API with in-memory storage for dev/test; AGENTS.md created; `src/Symbols/StellaOps.Symbols.Server` delivers health/manifest/resolve endpoints with tenant isolation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
| 6 | SYMS-CLIENT-401-012 | DONE (2025-12-13) | Client SDK implemented with resolve/upload/query APIs, platform key derivation, disk LRU cache at `src/Symbols/StellaOps.Symbols.Client`. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | DONE (2025-12-13) | Symbols ingest CLI (`stella-symbols`) implemented at `src/Symbols/StellaOps.Symbols.Ingestor.Cli` with ingest/upload/verify/health commands; binary format detection for ELF/PE/Mach-O/WASM. | Symbols Guild - DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | DONE (2025-12-13) | Complete: Added `SignalsRetentionOptions` for TTL/cleanup policy, extended `IReachabilityFactRepository` with GetExpiredAsync/DeleteAsync/GetRuntimeFactsCountAsync/TrimRuntimeFactsAsync, implemented `RuntimeFactsRetentionService` background cleanup, added `ReachabilityFactCacheDecorator` passthrough methods, and RBAC/tenant isolation tests. | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | DONE (2025-12-12) | Synthetic probe payloads + ingestion stub available; start instrumentation against Signals runtime endpoint. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | DONE (2025-12-12) | Unblocked by synthetic runtime feeds; proceed with scoring using hashed fixtures from Sprint 0512 until live feeds land. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | DONE (2025-12-12) | CAS registration policy adopted (BLAKE3 per CONTRACT-RICHGRAPH-V1-015); proceed with manifest v2 + deterministic tests. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 12 | AUTH-REACH-401-005 | DONE (2025-11-27) | Predicate types exist; DSSE signer service added. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
| 13 | POLICY-VEX-401-006 | DONE (2025-12-13) | Complete: Implemented VexDecisionEmitter with VexDecisionModels.cs (OpenVEX document/statement/evidence models), VexDecisionEmitter.cs (fact-to-VEX status mapping, lattice state bucketing, gate evaluation), PolicyEngineTelemetry.cs (VEX decision metrics), DI registration, and 10 passing tests. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionModels.cs`, `VexDecisionEmitter.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionEmitterTests.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | DONE (2025-12-13) | Complete: Implemented VexDecisionSigningService with DSSE envelope creation, Rekor submission, evidence hash attachment. Created `IVexDecisionSigningService` interface with Sign/Verify methods, `VexDsseEnvelope`/`VexDsseSignature` records, `VexRekorMetadata`/`VexRekorInclusionProof` records, `IVexSignerClient`/`IVexRekorClient` client interfaces, `VexSigningOptions` configuration, local signing fallback (PAE/SHA256), telemetry via `RecordVexSigning`, DI registration (`AddVexDecisionSigning`), and 16 passing tests. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionSigningService.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionSigningServiceTests.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | DONE (2025-12-14) | Complete: Implemented `stella graph explain` CLI command with full evidence chain support. Added `GraphExplainRequest`/`GraphExplainResult` models with `SignedCallPath`, `RuntimeHit`, `ReachabilityPredicate`, `DssePointer`, `CounterfactualControl`, `GraphVexDecision` types. Command options: `--graph-id`, `--vuln-id`, `--purl`, `--call-paths`, `--runtime-hits`, `--predicates`, `--dsse`, `--counterfactuals`, `--full-evidence`, `--json`. Handler renders signed call paths with DSSE/Rekor pointers, runtime hits table, predicates list, DSSE envelope pointers table, counterfactual controls with risk reduction. Files: `src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs`, `Services/IBackendOperationsClient.cs`, `Services/BackendOperationsClient.cs`, `Commands/CommandFactory.cs`, `Commands/CommandHandlers.cs`. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/Web/StellaOps.Web`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | DONE (2025-12-14) | Complete: Created comprehensive `tests/README.md` with reachability corpus structure, ground-truth schema (`reachbench.reachgraph.truth/v1`), CI integration documentation, CAS layout reference (BLAKE3 paths for graphs/runtime-facts/replay/evidence/DSSE/symbols), replay manifest v2 schema, replay workflow steps (export/validate/fetch/import/run), validation error codes, benchmark automation guide. CI workflow `.gitea/workflows/reachability-corpus-ci.yml` validates corpus integrity on push/PR. Runtime ingestion runbook already at `docs/runbooks/reachability-runtime.md`. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | DONE (2025-12-13) | Complete: Implemented CAS-backed runtime-facts batch ingestion. Created `IRuntimeFactsArtifactStore.cs` interface with `FileSystemRuntimeFactsArtifactStore.cs` implementation storing artifacts at `cas://reachability/runtime-facts/{hash}`. Extended `RuntimeFactsIngestionService` with `IngestBatchAsync` method supporting NDJSON/gzip streams, BLAKE3 hashing, CAS storage, subject grouping, and CAS URI linking to `ReachabilityFactDocument`. Added `RuntimeFactsBatchIngestResponse` record. Updated `ReachabilityFactDocument` with `RuntimeFactsBatchUri` and `RuntimeFactsBatchHash` fields. Added 6 passing tests in `RuntimeFactsBatchIngestionTests.cs`. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | DONE (2025-12-13) | Complete: added `IReachabilityStoreRepository` + `InMemoryReachabilityStoreRepository` with store models (`FuncNodeDocument`, `CallEdgeDocument`, `CveFuncHitDocument`) and integrated callgraph ingestion to populate the store; Mongo index script at `ops/mongo/indices/reachability_store_indices.js`; Signals test suites passing. | Signals Guild - BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | DONE (2025-12-13) | Complete: Implemented replay manifest v2 with hash field (algorithm prefix), hashAlg, code_id_coverage, sorted CAS entries. Added ICasValidator interface, ReplayManifestValidator with error codes (REPLAY_MANIFEST_MISSING_VERSION, VERSION_MISMATCH, MISSING_HASH_ALG, UNSORTED_ENTRIES, CAS_NOT_FOUND, HASH_MISMATCH), UpgradeToV2 migration, and 18 deterministic tests per acceptance contract. Files: `ReplayManifest.cs`, `ReachabilityReplayWriter.cs`, `CasValidator.cs`, `ReplayManifestValidator.cs`, `ReplayManifestV2Tests.cs`. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | DONE (2025-12-13) | Complete: Implemented Signals-backed reachability facts integration for Policy Engine. Created `IReachabilityFactsSignalsClient.cs` interface with HTTP client (`ReachabilityFactsSignalsClient.cs`) for `GET /signals/facts/{subjectKey}` and `POST /signals/reachability/recompute` endpoints. Implemented `SignalsBackedReachabilityFactsStore.cs` mapping Signals responses to Policy's ReachabilityFact model with state determination (Reachable/Unreachable/Unknown/UnderInvestigation), confidence aggregation, analysis method detection (Static/Dynamic/Hybrid), and metadata extraction (callgraph_id, scan_id, lattice_states, uncertainty_tier, runtime_hits). Added DI extensions: `AddReachabilityFactsSignalsClient`, `AddSignalsBackedReachabilityFactsStore`, `AddReachabilityFactsSignalsIntegration`. 32 passing tests in `SignalsBackedReachabilityFactsStoreTests.cs` and `ReachabilityFactsSignalsClientTests.cs`. Files: `src/Policy/StellaOps.Policy.Engine/ReachabilityFacts/IReachabilityFactsSignalsClient.cs`, `ReachabilityFactsSignalsClient.cs`, `SignalsBackedReachabilityFactsStore.cs`, `DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | DONE (2025-12-14) | Complete: Enhanced `stella vex consensus show` with evidence display options (`--call-paths`, `--graph-hash`, `--runtime-hits`, `--full-evidence`). Added `VexReachabilityEvidence`, `VexCallPath`, `VexRuntimeHit` models to `VexModels.cs`. Updated `RenderVexConsensusDetail` to display call graph info, call paths with DSSE/Rekor pointers, and runtime hits table. Created `etc/notify-templates/vex-decision.yaml.sample` with Email/Slack/Teams/Webhook templates showing reachability evidence (state, confidence, call paths, runtime hits, DSSE, Rekor). Build passes. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `Commands/CommandHandlers.cs`, `Services/Models/VexModels.cs`, `etc/notify-templates/vex-decision.yaml.sample`. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/Web/StellaOps.Web`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 22 | GAP-DOC-008 | DONE (2025-12-13) | Complete: Updated `docs/reachability/function-level-evidence.md` with comprehensive cross-module evidence chain guide (schema, API, CLI, OpenVEX integration, replay manifest v2). Added Signals callgraph/runtime-facts API schema + `stella graph explain/export/verify` CLI commands to `docs/09_API_CLI_REFERENCE.md`. Expanded `docs/api/policy.md` section 6.0 with lattice states, evidence block schema, and Rego policy examples. Created OpenVEX + replay samples under `samples/reachability/` (richgraph-v1-sample.json, openvex-affected/not-affected samples, replay-manifest-v2-sample.json, runtime-facts-sample.ndjson). | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
