@@ -45,6 +45,12 @@ These are the authoritative advisories to reference for implementation:
- **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md`
- **Status:** Already implemented in Signals module; advisory validates design
### Confidence Decay for Prioritization
- **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point)
- **Related:** Unknowns Registry (time-based decay complements ambiguity tracking)
- **Status:** Design advisory - provides exponential decay formula for priority freshness
### Explainability
- **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md`
- **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
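Review bot: the Unknowns Registry entry sends implementers to an archived file (`archived/18-Nov-2025 - Unknowns-Registry.md`) under a heading that calls these the authoritative advisories to reference for implementation; state that the archived document is background only and that the Signals module implementation named in the Status line is the reference, or move the content that is still needed into a non-archived canonical file. Minor style point: Canonical filenames are backticked while Sprint filenames such as SPRINT_0140_0001_0001_runtime_signals.md are not; pick one convention.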
@@ -80,12 +86,83 @@ These are the authoritative advisories to reference for implementation:
- `docs/schemas/attestation-vuln-scan.schema.json`
- `docs/schemas/audit-bundle-index.schema.json`
## Files to Archive
### Sovereign Crypto for Regional Compliance
- **Canonical:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md`
- **Sprint:** SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
- **Related Docs:**
- `docs/security/rootpack_ru_*.md` - RootPack RU documentation
- `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design
- `docs/security/pq-provider-options.md` - Post-quantum options
- **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
- **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)
The following files should be moved to `archived/` as they are superseded:
### Plugin Architecture & Extensibility
- **Canonical:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md`
- **Sprint:** Foundational - appears in module-specific sprints
- **Related Docs:**
- `docs/dev/plugins/README.md` - General plugin guide
- `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors
- `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins
- `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility
- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules
### Evidence Bundle & Replay Contracts
- **Canonical:** `29-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
- SPRINT_0160_0001_0001_export_evidence.md (Coordination)
- **Related Docs:**
- `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec
- `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
- `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
- **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode
### Mirror & Offline Kit Strategy
- **Canonical:** `29-Nov-2025 - Mirror and Offline Kit Strategy.md`
- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles)
- **Related Sprints:**
- SPRINT_0150_0001_0001 (DSSE/Time Anchors)
- SPRINT_0150_0001_0002 (Time Anchors)
- SPRINT_0150_0001_0003 (Orchestrator Hooks)
- **Related Docs:**
- `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec
- `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec
- `docs/airgap/time-anchor-schema.json` - Time anchor schema
- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring
### Task Pack Orchestration & Automation
- **Canonical:** `29-Nov-2025 - Task Pack Orchestration and Automation.md`
- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
- SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
- **Related Docs:**
- `docs/task-packs/spec.md` - Pack manifest specification
- `docs/task-packs/authoring-guide.md` - Authoring workflow
- `docs/task-packs/registry.md` - Registry architecture
- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture
### Authentication & Authorization Architecture
- **Canonical:** `29-Nov-2025 - Authentication and Authorization Architecture.md`
- **Sprint:** Multiple (see below)
- **Related Sprints:**
- SPRINT_100_identity_signing.md (CLOSED - historical)
- SPRINT_314_docs_modules_authority.md (Docs)
- SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
- **Related Docs:**
- `docs/modules/authority/architecture.md` - Module architecture
- `docs/11_AUTHORITY.md` - Overview
- `docs/security/authority-scopes.md` - Scope reference
- `docs/security/dpop-mtls-rollout.md` - Sender constraints
- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation
## Files Archived
The following files have been moved to `archived/27-Nov-2025-superseded/`:
```
# Duplicates/superseded
# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md
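Review bot: the new advisory sections are interleaved with the old "## Files to Archive" heading and its intro sentence ("The following files should be moved to `archived/` as they are superseded:"): Sovereign Crypto sits between that heading and the sentence, and Plugin Architecture through Authentication & Authorization sit between the sentence and the new "## Files Archived" heading. Confirm the old heading and sentence are the lines being removed; otherwise the new sections read as items to archive. Keep every advisory section contiguous above "## Files Archived". Two smaller points: `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` is labelled "Concelier connectors" although the filename says Excititor, and the archived-file listing opens with two adjacent comment headers ("# Duplicates/superseded" and "# Superseded by canonical advisories"); keep one.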
@@ -93,13 +170,15 @@ The following files should be moved to `archived/` as they are superseded:
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md
# Junk/malformed files
24-Nov-2025 - 1 copy 2.md
24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd (missing dot)
25-Nov-2025 - Half‑Life Confidence Decay for Unknownsmd (missing dot)
```
## Cleanup Completed (2025-11-28)
The following issues were fixed:
- Deleted junk file: `24-Nov-2025 - 1 copy 2.md`
- Deleted malformed duplicate: `24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd`
- Fixed filename: `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` (was missing .md extension)
## Sprint Cross-Reference
| Advisory Topic | Sprint ID | Status |
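Review bot: the "# Junk/malformed files" entries contradict the "Cleanup Completed (2025-11-28)" section in this same hunk. The listing is introduced as files that have been moved to `archived/27-Nov-2025-superseded/`, but the cleanup notes say `24-Nov-2025 - 1 copy 2.md` and the `...Reachability Benchmarkmd` file were deleted and the Half-Life file was renamed, not archived. Either drop those three entries from the archived listing or retitle the block, and move the "(missing dot)" annotations into prose rather than leaving them inside a listing of literal filenames.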
@@ -108,10 +187,17 @@ The following files should be moved to `archived/` as they are superseded:
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | EXISTING (implemented) |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |
## Implementation Priority
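Review bot: the Sprint Cross-Reference table carries two "Unknowns Registry" rows for SPRINT_0140_0001_0001 with different status text ("EXISTING (implemented)" and "IMPLEMENTED"); if both survive the change, drop one. The Status column now mixes NEW, EXISTING, AUGMENTED, IMPLEMENTED, DESIGN and FOUNDATIONAL without defining them; a one-line legend under the table would help. Also, Reachability Evidence, Graph Revision IDs and DSSE/Rekor Batching all map to SPRINT_0401_0001_0001, which a reader may take for a copy-paste error; a short note that one sprint covers all three would remove the doubt.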
@@ -121,8 +207,14 @@ Based on gap analysis:
2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance
3. **P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value
4. **P1 - Vuln Triage UX** (Sprint 0215) - Industry-aligned UX for competitive parity
5. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks
6. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching
5. **P1 - Sovereign Crypto** (Sprint 0514) - Regional compliance enablement
6. **P1 - Evidence Bundle & Replay** (Sprint 0161, 0187) - Audit/compliance critical
7. **P1 - Mirror & Offline Kit** (Sprint 0125, 0150) - Air-gap deployment critical
8. **P2 - Task Pack Orchestration** (Sprint 0157, 0158) - Automation foundation
9. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks
10. **P2 - Plugin Architecture** (Multiple) - Foundational extensibility patterns
11. **P2 - Auth/AuthZ Architecture** (Multiple) - Security consolidation
12. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching
## Implementer Quick Reference
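Review bot: the numbered list shows "5. **P2 - Explainability**" and "6. **P3 - Already Implemented**" alongside "9. **P2 - Explainability**" and "12. **P3 - Already Implemented**"; unless the original 5 and 6 are the lines being removed, the numbering restarts at 5 and two entries are duplicated. Check that the rendered file is a single 1 to 12 sequence with each topic listed once.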
@@ -145,7 +237,41 @@ For each topic, the implementer should read:
| Vuln Explorer | `docs/modules/vuln-explorer/architecture.md` | `src/VulnExplorer/*/AGENTS.md` |
| VEX-Lens | `docs/modules/vex-lens/architecture.md` | `src/Excititor/*/AGENTS.md` |
| UI | `docs/modules/ui/architecture.md` | `src/UI/*/AGENTS.md` |
| Authority | `docs/modules/authority/architecture.md` | `src/Authority/*/AGENTS.md` |
| Evidence Locker | `docs/modules/evidence-locker/*.md` | `src/EvidenceLocker/*/AGENTS.md` |
| Mirror | `docs/modules/mirror/*.md` | `src/Mirror/*/AGENTS.md` |
| TaskRunner | `docs/modules/taskrunner/*.md` | `src/TaskRunner/*/AGENTS.md` |
## Topical Gaps (Advisory Needed)
The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:
| Gap | Severity | Status | Notes |
|-----|----------|--------|-------|
| ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` |
| ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` |
| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `29-Nov-2025 - Evidence Bundle and Replay Contracts.md` |
| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `29-Nov-2025 - Mirror and Offline Kit Strategy.md` |
| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `29-Nov-2025 - Task Pack Orchestration and Automation.md` |
| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `29-Nov-2025 - Authentication and Authorization Architecture.md` |
| **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |
| **Findings Ledger & Audit Trail** | MEDIUM | Open | Immutable verdict tracking; module exists but no advisory |
| **Runtime Posture & Observation** | MEDIUM | Open | Zastava runtime signals; sprints exist but no advisory |
| **Graph Analytics & Clustering** | MEDIUM | Open | Community detection, blast-radius; implementation underway |
| **Policy Simulation & Shadow Gates** | MEDIUM | Open | Impact modeling; extensive sprints but no contract advisory |
| **Notification Rules Engine** | MEDIUM | Open | Throttling, digests, templating; sprints active |
## Known Issues (Non-Blocking)
**Unicode Encoding Inconsistency:**
Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:
- `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md`
- `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
- `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md`
**Archived Duplicate:**
`archived/17-Nov-2025 - SBOM-Provenance-Spine.md` and `archived/18-Nov-2025 - SBOM-Provenance-Spine.md` are potential duplicates. The 18-Nov version is likely canonical.
---
*Index created: 2025-11-27*
*Last updated: 2025-11-28*
*Last updated: 2025-11-29*
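Review bot: the Known Issues paragraph names the wrong character: U+2011 is NON-BREAKING HYPHEN, not an en dash (the en dash is U+2013). Whoever normalizes the three listed filenames will search by code point, so state U+2011 NON-BREAKING HYPHEN explicitly. The footer also now carries two "Last updated" lines (2025-11-28 and 2025-11-29); keep only the latest. Finally, the "Archived Duplicate" note leaves the 17-Nov versus 18-Nov `SBOM-Provenance-Spine.md` question as "likely canonical"; diff the two files and record the result rather than leaving the guess in an index that implementers are told to rely on.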