stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

sprints up

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-30 22:35:50 +02:00
parent 808ab87b21
commit b39eb34226
32 changed files with 914 additions and 330 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -20,7 +20,7 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TASKRUN-AIRGAP-56-001 | DONE (2025-11-30) | Delivered sealed-mode plan validation via AirGap egress policy binding in WebService. | Task Runner Guild · AirGap Policy Guild | Enforce plan-time validation rejecting non-allowlisted network calls in sealed mode; surface remediation errors. |
| 2 | TASKRUN-AIRGAP-56-002 | BLOCKED (2025-11-30) | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 2 | TASKRUN-AIRGAP-56-002 | DOING (2025-11-30) | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 3 | TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 4 | TASKRUN-AIRGAP-58-001 | BLOCKED (2025-11-30) | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
| 5 | TASKRUN-42-001 | BLOCKED (2025-11-25) | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. Blocked: TaskPack loop/conditional semantics and policy-gate evaluation contract not published. |
@@ -56,6 +56,7 @@
| 2025-11-30 | TASKRUN-41-001 delivered in blockers sprint; run API/storage/provenance contract now active (see `docs/modules/taskrunner/architecture.md`). | Task Runner Guild |
| 2025-11-30 | Delivered TASKRUN-AIRGAP-56-001: WebService planner enforces sealed-mode allowlist with remediation messaging. | Task Runner Guild |
| 2025-11-30 | Updated dependencies: AIRGAP chain blocked on helper design (56-002) and downstream evidence work; OAS chain blocked pending TaskPack control-flow addendum (due 2025-12-05); OBS chain blocked on timeline/evidence schema; 41-001 no longer a blocker. | Project Mgmt |
| 2025-12-01 | Started TASKRUN-AIRGAP-56-002: bundle ingestion helper executor added (checksum verify + deterministic staging). Worker wired; awaiting importer specs/fixture paths before marking DONE. | Task Runner Guild |
| 2025-11-30 | Added Wave Coordination, Interlocks, and Action Tracker sections per docs/implplan/AGENTS.md template; no scope change. | Project Mgmt |
| 2025-11-30 | Synced TaskRunner task rows in tasks-all/archived indexes to reflect canonical sprint name and BLOCKED status where applicable. | Project Mgmt |
| 2025-11-30 | Refreshed Decisions & Risks with risk table and aligned checkpoint wording. | Project Mgmt |

1
docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md
View File

@@ -93,4 +93,5 @@
| 2025-11-30 | Set Delivery Tracker tasks to BLOCKED pending Sprint 0163 artefacts; expanded interlocks/action tracker for gating signals. | Implementer |
| 2025-11-30 | Added KMS envelope-handling pattern doc and closed Action 2; encryption risk now covered. | Implementer |
| 2025-11-30 | Added risk-bundle provider matrix/signing baseline doc and closed Action 3; Wave 3 still waits on Sprint 0163 outputs. | Implementer |
| 2025-11-30 | Wired RiskBundle worker DI/options, added filesystem store + signer config, and enabled host service scaffold; RiskBundle tests passing. | Implementer |
| 2025-11-30 | Implemented risk-bundle builder/signing/object store scaffolding and unit tests; set RISK-BUNDLE-69-001 to DOING pending upstream provider artefacts; `dotnet test --filter RiskBundle` passing. | Implementer |

1
docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
View File

@@ -71,6 +71,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Ran TimelineIndexer unit tests (TimelineIndexer.Tests) successfully after ingestion worker + query option fixes; still waiting on transport schema to wire NATS/Redis. | Implementer |
| 2025-11-30 | Implemented TimelineIngestionWorker with subscriber abstraction, session dedupe, and metrics counters; awaiting NATS/Redis subject schema to wire real transports. | Implementer |
| 2025-11-30 | Started TIMELINE-OBS-52-002: added ingestion service, Postgres store, and deterministic payload hashing; queue bindings pending schema alignment. | Implementer |
| 2025-11-30 | Normalized sprint to AGENTS template (Wave/Interlocks/Action tracker) while keeping prior content intact. | Implementer |