| 23 | CLI-VEX-401-011 | DONE (2025-12-13) | Complete: Implemented `stella decision export|verify|compare` commands with DSSE/Rekor integration. Added `BuildDecisionCommand` to CommandFactory.cs with export (tenant, scan-id, vuln-id, purl, status filters, format options openvex/dsse/ndjson, --sign, --rekor, --include-evidence), verify (DSSE envelope validation, digest check, Rekor inclusion proof, public key offline verification), and compare (text/json/markdown diff output, added/removed/changed/unchanged statement tracking). Added `HandleDecisionExportAsync`, `HandleDecisionVerifyAsync`, `HandleDecisionCompareAsync` handlers to CommandHandlers.cs with full telemetry. Created `DecisionModels.cs` with DecisionExportRequest/Response. Added `ExportDecisionsAsync` to BackendOperationsClient. Added CLI metrics counters: `stellaops.cli.decision.{export,verify,compare}.count`. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `CommandHandlers.cs`, `Services/Models/DecisionModels.cs`, `Services/BackendOperationsClient.cs`, `Telemetry/CliMetrics.cs`. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 24 | SIGN-VEX-401-018 | DONE (2025-11-26) | Predicate types added with tests. | Signing Guild (`src/Signer/StellaOps.Signer`, `docs/modules/signer/architecture.md`) | Extend Signer predicate catalog with `stella.ops/vexDecision@v1`, enforce payload policy, plumb DSSE/Rekor integration. |
| 25 | BENCH-AUTO-401-019 | DONE (2025-12-14) | Complete: Created benchmark automation pipeline. Scripts: `scripts/bench/populate-findings.py` (generates per-CVE bundles from reachbench fixtures), `scripts/bench/compute-metrics.py` (computes FP/MTTD/repro metrics), `scripts/bench/run-baseline.sh` (orchestrator). Tools: `bench/tools/verify.sh` (online DSSE+Rekor), `bench/tools/verify.py` (offline verifier), `bench/tools/compare.py` (baseline comparison), `bench/tools/replay.sh` (replay manifests). Initial run: 10 findings from 5 cases, 100% accuracy (5 TP, 5 TN, 0 FP, 0 FN). Output: `bench/results/summary.csv`, `bench/results/metrics.json`. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | DONE (2025-12-13) | Complete: Updated `bench/README.md` with verification workflows (online/offline/graph), related documentation links, artifact contracts, CI integration, and contributing guidelines. VEX Evidence Playbook already frozen (2025-12-04). | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | DONE (2025-12-14) | Complete: Created `StellaOps.Symbols.Bundle` project with BundleManifest models (DSSE signatures, Rekor checkpoints, Merkle inclusion proofs), IBundleBuilder interface, BundleBuilder implementation. Added CLI commands (`stella symbols bundle/verify/extract/inspect`) with full handler implementations. Created offline workflow documentation at `docs/airgap/symbol-bundles.md`. Bundle format: deterministic ZIP with BLAKE3 hashes, sorted entries. | Symbols Guild - Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild - Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild - CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
| 31 | POLICY-ENGINE-401-003 | DONE (2025-11-27) | Depends on 29/30; ensure determinism hashes stable. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) | Replace in-service DSL compilation with shared library, support legacy packs and inline syntax, keep determinism stable. |
| 32 | CLI-EDITOR-401-004 | DONE (2025-11-27) | Relies on shared DSL lib; add git edit flow. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | Enhance `stella policy` verbs (edit/lint/simulate) to edit Git-backed DSL files, run coverage tests, commit SemVer metadata. |
| 33 | DOCS-DSL-401-005 | DONE (2025-11-26) | Docs follow 29-32 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
| 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild - Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
| 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild - DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
| 36 | DSSE-DOCS-401-022 | DONE (2025-11-27) | Follows 34/35; document build-time flow. | Docs Guild - Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
| 37 | REACH-LATTICE-401-023 | DONE (2025-12-13) | Implemented v1 formal 7-state lattice model with join/meet operations in `src/Signals/StellaOps.Signals/Lattice/`. ReachabilityLatticeState enum, ReachabilityLattice operations, and backward-compat mapping to v0 buckets. | Scanner Guild - Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
| 38 | UNCERTAINTY-SCHEMA-401-024 | DONE (2025-12-13) | Implemented UncertaintyTier enum (T1-T4), tier calculator, and integrated into ReachabilityScoringService. Documents extended with AggregateTier, RiskScore, and per-state tiers. See `src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs`. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
| 39 | UNCERTAINTY-SCORER-401-025 | DONE (2025-12-13) | Complete: reachability risk score now uses configurable entropy weights (`SignalsScoringOptions.UncertaintyEntropyMultiplier` / `UncertaintyBoostCeiling`) and matches `UncertaintyDocument.RiskScore`; added unit coverage in `src/Signals/__Tests/StellaOps.Signals.Tests/ReachabilityScoringServiceTests.cs`. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | DONE (2025-12-13) | Complete: Added uncertainty gates section (§12) to `docs/policy/dsl.md` with U1/U2/U3 gate types, tier-aware compound rules, remediation actions table, and YAML configuration examples. Updated `docs/uncertainty/README.md` with policy guidance (§8) and remediation actions (§9) including CLI commands and automated remediation flow. | Policy Guild - Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | DONE (2025-12-13) | Complete: Added CLI uncertainty display with Tier/Risk columns in policy findings table, uncertainty fields in details view, color-coded tier formatting (T1=red, T2=yellow, T3=blue, T4=green), and entropy states display (code=entropy format). Files: `PolicyFindingsModels.cs` (models), `PolicyFindingsTransport.cs` (wire format), `BackendOperationsClient.cs` (mapping), `CommandHandlers.cs` (rendering). | UI Guild - CLI Guild (`src/Web/StellaOps.Web`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild - Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild - Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject->Rekor map drafted. |
| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild - Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
| 46 | QA-CORPUS-401-031 | DONE (2025-12-13) | Complete: Created reachability corpus CI workflow `.gitea/workflows/reachability-corpus-ci.yml` with 3 jobs (validate-corpus, validate-ground-truths, determinism-check), runner scripts (`scripts/reachability/run_all.sh`, `run_all.ps1`), hash verification script (`scripts/reachability/verify_corpus_hashes.sh`). CI validates: corpus manifest hashes, reachbench INDEX integrity, ground-truth schema version, JSON determinism. Fixture tests passing (3 CorpusFixtureTests + 93 ReachbenchFixtureTests = 96 total). | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | DONE (2025-12-14) | Complete: Angular workspace bootstrapped with module structure per architecture doc. VexExplainComponent created at `src/Web/StellaOps.Web/src/app/vex/vex-explain/vex-explain.component.ts` with call-path display, runtime hits, attestation verify button, Rekor/DSSE pointers. VEX Explorer at `src/Web/StellaOps.Web/src/app/vex/vex-explorer/vex-explorer.component.ts`. Core API models at `src/app/core/api/models.ts`. CLI `stella vex explain` already implemented. Build verified: `npm run build` passes. | UI Guild - CLI Guild - Scanner Guild (`src/Web/StellaOps.Web`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. CLI: `stella vex explain <vuln-id> --product-key <key>` with `--call-paths`, `--runtime-hits`, `--graph`, `--dsse`, `--rekor`, `--verify`, `--offline`, `--json` options. Models at `VexExplainModels.cs`. |
| 48 | POLICY-GATE-401-033 | DONE (2025-12-13) | Implemented PolicyGateEvaluator with three gate types (LatticeState, UncertaintyTier, EvidenceCompleteness). See `src/Policy/StellaOps.Policy.Engine/Gates/`. Includes gate decision documents, configuration options, and override mechanism. | Policy Guild - Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | DONE (2025-12-11) | purl+symbol_digest in RichGraph nodes/edges (via Sprint 0400 GRAPH-PURL-201-009 + RichGraphBuilder). | Scanner Worker Guild - Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | DONE (2025-12-13) | Complete: Added build-ID prefix formatting per CONTRACT-BUILDID-PROPAGATION-401. ELF build-IDs now use `gnu-build-id:{hex}` prefix in `ElfReader.ExtractBuildId` and `NativeFormatDetector.ParseElfNote`. Mach-O UUIDs use `macho-uuid:{hex}` prefix in `NativeFormatDetector.DetectFormatAsync`. PE/COFF uses existing `pe-guid:{guid}` format. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | DONE (2025-12-13) | Complete: Added `NativeRootPhase` enum (Load=0, PreInit=1, Init=2, Main=3, Fini=4), extended `NativeSyntheticRoot` with Source/BuildId/Phase/IsResolved/TargetAddress fields, updated `ComputeRootId` to contract format `root:{phase}:{order}:{target_id}`, updated `NativeCallgraphBuilder` to use phase enum and Source field. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | DONE (2025-12-13) | Complete: Added JSON-based patch-oracle harness with `patch-oracle/v1` schema (JSON Schema at `tests/reachability/fixtures/patch-oracles/schema/`), sample oracles for curl/log4j/kestrel CVEs, `PatchOracleComparer` class comparing RichGraph against oracle expectations (expected/forbidden functions/edges, confidence thresholds, wildcard patterns, strict mode), `PatchOracleLoader` for loading oracles from fixtures, and `PatchOracleHarnessTests` with 19 passing tests. Updated `docs/reachability/patch-oracles.md` with combined JSON and YAML harness documentation. | QA Guild - Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | DONE (2025-12-13) | Complete: richgraph publisher now stores the canonical `richgraph-v1.json` body at `cas://reachability/graphs/{blake3Hex}` and emits deterministic DSSE envelopes at `cas://reachability/graphs/{blake3Hex}.dsse` (with `DsseCasUri`/`DsseDigest` returned in `RichGraphPublishResult`); added unit coverage validating DSSE payload and signature (`src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs`). | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering -> BLAKE3 graph hash -> DSSE envelope -> Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | DONE (2025-12-13) | Complete: Implemented edge-bundle DSSE envelopes with `EdgeBundle.cs` and `EdgeBundlePublisher.cs` at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Features: `EdgeBundleReason` enum (RuntimeHits/InitArray/StaticInit/ThirdParty/Contested/Revoked/Custom), `EdgeReason` enum (RuntimeHit/InitArray/TlsInit/StaticConstructor/ModuleInit/ThirdPartyCall/LowConfidence/Revoked/TargetRemoved), `BundledEdge` with per-edge reason/revoked flag, `EdgeBundleBuilder` (max 512 edges), `EdgeBundleExtractor` for runtime/init/third-party/contested/revoked extraction, `EdgeBundlePublisher` with deterministic DSSE envelope generation, `EdgeBundlePublisherOptions` for Rekor cap (default 5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. 19 tests passing in `EdgeBundleTests.cs`. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (<=512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | DONE (2025-12-13) | Complete: Implemented edge-bundle ingestion in Signals with `EdgeBundleDocument.cs` models (EdgeBundleDocument, EdgeBundleEdgeDocument, EdgeBundleReference), `IEdgeBundleIngestionService.cs` interface, and `EdgeBundleIngestionService.cs` implementation with tenant isolation, revoked edge tracking, and quarantine enforcement. Updated `ReachabilityFactDocument.cs` with EdgeBundles and HasQuarantinedEdges fields. Added 8 passing tests in `EdgeBundleIngestionServiceTests.cs`. CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | DONE (2025-12-13) | Complete: Finalized `docs/reachability/hybrid-attestation.md` with: (1) Updated implementation status table (edge-bundle DSSE, CAS publisher, ingestion, quarantine enforcement all DONE). (2) Section 9: Verification Runbook with graph-only and graph+edge-bundle workflows, verification decision matrix. (3) Section 10: Rekor Guidance covering what gets published, configuration, private mirrors, proof caching. (4) Section 11: Offline Replay Steps with pack creation, verification, trust model, air-gapped deployment checklist. (5) Section 12: Release Notes with version history and migration guide. (6) Section 13: Cross-references to sprint/contracts/implementation/related docs. Updated `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and module architectures (scanner, policy) with hybrid attestation references. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild - Signals Guild - Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | DONE (2025-12-13) | Test corpus created: JSON schemas at `datasets/reachability/schema/`, 4 samples (csharp/simple-reachable, csharp/dead-code, java/vulnerable-log4j, native/stripped-elf) with ground-truth.json files; test harness at `src/Signals/__Tests/StellaOps.Signals.Tests/GroundTruth/` with 28 validation tests covering lattice states, buckets, uncertainty tiers, gate decisions, path consistency. | QA Guild - Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | DONE (2025-12-13) | richgraph-v1 alignment tests created at `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Reachability/RichgraphV1AlignmentTests.cs` with 25 tests validating: SymbolID/EdgeID/RootID/UnknownID formats, SHA-256 digests, deterministic graph hashing, edge type mappings (PLT/InitArray/Indirect), synthetic root phases (load/init/main/fini), stripped binary name format, build-id handling, confidence levels. Fixed pre-existing PeImportParser test bug. | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | DONE (2025-12-13) | Unblocked: task 58 complete with 4 samples and ground-truth schema. Ready to merge archived multi-runtime corpus. | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT -> Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 57-60. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild - Excititor Guild - Docs Guild | Address VEX1-VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | DONE (2025-12-13) | Complete: Created `docs/reachability/graph-revision-schema.md` addressing all 10 gaps (GR1-GR10): manifest schema + canonical hash rules, BLAKE3-256 encoding, append-only storage layout, lineage/diff metadata format, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI full/short ID formats + commands, shard/tenant context, pin/audit governance with events, retention/tombstone policies, and offline kit inclusion with Rekor checkpoints. | Platform Guild - Scanner Guild - Policy Guild - UI/CLI Guilds | Address graph revision gaps GR1-GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | DONE (2025-12-13) | Complete: Created `docs/reachability/explainability-schema.md` addressing all 10 gaps (EX1-EX10): canonical explanation schema + hash rules, DSSE predicate `stella.ops/explanation@v1` + signing policy, CAS storage layout + rules, link format for decision/policy/graph_revision_id, export/replay bundle format with verification, PII/redaction categories + metadata, size budgets with truncation behavior, schema versioning + migration support, golden fixture locations + test categories + CI integration, and determinism guarantees. | Policy Guild - UI/CLI Guild - Docs Guild - Signals Guild | Address explainability gaps EX1-EX10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | DONE (2025-12-13) | Complete: Created `docs/reachability/edge-explainability-schema.md` addressing all 10 gaps (EG1-EG10): reason enum registry with governance rules, canonical edge schema + hash computation using from/to/kind/reason, evidence limits (10 entries) + redaction rules, confidence rubric (certain/high/medium/low/unknown) with base scores per reason, detector/rule provenance schema with input artifact digests, API endpoints + CLI commands with output parity, deterministic fixture locations + requirements, propagation format for explanation graphs + VEX evidence, message catalog structure for localization, and backfill strategy + migration script. | Scanner Guild - Policy Guild - UI/CLI Guild - Docs Guild | Address edge explainability gaps EG1-EG10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
| 66 | BINARY-GAPS-401-066 | DONE (2025-12-13) | Complete: Created `docs/reachability/binary-reachability-schema.md` addressing all 10 gaps (BR1-BR10): canonical DSSE predicates (`stella.ops/binaryGraph@v1`, `stella.ops/binaryEdgeBundle@v1`), edge hash recipe including binary_hash context, required binary evidence table with CAS refs (`cas://binary/blocks|disasm|cfg|symbols`), build-id/variant rules for ELF/PE/Mach-O with fallback, policy hash governance with strict/forward/any binding modes, Sigstore bundle/log routing with offline mode, idempotent submission keys with tenant/binary/graph/hour granularity, size/chunking limits (10MB graph, 512 edges, 1MB DSSE, 100KB Rekor), API endpoints + CLI commands + UI component guidance, and binary fixtures with test categories. | Scanner Guild - Attestor Guild - Policy Guild | Address binary reachability gaps BR1-BR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: canonical DSSE/predicate schemas, edge hash recipe, required binary evidence with CAS refs, build-id/variant rules, policy hash governance, Sigstore bundle/log routing, idempotent submission keys, size/chunking limits, API/CLI/UI surfacing, and binary fixtures. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 0401 Reachability Evidence Chain | Scanner Guild - Signals Guild - BE-Base Platform Guild - Policy Guild - UI/CLI Guilds - Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | DONE | 66/66 tasks complete. Angular workspace bootstrapped (2025-12-14) with VEX Explain/Explorer components. Sprint complete and ready for handoff to 0402 polish. |
## Wave Detail Snapshots
- Single wave covering end-to-end reachability evidence; proceed once Sprint 0400 + upstream runtime/replay prerequisites land.
## Interlocks
- CAS hash/predicate choices must stay consistent across Scanner, Signals, Replay, and Policy (tasks 1, 11, 19, 24).
- DSSE predicate catalog and Signer integration (tasks 12, 24, 34-36) gate VEX and provenance tasks.
- UI/CLI explainers (tasks 15, 21, 47) depend on policy reachability outputs and graph schema stabilization.
- Hybrid reachability attestation decision: graph-level DSSE is mandatory; edge-bundle DSSE is optional/targeted (runtime/init/contested edges) with Rekor publish capped; see `docs/reachability/hybrid-attestation.md` and tasks 53-56.
- New datasets/benches (tasks 57-61) rely on schema freeze from tasks 1/55 and determinism guardrails; ensure feed-freeze hashes are published before CI wiring.
- Competitive/vision docs updated with reachability moat and vendor comparison; ensure sales/PMM references live in `docs/market/competitive-landscape.md` and `docs/reachability/lead.md`.
## Upcoming Checkpoints
- 2025-12-10 - Completed richgraph-v1 schema/hash alignment (tasks 1, 11, 19); downstream tasks may start.
- 2025-12-12 - Impact index dataset + policy delta fixtures delivered (bench sprint outputs); feed to QA/bench tasks.
- 2025-12-15 - Rebaseline task start dates for 2-8/13-21 after runtime ingestion readiness review (Planning).
- 2025-12-18 - Confirm Signals ingestion/probe readiness (tasks 8-10, 17-18) and update statuses to DOING/BLOCKED accordingly.
- Align DSSE predicate review across Authority/Signer/Policy once task 12 schema draft is ready (TBD, Authority Guild).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Capture checkpoint dates after Sprint 0400 closure signal. | Planning | 2025-12-15 | DONE (2025-12-13) | Sprint 0400 archived sprint indicates closed (2025-12-11); checkpoints captured and reflected under Upcoming Checkpoints. |
| 2 | Confirm CAS hash alignment (BLAKE3 + sha256 addressing) across Scanner/Replay/Signals. | Platform Guild | 2025-12-10 | DONE (2025-12-10) | CONTRACT-RICHGRAPH-V1-015 adopted; BLAKE3 graph_hash live in Scanner/Replay per GRAPH-CAS-401-001. |
| 3 | Schedule richgraph-v1 schema/hash alignment and rebaseline sprint dates. | Planning - Platform Guild | 2025-12-15 | DONE (2025-12-12) | Rebaselined checkpoints post 2025-12-10 alignment; updated 2025-12-15/18 readiness reviews (see Execution Log 2025-12-12). |
| 4 | Signals ingestion/probe readiness checkpoint for tasks 8-10, 17-18. | Signals Guild - Planning | 2025-12-18 | DONE (2025-12-14) | All Signals tasks (8-10, 17-18) completed; runtime ingestion, probes, scoring, and CAS storage operational. Sprint closed. |
## Decisions & Risks
- File renamed to `SPRINT_0401_0001_0001_reachability_evidence_chain.md` and normalized to template on 2025-11-22; scope unchanged.
- VEX proof bundle schema/catalog frozen on 2025-12-04 with verifier + fixtures at `docs/benchmarks/` and `tests/Vex/ProofBundles/`; DSSE and CAS hashes enforced for RBAC/reeval/uncertainty gates.
- CI guard `.gitea/workflows/vex-proof-bundles.yml` validates all proof bundles with pinned deps to keep VEX-GAPS-401-062 controls from regressing.
- Deterministic reachability/bench fixtures delivered via Sprint 0512 (impact/policy/reachability caches with `.sha256` under `docs/samples/**` and `src/Bench/StellaOps.Bench/**`); leverage to unblock QA/bench tasks 16, 25, 57-60.
- Replay manifest v2 adopted (BLAKE3 graph hashes, sorted CAS entries, hashAlg fields) and wired into RecordModeService/ReachabilityReplayWriter; synthetic runtime probe endpoint added to Signals to bootstrap scoring without live probes.
- Tasks 4/19/50/51/53 BLOCKED pending decisions: native lifter/demangler/toolchain selection + fixture corpus; replay manifest v2 acceptance vectors/CAS gates aligned with Signals/Scanner; cross-RID build-id/code_id propagation contract; init-section synthetic root schema/oracles; graph-level DSSE/Rekor budget + golden fixture plan.
| ID | Risk | Impact | Mitigation / Owner |
| --- | --- | --- | --- |
| R1 | Sprint 0400 and upstream runtime/replay prerequisites slip. | Delivery blocked; evidence chain cannot start. | Track readiness in checkpoints; hold start until record mode + Evidence Locker APIs land (Planning). |
| R2 | CAS hash/predicate mismatch across modules. | Inconsistent artifacts, replay failures. | Align specs via tasks 1, 11, 19, 24; review before implementation (Platform Guild); CONTRACT-RICHGRAPH-V1-015 adopted. |
| R3 | Determinism gaps in fixtures/benchmarks. | Flaky reachability scoring and VEX proofs. | Prioritize QA tasks 16, 25, 46, 52; enforce deterministic ordering in tests (QA Guild); reuse hashed fixtures from Sprint 0512 benches (`docs/samples/impactindex`, `docs/samples/policy`, `docs/samples/signals/reachability`, `src/Bench/StellaOps.Bench/**`). |
| R4 | Edge-bundle Rekor volume or bundle count spikes. | Rekor congestion/cost; slower pipelines; CAS bloat. | Cap Rekor publishes per graph (task 54), default to CAS-only for bulk bundles, monitor Signals ingest size; add CI perf guard after task 55. |
| R5 | Bench/dataset tasks start before feed-freeze and schema alignment. | Non-replayable results; wasted bench runs. | Block tasks 57-61 on published feed hashes + `richgraph-v1`/Unknowns schema; add gating checklist in task definitions. |
| R6 | Bench/dataset code not materialized (docs only). | Docs drift; no executable evidence for claims. | Tasks 57-60 must produce runnable harnesses/fixtures under `docs/benchmarks/**` or `tests/**`; Execution Log to confirm artifact paths. |
| R7 | Sprint window (2025-11-11 -> 2025-11-22) elapsed with key tasks still TODO/BLOCKED. | Scope drift and delayed handoff to Sprint 0402 polish. | Rebaseline schedule and checkpoints by 2025-12-02; gate starts on schema/hash decisions; Planning + Platform guilds. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | **SPRINT COMPLETE** - 66/66 tasks DONE. Angular workspace bootstrapped unblocking Task 47 UI portion. Sprint 0401 complete and ready for handoff to Sprint 0402 polish phase. Deliverables: richgraph-v1 schema with BLAKE3 hashes, DSSE/Rekor attestation pipeline, Policy VEX emitter with reachability gates, CLI explain/verify commands, Angular UI with VEX Explain/Explorer components, benchmark automation, symbol bundles for air-gap, and comprehensive documentation across reachability/hybrid-attestation/uncertainty/binary schemas. | Planning |
| 2025-12-14 | Completed UI-VEX-401-032 (UI portion): Bootstrapped Angular 17 workspace at `src/Web/StellaOps.Web` with full module structure per `docs/modules/ui/architecture.md`. Created: (1) `VexExplainComponent` with call-path display, runtime hits table, attestation verify button, Rekor/DSSE pointers at `src/app/vex/vex-explain/vex-explain.component.ts`. (2) `VexExplorerComponent` with search and results table at `src/app/vex/vex-explorer/vex-explorer.component.ts`. (3) Core API models for Scanner/Policy/Excititor/Concelier/Attestor/Authority at `src/app/core/api/models.ts`. (4) Lazy-loaded feature routes: dashboard, scans, vex, triage, policy, runtime, attest, admin. (5) Tailwind CSS configuration with StellaOps design tokens. Build verified with `npm run build`. CLI portion was already complete. Task now fully DONE. | Implementer |
| 2025-12-14 | Completed UI-VEX-401-032 (CLI portion): Implemented `stella vex explain <vuln-id> --product-key <key>` command with options: `--call-paths`, `--runtime-hits`, `--graph`, `--dsse`, `--rekor`, `--verify`, `--offline`, `--json`. Created `VexExplainModels.cs` with VexDecisionExplanation, CallPathEvidence, RuntimeHitEvidence, ReachabilityGraphMetadata, DsseAttestationInfo, RekorEntryInfo models. Handler renders tree-based formatted output with Spectre.Console or JSON serialization. UI portion blocked on Angular workspace. | Implementer |
| 2025-12-14 | Completed SYMS-BUNDLE-401-014: Created `StellaOps.Symbols.Bundle` project with deterministic symbol bundle generation for air-gapped installations. Models: BundleManifest, BundleEntry, BundleSignature, RekorCheckpoint, InclusionProof. IBundleBuilder interface with BundleBuildOptions/BundleVerifyOptions/BundleExtractOptions/BundleBuildResult/BundleVerifyResult/BundleExtractResult records. CLI commands: `stella symbols bundle` (build deterministic ZIP with BLAKE3 hashes, sorted entries, optional DSSE signing and Rekor submission), `stella symbols verify` (integrity + signature + Rekor verification with offline mode), `stella symbols extract` (platform-filtered extraction), `stella symbols inspect` (bundle metadata display). Documentation at `docs/airgap/symbol-bundles.md` with full offline workflow guide. | Implementer |