5
docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
View File

@@ -29,7 +29,7 @@
| 5 | SIGN-CORE-186-005 | DONE (2025-11-26) | SignerStatementBuilder refactored with StellaOps predicate types and CanonicalJson from Provenance library. | Signing Guild | Refactor `SignerStatementBuilder` to support StellaOps predicate types and delegate canonicalisation to Provenance library when available. |
| 6 | SIGN-TEST-186-006 | DONE (2025-11-26) | Integration tests upgraded with real crypto providers and fixture predicates. | Signing Guild · QA Guild | Upgrade signer integration tests to real crypto abstraction + fixture predicates (promotion, SBOM, replay); deterministic test data. |
| 7 | AUTH-VERIFY-186-007 | BLOCKED (2025-11-30) | BLOCKED by 186-003. | Authority Guild · Provenance Guild | Authority-side helper/service validating DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints; offline audit flow. |
| 8 | SCAN-DETER-186-008 | DOING (2025-11-26) | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
| 8 | SCAN-DETER-186-008 | DONE (2025-11-30) | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
| 9 | SCAN-DETER-186-009 | BLOCKED (2025-11-30) | BLOCKED by 186-008 completion. | Scanner Guild · QA Guild | Determinism harness to replay scans, canonicalise outputs, record hash matrices (`docs/modules/scanner/determinism-score.md`). |
| 10 | SCAN-DETER-186-010 | BLOCKED (2025-11-30) | BLOCKED by 186-009. | Scanner Guild · Export Center Guild | Emit/publish `determinism.json` with scores/hashes/diffs alongside each scanner release via CAS/object storage; document in release guide. |
| 11 | SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Add core entropy calculator & tests; integrate into worker pipeline next. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
@@ -65,12 +65,13 @@
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_186_record_deterministic_execution.md` to `SPRINT_0186_0001_0001_record_deterministic_execution.md`; content preserved. | Implementer |
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
| 2025-11-30 | Realigned statuses: blocked SCAN-REPLAY-186-002/003/009/010/014, AUTH-VERIFY-186-007 on upstream contracts; blocked SPDX 15a15f/DOCS-SBOM-186-017 due to working-directory scope gap (`src/Sbomer` not in sprint). | Implementer |
| 2025-11-30 | SCAN-DETER-186-008 DONE: added determinism payload test coverage and determinism context wiring validation; determinism toggles (fixed clock, RNG seed, log filter, concurrency cap, feed/policy pins) now exercised via determinism.json payload. | Scanner Guild |
## Decisions & Risks
| Item | Impact | Mitigation / Next Step | Status |
| --- | --- | --- | --- |
| Replay Core dependency (0185) | Blocks replay record/consume tasks. | Keep 186-001 BLOCKED until pipeline contract delivered. | OPEN |
| Fixed clock/RNG/log filtering required | Deterministic execution harness correctness. | SCAN-DETER-186-008 in DOING; unblock 009/010 after 008 completes. | OPEN |
| Fixed clock/RNG/log filtering required | Deterministic execution harness correctness. | SCAN-DETER-186-008 DONE; unblock 009/010 after 008 completion. | OPEN |
| Provenance library alignment for signing/verification | Signing/Authority changes must stay compatible. | Rebase once Provenance library available; keep 186-003/007 BLOCKED. | OPEN |
| BLOCKER (186-001): WebService lacks worker inputs (sealed bundles, hashes, CAS locations). | Replay record cannot assemble manifests. | Require pipeline contract from Worker; keep 186-001/002/003 BLOCKED. | OPEN |
| BLOCKER (186-012): Worker lacks HTTP contract to POST entropy snapshots. | Entropy evidence cannot flow to WebService. | Define transport after Policy build fix; keep 186-012 BLOCKED. | OPEN |