| 2025-12-14 | Completed BENCH-AUTO-401-019: Created benchmark automation pipeline for populating `bench/findings/**` and computing FP/MTTD/repro metrics. Scripts: (1) `scripts/bench/populate-findings.py` - generates per-CVE VEX decision bundles from reachbench fixtures with evidence excerpts, SBOM stubs, OpenVEX decisions, DSSE envelope stubs, Rekor placeholders, and metadata. (2) `scripts/bench/compute-metrics.py` - computes TP/FP/TN/FN/precision/recall/F1/accuracy from findings. (3) `scripts/bench/run-baseline.sh` - orchestrator with --populate/--compute/--compare options. Tools: (4) `bench/tools/verify.sh` - online DSSE+Rekor verification. (5) `bench/tools/verify.py` - offline bundle verification. (6) `bench/tools/compare.py` - baseline scanner comparison. (7) `bench/tools/replay.sh` - replay manifest verification. Initial run: 10 findings from 5 cases (runc/linux-cgroups/glibc/curl/openssl), 100% accuracy (5 TP, 5 TN, 0 FP, 0 FN). Output: `bench/results/summary.csv`, `bench/results/metrics.json`. | Implementer |
| 2025-12-13 | Completed QA-CORPUS-401-031: Created reachability corpus CI workflow `.gitea/workflows/reachability-corpus-ci.yml` with 3 jobs: (1) validate-corpus - builds and runs CorpusFixtureTests + ReachbenchFixtureTests, verifies manifest/INDEX JSON validity, runs inline Python hash verification. (2) validate-ground-truths - validates schema_version=`reachbench.reachgraph.truth/v1`, variant∈{reachable,unreachable}, paths array structure for both corpus and reachbench fixtures. (3) determinism-check - verifies JSON files have sorted keys for deterministic hashing. Created runner scripts `scripts/reachability/run_all.sh` (bash) and `run_all.ps1` (PowerShell) with --filter, --verbosity, --configuration, --no-build options. Created hash verification script `scripts/reachability/verify_corpus_hashes.sh` using Python for cross-platform JSON parsing. CI triggers on push/PR to `tests/reachability/**`, `scripts/reachability/**`, workflow file. All 96 fixture tests passing (3 CorpusFixtureTests + 93 ReachbenchFixtureTests). Files: `.gitea/workflows/reachability-corpus-ci.yml`, `scripts/reachability/run_all.sh`, `scripts/reachability/run_all.ps1`, `scripts/reachability/verify_corpus_hashes.sh`. | Implementer |
| 2025-12-13 | Completed CLI-VEX-401-011: Implemented `stella decision export|verify|compare` CLI commands with DSSE/Rekor integration. Added `BuildDecisionCommand` to CommandFactory.cs with: (1) export subcommand (--tenant required, --scan-id, --vuln-id, --purl, --status filters, --format openvex/dsse/ndjson, --sign DSSE envelope, --rekor transparency submission, --include-evidence reachability blocks, --json metadata output), (2) verify subcommand (file argument, --digest expected hash, --rekor inclusion proof, --rekor-uuid, --public-key offline verification, --json output), (3) compare subcommand (base/target files, --output file, --format text/json/markdown, --show-unchanged, --summary-only). Added handler methods `HandleDecisionExportAsync`, `HandleDecisionVerifyAsync`, `HandleDecisionCompareAsync` to CommandHandlers.cs with VexStatementSummary extraction, status/justification diff tracking, and multi-format output. Created `DecisionModels.cs` with `DecisionExportRequest` (tenant, scan, filters, format, sign, rekor, evidence) and `DecisionExportResponse` (success, content, digest, rekor index/uuid, statement count). Added `ExportDecisionsAsync` to BackendOperationsClient calling `/api/v1/decisions/export` with response header parsing (X-VEX-Digest, X-VEX-Rekor-Index, X-VEX-Rekor-UUID, X-VEX-Statement-Count, X-VEX-Signed). Added CLI metrics counters `stellaops.cli.decision.{export,verify,compare}.count` with `RecordDecisionExport`, `RecordDecisionVerify`, `RecordDecisionCompare` methods. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `CommandHandlers.cs`, `Services/Models/DecisionModels.cs`, `Services/BackendOperationsClient.cs`, `Telemetry/CliMetrics.cs`. | Implementer |
| 2025-12-13 | Completed POLICY-VEX-401-010: Implemented VexDecisionSigningService for DSSE envelope creation and Rekor submission. Created `IVexDecisionSigningService` interface with `SignAsync` (DSSE envelope creation with PAE encoding, SHA256 signature, evidence hash attachment) and `VerifyAsync` (payload type/signature validation, Rekor inclusion proof). Added supporting records: `VexSigningRequest`/`VexSigningResult`, `VexDsseEnvelope`/`VexDsseSignature`, `VexRekorMetadata`/`VexRekorInclusionProof`, `VexEvidenceReference`. Created client interfaces `IVexSignerClient`/`IVexRekorClient` for remote signing/transparency. Added `VexSigningOptions` configuration (UseSignerService, RekorEnabled, DefaultKeyId, RekorUrl, RekorTimeout) with `SectionName="VexSigning"`. Implementation supports local signing fallback when Signer service unavailable. Added telemetry counter `policy_vex_signing_total{success,rekor_submitted}` via `RecordVexSigning`. Added DI extensions `AddVexDecisionSigning`/`AddVexDecisionSigning(Action<VexSigningOptions>)`. Created 16 passing tests covering signing with remote/local fallback, Rekor submission, verification, options defaults, and predicate types. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionSigningService.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionSigningServiceTests.cs`. | Implementer |
| 2025-12-13 | Completed GAP-POL-005: Implemented Signals-backed reachability facts integration for Policy Engine. Created `IReachabilityFactsSignalsClient.cs` interface with HTTP client (`ReachabilityFactsSignalsClient.cs`) calling Signals endpoints (`GET /signals/facts/{subjectKey}`, `POST /signals/reachability/recompute`). Implemented `SignalsBackedReachabilityFactsStore.cs` implementing `IReachabilityFactsStore`, mapping Signals `SignalsReachabilityFactResponse` to Policy's `ReachabilityFact` model with: state determination logic (Reachable/Unreachable/Unknown/UnderInvestigation based on confidence thresholds), confidence aggregation from lattice states, analysis method detection (Static/Dynamic/Hybrid/Manual), and metadata extraction (callgraph_id, scan_id, image_digest, entry_points, uncertainty_tier, risk_score, unknowns_count, unknowns_pressure, call_paths, runtime_hits, lattice_states). Added DI extensions to `PolicyEngineServiceCollectionExtensions.cs`: `AddReachabilityFactsSignalsClient`, `AddSignalsBackedReachabilityFactsStore`, `AddReachabilityFactsSignalsIntegration`. Added Moq package to test project. Created 32 passing tests: `SignalsBackedReachabilityFactsStoreTests.cs` (19 tests for state mapping, metadata extraction, read-only behavior, batch operations) and `ReachabilityFactsSignalsClientTests.cs` (13 tests for HTTP operations, options, batch fetching). Files: `src/Policy/StellaOps.Policy.Engine/ReachabilityFacts/{IReachabilityFactsSignalsClient,ReachabilityFactsSignalsClient,SignalsBackedReachabilityFactsStore}.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/ReachabilityFacts/{SignalsBackedReachabilityFactsStoreTests,ReachabilityFactsSignalsClientTests}.cs`. | Implementer |
| 2025-12-13 | Completed DOCS-HYBRID-401-056: Finalized hybrid attestation documentation at `docs/reachability/hybrid-attestation.md`. Removed TODO comments, updated implementation status table with completed components (edge-bundle DSSE, CAS publisher, ingestion, quarantine enforcement). Added Section 9 (Verification Runbook) with graph-only and graph+edge-bundle workflows, verification decision matrix. Added Section 10 (Rekor Guidance) covering what gets published, configuration, private mirrors, proof caching. Added Section 11 (Offline Replay Steps) with pack creation, verification, trust model, air-gapped deployment checklist. Added Section 12 (Release Notes) with version history and migration guide. Added Section 13 (Cross-References) to sprint/contracts/implementation/related docs. Updated `docs/07_HIGH_LEVEL_ARCHITECTURE.md` (line 23) with hybrid attestation doc reference. Updated `docs/modules/scanner/architecture.md` (section 5.6) and `docs/modules/policy/architecture.md` with cross-references. | Docs Guild |
| 2025-12-13 | Completed GAP-SIG-003: Implemented CAS-backed runtime-facts batch ingestion for `/signals/runtime-facts`. Created `IRuntimeFactsArtifactStore.cs` interface, `FileSystemRuntimeFactsArtifactStore.cs` filesystem implementation with CAS paths `cas://reachability/runtime-facts/{hash}`, `RuntimeFactsArtifactSaveRequest.cs` and `StoredRuntimeFactsArtifact.cs` models. Extended `RuntimeFactsIngestionService.cs` with `IngestBatchAsync` method supporting NDJSON/gzip streams, BLAKE3 hashing via `ICryptoHash`, subject grouping, and CAS URI linking. Updated `ReachabilityFactDocument.cs` with `RuntimeFactsBatchUri` and `RuntimeFactsBatchHash` fields. Added `RuntimeFactsBatchIngestResponse` record in `IRuntimeFactsIngestionService.cs`. Created `RuntimeFactsBatchIngestionTests.cs` with 6 passing tests covering NDJSON parsing, gzip decompression, subject grouping, CAS linking, invalid line handling, and optional artifact store. | Implementer |
| 2025-12-13 | Completed Task 55 (SIG-POL-HYBRID-401-055): Implemented edge-bundle ingestion in Signals with tenant isolation, revoked edge tracking, and quarantine enforcement. Created `EdgeBundleDocument.cs` models (EdgeBundleDocument, EdgeBundleEdgeDocument, EdgeBundleReference), `IEdgeBundleIngestionService.cs` interface, and `EdgeBundleIngestionService.cs` implementation. Updated `ReachabilityFactDocument.cs` with EdgeBundles and HasQuarantinedEdges fields. Added 8 passing tests in `EdgeBundleIngestionServiceTests.cs`. Unblocked Tasks 25, 46, 56. | Implementer |
| 2025-12-13 | Completed Tasks 3 and 54: (1) Task 3 SCAN-REACH-401-009: Implemented Java and .NET callgraph builders with reachability graph models. Created `JavaReachabilityGraph.cs` (JavaMethodNode, JavaCallEdge, JavaSyntheticRoot, JavaUnknown, JavaGraphMetadata, enums for edge types/root types/phases), `JavaCallgraphBuilder.cs` (JAR analysis, bytecode parsing, invoke* detection, synthetic root extraction). Created `DotNetReachabilityGraph.cs` (DotNetMethodNode, DotNetCallEdge, DotNetSyntheticRoot, DotNetUnknown, DotNetGraphMetadata, enums for IL edge types/root types/phases), `DotNetCallgraphBuilder.cs` (PE/metadata reader, IL opcode parsing for call/callvirt/newobj/ldftn, synthetic root detection for Main/cctor/ModuleInitializer/Controllers/Tests/AzureFunctions/Lambda). Both builders emit deterministic graph hashing. (2) Task 54 EDGE-BUNDLE-401-054: Implemented edge-bundle DSSE envelopes at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Created `EdgeBundle.cs` with EdgeBundleReason/EdgeReason enums, BundledEdge record, EdgeBundle/EdgeBundleBuilder/EdgeBundleExtractor classes (max 512 edges, canonical sorting). Created `EdgeBundlePublisher.cs` with IEdgeBundlePublisher interface, deterministic DSSE envelope generation, EdgeBundlePublisherOptions (Rekor cap=5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. Added `EdgeBundleTests.cs` with 19 tests. Unblocked Task 55 (SIG-POL-HYBRID-401-055). | Implementer |
| 2025-12-13 | Completed Tasks 4, 8, 50, 51: (1) Task 4 SCANNER-NATIVE-401-015: Created demangler infrastructure with `ISymbolDemangler`, `CompositeDemangler`, `ItaniumAbiDemangler`, `RustDemangler`, and `HeuristicDemangler` at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/`. (2) Task 8 SIGNALS-RUNTIME-401-002: Added `SignalsRetentionOptions`, extended `IReachabilityFactRepository` with retention methods, implemented `RuntimeFactsRetentionService` background cleanup, updated `ReachabilityFactCacheDecorator`. (3) Task 50 SCANNER-BUILDID-401-035: Added build-ID prefixes (`gnu-build-id:`, `macho-uuid:`) per CONTRACT-BUILDID-PROPAGATION-401 in `ElfReader.ExtractBuildId` and `NativeFormatDetector`. (4) Task 51 SCANNER-INITROOT-401-036: Added `NativeRootPhase` enum, extended `NativeSyntheticRoot`, updated `ComputeRootId` format per CONTRACT-INIT-ROOTS-401. Unblocked Task 3 (SCAN-REACH-401-009) and Task 54 (EDGE-BUNDLE-401-054). Tests: Signals 164/164 pass, Scanner Native 221/224 pass (3 pre-existing failures). | Implementer |
| 2025-12-13 | **Unblocked 4 tasks via contract/decision definitions:** (1) Task 4 SCANNER-NATIVE-401-015 → TODO: Created `docs/contracts/native-toolchain-decision.md` (DECISION-NATIVE-TOOLCHAIN-401) defining pure-C# ELF/PE/Mach-O parsers, per-language demanglers (Demangler.Net, Iced, Capstone.NET), pre-built test fixtures, and callgraph extraction methods. (2) Task 8 SIGNALS-RUNTIME-401-002 → TODO: Identified dependencies already complete (CONTRACT-RICHGRAPH-V1-015 adopted 2025-12-10, Task 19 GAP-REP-004 done 2025-12-13). (3) Task 50 SCANNER-BUILDID-401-035 → TODO: Created `docs/contracts/buildid-propagation.md` (CONTRACT-BUILDID-PROPAGATION-401) defining build-id formats (ELF/PE/Mach-O), code_id for stripped binaries, cross-RID variant mapping, SBOM/Signals integration. (4) Task 51 SCANNER-INITROOT-401-036 → TODO: Created `docs/contracts/init-section-roots.md` (CONTRACT-INIT-ROOTS-401) defining synthetic root phases (preinit/init/main/fini), init_array/ctors handling, DT_NEEDED deps, patch-oracle integration. These unblock cascading dependencies: Task 4 → Task 3; Tasks 50/51 → Task 54 → Task 55 → Tasks 16/25/56. | Implementer |
| 2025-12-13 | Completed QA-PORACLE-401-037: Added JSON-based patch-oracle harness for CI graph validation. Created: (1) `patch-oracle/v1` JSON Schema at `tests/reachability/fixtures/patch-oracles/schema/patch-oracle-v1.json` defining expected/forbidden functions, edges, roots with wildcard patterns and confidence thresholds. (2) Sample oracle fixtures for curl-CVE-2023-38545 (reachable/unreachable), log4j-CVE-2021-44228, dotnet-kestrel-CVE-2023-44487. (3) `PatchOracleModels.cs` with `PatchOracleDefinition`, `ExpectedFunction`, `ExpectedEdge`, `ExpectedRoot` models. (4) `PatchOracleComparer.cs` comparing RichGraph against oracle expectations (missing/forbidden elements, confidence thresholds, strict mode). (5) `PatchOracleLoader.cs` for loading oracles from fixtures. (6) `PatchOracleHarnessTests.cs` with 19 tests covering all comparison scenarios. Updated `docs/reachability/patch-oracles.md` with combined JSON + YAML harness documentation. | Implementer |
| 2025-12-13 | Completed UNCERTAINTY-UI-401-027: Added CLI uncertainty display with Tier/Risk columns in policy findings table (`RenderPolicyFindingsTable`), uncertainty fields in details view (`RenderPolicyFindingDetails`), color-coded tier formatting (T1=red/High, T2=yellow/Medium, T3=blue/Low, T4=green/Negligible), and entropy states display (code=entropy format). Updated models: `PolicyFindingsModels.cs` (added `PolicyFindingUncertainty`, `PolicyFindingUncertaintyState` records), `PolicyFindingsTransport.cs` (added DTO classes), `BackendOperationsClient.cs` (added mapping logic), `CommandHandlers.cs` (added `FormatUncertaintyTier`, `FormatUncertaintyTierPlain`, `FormatUncertaintyStates` helpers). Also fixed pre-existing package conflict (NetEscapades.Configuration.Yaml 2.1.0→3.1.0) and pre-existing missing using directive in `ISemanticEntrypointAnalyzer.cs`. | Implementer |
| 2025-12-13 | Unblocked tasks 40/41/52: (1) Task 40 (UNCERTAINTY-POLICY-401-026) now TODO - dependencies 38/39 complete with UncertaintyTier (T1-T4) and entropy-aware scoring. (2) Task 41 (UNCERTAINTY-UI-401-027) now TODO - same dependencies. (3) Task 52 (QA-PORACLE-401-037) now TODO - dependencies 1/53 complete with richgraph-v1 schema and graph-level DSSE. | Implementer |
| 2025-12-13 | Completed CORPUS-MERGE-401-060: migrated `tests/reachability/corpus` from legacy `expect.yaml` to `ground-truth.json` (Reachbench truth schema v1) with updated deterministic manifest generator (`tests/reachability/scripts/update_corpus_manifest.py`) and fixture validation (`tests/reachability/StellaOps.Reachability.FixtureTests/CorpusFixtureTests.cs`). Added cross-dataset coverage gates (`tests/reachability/StellaOps.Reachability.FixtureTests/FixtureCoverageTests.cs`), a deterministic manifest runner for corpus + public samples + reachbench (`tests/reachability/runners/run_all.{sh,ps1}`), and updated corpus map documentation (`docs/reachability/corpus-plan.md`). Fixture tests passing. | Implementer |