75
docs/implplan/SPRINT_0202_0001_0001_cli_ii.md Normal file
View File

@@ -0,0 +1,75 @@
# Sprint 0202-0001-0001 · CLI II (Experience & SDKs 180.A)
## Topic & Scope
- CLI phase II: exports pipeline (profiles/distribution/scheduling/verification) and Notify command surface (rules/simulate/ack/escalations) on top of CLI core from Sprint 180.A.
- Consolidate already-delivered CLI work (exceptions, forensics, promotion, determinism, advisory/VEX) and keep export/notify chains ready once contracts land.
- **Working directory:** `src/Cli/StellaOps.Cli`.
## Dependencies & Concurrency
- Upstream: Sprint 180.A (CLI I) delivered core/bootstrap.
- Concurrency: two chains run independently but sequentially inside each chain: Export (35-001 → 36-001 → 37-001) and Notify (38-001 → 39-001 → 40-001).
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/cli/architecture.md
- src/Cli/StellaOps.Cli/AGENTS.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-CORE-41-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | CLI core: OutputRenderer (json/yaml/table), profiles, error codes, global options. |
| 2 | CLI-EXC-25-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | `stella exceptions` CRUD/import/export commands + HTTP client/models. |
| 3 | CLI-EXC-25-002 | DONE (2025-11-28) | 25-001 | DevEx/CLI Guild | Policy simulate flags `--with-exception/--without-exception`. |
| 4 | CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Await export profiles API/spec (task definition incomplete in legacy doc). | DevEx/CLI Guild | Implement `stella export profiles` (full description pending). |
| 5 | CLI-EXPORT-36-001 | TODO | Depends on 35-001. | DevEx/CLI Guild | Distribution commands `stella export distribute`, `run download --resume`, progress bars. |
| 6 | CLI-EXPORT-37-001 | TODO | Depends on 36-001. | DevEx/CLI Guild | Scheduling/retention + `export verify` (signature/hash validation). |
| 7 | CLI-FORENSICS-53-001 | DONE (2025-11-28) | None | DevEx/CLI · Evidence Locker Guild | Forensic snapshot create/list/show commands + models/clients. |
| 8 | CLI-FORENSICS-54-001 | DONE (2025-11-28) | None | DevEx/CLI · Provenance Guild | `stella forensic verify` checksums/DSSE/timeline validation. |
| 9 | CLI-FORENSICS-54-002 | DONE (2025-11-28) | None | DevEx/CLI · Provenance Guild | `stella forensic attest show` for DSSE/in-toto attestations. |
| 10 | CLI-PROMO-70-001 | DONE (2025-11-28) | None | DevEx/CLI · Provenance Guild | `stella promotion assemble` payload generation. |
| 11 | CLI-DETER-70-003 | DONE (2025-11-28) | None | DevEx/CLI · Scanner Guild | Determinism harness runner `stella detscore run`. |
| 12 | CLI-LNM-22-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | Advisory observations commands `obs get/linkset show/export`. |
| 13 | CLI-LNM-22-002 | DONE (2025-11-28) | None | DevEx/CLI Guild | VEX observations commands `vex obs get/linkset show`. |
| 14 | CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Await Notify rules API/contract. | DevEx/CLI Guild | Implement `stella notify rules ...` (spec pending). |
| 15 | CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Depends on 38-001. | DevEx/CLI Guild | `stella notify simulate`/digest/diff/schedule with dry-run. |
| 16 | CLI-NOTIFY-40-001 | TODO | Depends on 39-001. | DevEx/CLI Guild | Ack token redemption, escalations, localization previews, channel health checks. |
| 17 | CLI-OBS-50-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | Traceparent propagation handler and logging. |
## Wave Coordination
- Wave A: Export chain (35-001 → 36-001 → 37-001). Await export profiles spec before starting.
- Wave B: Notify chain (38-001 → 39-001 → 40-001). Await Notify rules/simulate contracts.
- Wave C: Completed backlog (core/exceptions/forensics/promo/determ/obs) no further action.
## Wave Detail Snapshots
| Wave | Entry criteria | Exit evidence | Notes |
| --- | --- | --- | --- |
| A Export | Export profiles API/spec published; CLI auth scopes confirmed. | `stella export profiles/distribute/schedule/verify` commands shipped with tests and docs. | Keep outputs deterministic; resume-safe downloads. |
| B Notify | Notify rules/simulate contracts published; webhook payload schema fixed. | `stella notify rules/simulate/ack` commands with escalation + localization previews validated. | Add dry-run, diff, and ack token flows; align with Notifier API versioning. |
## Interlocks
- Export profiles/distribution/scheduling contracts from Export Center/DevOps owners.
- Notify rules/simulation/digest payload schema from Notifier team.
- CLI auth scopes for export/notify surfaces.
## Upcoming Checkpoints
- Set once export/notify specs drop (target dates TBD from owning teams).
## Action Tracker
- None; populate when export/notify contract dates are provided.
## Decisions & Risks
- Blocked tasks lack published API/contract details (export profiles; notify rules/simulation). Cannot start without specs.
- Task definitions for CLI-EXPORT-35-001 and CLI-NOTIFY-38-001 are incomplete in legacy doc; require spec drop before refinement.
| Risk | Impact | Mitigation |
| --- | --- | --- |
| Export profiles/spec not published | Export chain cannot start; delivery slips. | Track spec drop; schedule kickoff after publication. |
| Notify rules/simulate schema missing | Notify chain blocked; downstream ack/escalation work delayed. | Coordinate with Notifier team; add action once date known. |
| Ambiguous legacy task definitions | Risk of rework/misalignment. | Hold implementation until specs clarify scope; update sprint once received. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template; renamed to `SPRINT_0202_0001_0001_cli_ii.md`; added waves/interlocks/risks; preserved statuses. | Project Mgmt |