| 2025-12-13 | Started CORPUS-MERGE-401-060: unifying `tests/reachability/corpus` and `tests/reachability/samples-public` on a single ground-truth/manifest contract, adding deterministic runners + coverage gates, and updating `docs/reachability/corpus-plan.md`. | Implementer |
| 2025-12-13 | Completed GRAPH-HYBRID-401-053: richgraph CAS publisher now stores canonical JSON bodies and emits deterministic graph DSSE envelopes under `cas://reachability/graphs/{blake3Hex}.dsse`; `RichGraphPublishResult` includes DSSE pointers and tests validate the DSSE payload/signature (`src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityRichGraphPublisher.cs`, `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs`). | Implementer |
| 2025-12-13 | Completed SIG-STORE-401-016 and UNCERTAINTY-SCORER-401-025: added shared reachability store (func_nodes/call_edges/cve_func_hits) repository APIs + Mongo index script (`ops/mongo/indices/reachability_store_indices.js`), integrated store population during callgraph ingestion, and aligned entropy-aware risk scoring so `ReachabilityFactDocument.RiskScore` matches `UncertaintyDocument.RiskScore` with configurable weights; Signals + reachability integration tests passing. | Implementer |
| 2025-12-13 | Started SIG-STORE-401-016 and UNCERTAINTY-SCORER-401-025: implementing reachability store collections/indexes + repository APIs and entropy-aware risk scoring in `src/Signals/StellaOps.Signals`. | Implementer |
| 2025-12-13 | Completed GAP-REP-004: Implemented replay manifest v2 in `src/__Libraries/StellaOps.Replay.Core`. (1) Added `hash` field with algorithm prefix (blake3:..., sha256:...) to ReplayManifest.cs. (2) Added `code_id_coverage` section for stripped binary handling. (3) Created `ICasValidator` interface and `InMemoryCasValidator` for CAS reference validation. (4) Created `ReplayManifestValidator` with error codes per acceptance contract (MISSING_VERSION, VERSION_MISMATCH, MISSING_HASH_ALG, UNSORTED_ENTRIES, CAS_NOT_FOUND, HASH_MISMATCH). (5) Added `UpgradeToV2` migration helper. (6) Added 18 tests covering all v2 acceptance vectors. Also unblocked Task 18 (SIG-STORE-401-016). | Implementer |
| 2025-12-13 | Unblocked tasks 19/26/39/53/60: (1) Created `docs/replay/replay-manifest-v2-acceptance.md` with acceptance vectors, CAS registration gates, test fixtures, and migration path for Task 19. (2) Updated `bench/README.md` with verification workflows, artifact contracts, and CI integration for Task 26 (DONE). (3) Frozen section 8 of `docs/reachability/hybrid-attestation.md` with DSSE/Rekor budget by tier, CAS signing layout, CLI UX, and golden fixture plan for Task 53. (4) Marked Tasks 39 and 60 as TODO since their dependencies (38 and 58) are complete. | Docs Guild |
| 2025-12-13 | Completed POLICY-VEX-401-006: Implemented VexDecisionEmitter consuming reachability facts and emitting OpenVEX documents. Created `VexDecisionModels.cs` (VexDecisionDocument, VexStatement, VexEvidenceBlock, etc.), `VexDecisionEmitter.cs` (IVexDecisionEmitter interface + implementation with fact-to-VEX status mapping, lattice state bucketing CU/CR/SU/SR/etc., gate evaluation via PolicyGateEvaluator), added telemetry counter `policy_vex_decisions_total`, registered services in DI, and wrote 10 passing tests. Unblocked tasks 14, 23. | Policy Guild |
| 2025-12-13 | Completed BINARY-GAPS-401-066: Created `docs/reachability/binary-reachability-schema.md` addressing all 10 binary reachability gaps (BR1-BR10) from November 2025 product findings. Document specifies: DSSE predicates (`stella.ops/binaryGraph@v1`, `stella.ops/binaryEdgeBundle@v1`), edge hash recipe with binary_hash context, required evidence table with CAS refs, build-id/variant rules for ELF/PE/Mach-O, policy hash governance with binding modes, Sigstore routing with offline mode, idempotent submission keys, size/chunking limits, API/CLI/UI guidance, and binary fixture requirements with test categories. | Docs Guild |
| 2025-12-13 | Completed tasks 37/38/48/58/59: implemented reachability lattice + uncertainty tiers + policy gate evaluator, published ground-truth schema/tests, and added richgraph-v1 native alignment tests; docs synced (`docs/reachability/lattice.md`, `docs/uncertainty/README.md`, `docs/reachability/policy-gate.md`, `docs/reachability/ground-truth-schema.md`, `docs/modules/scanner/design/native-reachability-plan.md`). | Implementer |
| 2025-12-13 | Regenerated deterministic reachbench/corpus manifest hashes with offline scripts (`tests/reachability/fixtures/reachbench-2025-expanded/harness/update_variant_manifests.py`, `tests/reachability/corpus/update_manifest.py`) and verified reachability test suites (Policy Engine, Scanner Reachability, FixtureTests, Signals Reachability, ScannerSignals Integration) passing. | Implementer |
| 2025-12-13 | Closed Action Tracker items #1/#3: captured Sprint 0400 closure signal (archived sprint closed 2025-12-11) and marked richgraph alignment/rebaseline action complete. | Planning |
| 2025-12-13 | Started GAP-REP-004: implementing replay manifest v2 acceptance contract (hash fields, CAS registration gates, deterministic vectors) per `docs/replay/replay-manifest-v2-acceptance.md`. | Implementer |
| 2025-12-13 | Marked SCANNER-NATIVE-401-015, SCANNER-BUILDID-401-035, and SCANNER-INITROOT-401-036 as BLOCKED pending contracts on native lifters/toolchains, cross-RID build-id/code_id propagation, and init synthetic-root schema/oracles. | Planning |
| 2025-12-12 | Normalized sprint header/metadata formatting and aligned Action Tracker status labels to `TODO`/`DONE`; no semantic changes. | Project Mgmt |
| 2025-12-12 | Rebaselined reachability wave: marked tasks 6/8/13-18/20-21/23/25-26/39-41/46-47/52/54-56/60 as BLOCKED pending upstream deps; set Wave 0401 status to DOING post richgraph alignment so downstream work can queue cleanly. | Planning |
| 2025-12-12 | RecordModeService bumped to replay manifest v2 (hashAlg fields, BLAKE3 graph hashes) and ReachabilityReplayWriter now emits hashAlg for graphs/traces; added synthetic runtime probe endpoint to Signals with deterministic builder + tests. | Implementer |
| 2025-12-12 | Unblocked runtime probes/scoring/replay: added synthetic runtime probe endpoint + builder in Signals, enabled scoring with synthetic feeds, and shipped ReachabilityReplayWriter manifest v2 with deterministic ordering/tests. Tasks 9/10/11 marked DONE. | Planning |
| 2025-12-12 | Marked SCAN-REACH-401-009 BLOCKED pending native symbolizer/lifter outputs from task 4; cannot wire .NET/JVM callgraph generators until those adapters exist. | Scanner Guild |
| 2025-12-12 | Completed GAP-SYM-007: reachability union/richgraph serializers now emit `symbol{mangled,demangled,source,confidence}` and optional `code_block_hash`; docs synced (`docs/contracts/richgraph-v1.md`, `docs/reachability/evidence-schema.md`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`). | Scanner Guild |
| 2025-12-12 | Rebaselined checkpoints/actions post richgraph alignment; added 2025-12-15/18 readiness reviews, logged Sprint 0512 bench fixtures as determinism inputs for tasks 16, 25, 57-60, and marked CAS hash alignment action done. | Planning |
| 2025-12-11 | Completed GRAPH-CAS-401-001: RichGraphPublisher now uses BLAKE3 graph_hash for CAS keys per CONTRACT-RICHGRAPH-V1-015; CAS URIs follow `cas://reachability/graphs/{blake3}`; added `CasUri` to `RichGraphPublishResult`; 15 reachability tests pass. Also marked GRAPH-PURL-401-034 DONE (already implemented in RichGraph via Sprint 0400). | Scanner Worker |
| 2025-12-04 | Added second VEX proof bundle fixture (`sample-proof-bundle-config.json` + DSSE/OpenVEX) and wired CI guard `.gitea/workflows/vex-proof-bundles.yml` running `scripts/vex/verify_proof_bundle.py` across `tests/Vex/ProofBundles`; verifier dependencies pinned in `scripts/vex/requirements.txt`. | Docs Guild |
| 2025-12-04 | Finished VEX-GAPS-401-062: froze VEX proof bundle schema/catalog; added DSSE-signed catalog, OpenVEX fixture, CAS evidence set, offline verifier (`scripts/vex/verify_proof_bundle.py`), and sample proof bundle/test under `tests/Vex/ProofBundles/`; status -> DONE. | Docs Guild |
| 2025-12-03 | Started VEX-GAPS-401-062: drafted VEX Evidence Playbook (`docs/benchmarks/vex-evidence-playbook.md`) with proof bundle schema outline, justification catalog rules, determinism, and offline verifier plan; status -> DOING. | Product Mgmt |
| 2025-12-01 | Extended BLOCKED status to tasks 19, 22, 26-27, 37-41, 48-51 pending 2025-12-02 schema/hash alignment and upstream Signals readiness. | Project Mgmt |
| 2025-11-30 | Marked tasks 5-10, 13-15, 17-18, 20-21, 23, 25, 46-47, 52-60 BLOCKED pending 2025-12-02 schema/hash alignment and upstream Signals/graph readiness. | Project Mgmt |
| 2025-11-30 | Marked Wave 0401 as BLOCKED pending Sprint 0400 readiness and richgraph schema decisions. | Project Mgmt |
| 2025-11-30 | Added R7 for elapsed sprint window, scheduled 2025-12-02 schema/hash alignment checkpoint, and logged Action Tracker item 3; no task status changes. | Project Mgmt |
| 2025-11-27 | Marked GRAPH-CAS-401-001, GAP-SYM-007, SCAN-REACH-401-009, and SCANNER-NATIVE-401-015 BLOCKED pending richgraph schema + Symbols Server contracts. | Project Mgmt |
| 2025-11-27 | Completed AUTH-REACH-401-005: added `StellaOps.Attestation` reference to Authority project; created `AuthoritySignerAdapter` to wrap ICryptoSigner as IAuthoritySigner; created `IAuthorityDsseStatementSigner` interface and `AuthorityDsseStatementSigner` service for signing In-toto statements with Authority's signing keys; service reuses existing DsseHelper.WrapAsync for DSSE envelope creation; fixed null-reference issue in DsseHelper.cs. Rekor mirroring leverages existing Attestor `IRekorClient` infrastructure. | Authority Guild |
| 2025-11-27 | Completed DSSE-LIB-401-020: `StellaOps.Attestation` library now packages Envelope primitives. Added `DsseEnvelopeExtensions.cs` with conversion utilities (`ToSerializableDict`, `FromBase64`, `GetPayloadString`, `GetPayloadBase64`). Envelope types (`DsseEnvelope`, `DsseSignature`, etc.) are exposed as transitive dependencies; consumers only need to reference `StellaOps.Attestation` to access both high-level InToto/DSSE helpers and low-level envelope primitives. Build verified. | Attestor Guild |
| 2025-11-27 | Completed DSSE-CLI-401-021: implemented `stella attest` CLI command with verify/list/show subcommands in `CommandFactory.cs` and `CommandHandlers.cs`. Added handlers for offline DSSE verification (`HandleAttestVerifyAsync`), attestation listing (`HandleAttestListAsync`), and attestation details (`HandleAttestShowAsync`). Added CI workflow snippets for GitHub Actions and GitLab CI to `docs/modules/cli/guides/attest.md`. Fixed pre-existing build errors (`SanitizeFileName` missing, `NodePackageCollector.AttachEntrypoints` parameter mismatch). All CLI commands functional with placeholder handlers for backend integration. | CLI Guild |
| 2025-11-27 | Completed DSSE-DOCS-401-022: updated `docs/ci/dsse-build-flow.md` status from Draft to Complete, updated CLI verification command syntax to match implemented `stella attest verify --envelope` with additional options (`--policy`, `--root`, `--transparency-checkpoint`), updated references to completed tasks. Attestor architecture documentation at `docs/modules/attestor/architecture.md` was already comprehensive with CLI touchpoints, verification pipeline, and API details. | Docs Guild |
| 2025-11-27 | Completed PROV-BACKFILL-401-029: created `EventProvenanceBackfillService` in `src/StellaOps.Events.Mongo/` for backfilling historical events with DSSE provenance metadata; added `IAttestationResolver` interface for resolving attestations by subject digest; added `StubAttestationResolver` for testing; documented in `docs/provenance/inline-dsse.md` section 10 (Backfill service) with usage examples, implementation guide, and reference files. Build verified. | Platform Guild |
| 2025-11-27 | Completed PROV-INDEX-401-030: created `ops/mongo/indices/events_provenance_indices.js` ops deployment script with 5 indexes (subject+kind+provenance, unproven by kind, Rekor log index, envelope digest, timestamp+kind+verified); updated `src/StellaOps.Events.Mongo/MongoIndexes.cs` to include 2 new indexes (envelope digest for dedup, timestamp+kind for compliance reporting); updated `docs/provenance/inline-dsse.md` section 4 with additional indexes and deployment options. Build verified. | Platform Guild |
| 2025-11-26 | Completed SIGN-VEX-401-018: added `stella.ops/vexDecision@v1` and `stella.ops/graph@v1` predicate types to PredicateTypes.cs; added helper methods IsVexRelatedType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType; added OpenVEX VexDecisionPredicateJson and richgraph-v1 GraphPredicateJson fixtures; updated SigningRequestBuilder with WithVexDecisionPredicate and WithGraphPredicate; added 12 new unit tests covering new predicate types and helper methods; updated integration tests to cover all 8 StellaOps predicate types. All 102 Signer tests pass. | Signing Guild |
| 2025-11-26 | BENCH-DETERMINISM-401-057 completed: added offline harness + mock scanner at `src/Bench/StellaOps.Bench/Determinism`, sample SBOM/VEX inputs, manifests (`results/inputs.sha256`), and summary output; unit tests under `Determinism/tests` passing. | Bench Guild |
| 2025-11-26 | BENCH-DETERMINISM-401-057 follow-up: default runs set to 10 per scanner/SBOM pair; harness supports `--manifest-extra`/`DET_EXTRA_INPUTS` for frozen feeds; CI wrapper enforces threshold. | Bench Guild |
| 2025-11-26 | DOCS-DSL-401-005 completed: refreshed `docs/policy/dsl.md` and `docs/policy/lifecycle.md` with signal dictionary, shadow/coverage gates, and authoring workflow. | Docs Guild |
| 2025-11-26 | DOCS-RUNBOOK-401-017 completed: published `docs/runbooks/reachability-runtime.md` and linked from `docs/reachability/DELIVERY_GUIDE.md`; includes CAS/DSSE, air-gap steps, troubleshooting. | Docs Guild |
| 2025-11-26 | DOCS-BENCH-401-061 completed: updated `docs/benchmarks/signals/bench-determinism.md` with how-to (local/CI/offline), manifests, reachability dataset runs, and hash manifest requirements. | Docs Guild |
| 2025-12-01 | Added VEX-GAPS-401-062 to capture VEX1-VEX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added GRAPHREV-GAPS-401-063 to capture GR1-GR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EXPLAIN-GAPS-401-064 to capture EX1-EX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EDGE-GAPS-401-065 to capture EG1-EG10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added BINARY-GAPS-401-066 to capture BR1-BR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-02 | Clarified VEX-GAPS-401-062 outputs: justification catalog, proofBundle schema + DSSE, coverage/negative tests, config/flag hash enforcement + expiry, DSSE/Rekor mandates, RBAC + re-eval triggers, uncertainty gating, canonical OpenVEX serialization, and fixtures/doc paths. | Project Mgmt |
| 2025-11-25 | Marked REPLAY-401-004 BLOCKED: awaiting CAS registration policy (GAP-REP-004) and Signals runtime facts (SGSI0101) before replay manifest v2 can proceed; mirrored to tasks-all. | Project Mgmt |
| 2025-11-23 | Added R6 to enforce runnable bench/dataset artifacts; noted supersedes/extends text in moat/competitive docs. | Planning |
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 57-61 links. | Planning |
| 2025-11-23 | Added competitive + reachability moat docs (`docs/market/competitive-landscape.md`, `docs/reachability/lead.md`) and linked sprint narrative to them. | Planning |
| 2025-11-23 | Added tasks 57-61 (determinism bench, public reachability dataset, native callgraph ingest, corpus merge, docs), logged R5, and noted schema/feed gating. | Planning |
| 2025-11-23 | Added hybrid attestation decision and tasks 53-56; aligned docs references. | Planning |
| 2025-11-22 | Updated cross-references to new sprint filename in tasks-all and reachability docs; synced naming in bench playbook. | Planning |
| 2025-11-22 | Normalized sprint to template, added dependencies/prereqs, Delivery Tracker numbering, interlocks, risks; renamed file for naming compliance. | Planning |
| 2025-11-20 | Added tasks for purl-resolved edges, ELF build-id propagation, init-array roots, and patch-oracle QA harness; aligned docs references. | Planning |