32
docs/implplan/SPRINT_0208_0001_0001_sdk.md
View File

@@ -22,10 +22,10 @@
| --- | --- | --- | --- | --- | --- |
| 1 | SDKGEN-62-001 | DONE (2025-11-24) | Toolchain, template layout, and reproducibility spec pinned. | SDK Generator Guild · `src/Sdk/StellaOps.Sdk.Generator` | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. |
| 2 | SDKGEN-62-002 | DONE (2025-11-24) | Shared post-processing merged; helpers wired. | SDK Generator Guild | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. |
| 3 | SDKGEN-63-001 | DOING | Shared layer ready; TS generator script + fixture + packaging templates added; awaiting frozen OAS to generate. Scaffold + smoke + hash guard ready. | SDK Generator Guild | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. |
| 4 | SDKGEN-63-002 | DOING | Scaffold added; waiting on frozen OAS to generate alpha. Scaffold + smoke + hash guard ready. | SDK Generator Guild | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). |
| 5 | SDKGEN-63-003 | DOING | Scaffold added (config, driver script, smoke test, README); awaiting frozen OAS to generate alpha. | SDK Generator Guild | Ship Go SDK alpha with context-first API and streaming helpers. |
| 6 | SDKGEN-63-004 | DOING | Scaffold added (config, driver script, smoke test, README); OkHttp selected as HTTP client; awaiting frozen OAS to generate alpha. | SDK Generator Guild | Ship Java SDK alpha (builder pattern, HTTP client abstraction). |
| 3 | SDKGEN-63-001 | BLOCKED (2025-11-27) | Awaiting frozen aggregate OAS digest to generate TS alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. |
| 4 | SDKGEN-63-002 | BLOCKED (2025-11-27) | Awaiting frozen aggregate OAS digest to generate Python alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). |
| 5 | SDKGEN-63-003 | BLOCKED (2025-11-26) | Awaiting frozen aggregate OAS digest to generate Go alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Go SDK alpha with context-first API and streaming helpers. |
| 6 | SDKGEN-63-004 | BLOCKED (2025-11-26) | Awaiting frozen aggregate OAS digest to generate Java alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Java SDK alpha (builder pattern, HTTP client abstraction). |
| 7 | SDKGEN-64-001 | BLOCKED (2025-11-30) | Depends on 63-004; waiting for frozen aggregate OAS and Java alpha before mapping CLI surfaces. | SDK Generator Guild · CLI Guild | Switch CLI to consume TS or Go SDK; ensure parity once Wave B artifacts land. |
| 8 | SDKGEN-64-002 | BLOCKED (2025-11-30) | Depends on 64-001; blocked until SDKGEN-64-001 completes. | SDK Generator Guild · Console Guild | Integrate SDKs into Console data providers where feasible. |
| 9 | SDKREL-63-001 | TODO | Set up signing keys/provenance; stage CI pipelines across registries. | SDK Release Guild · `src/Sdk/StellaOps.Sdk.Release` | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. |
@@ -60,25 +60,26 @@
## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm registry signing keys and provenance workflow per language | SDK Release Guild | 2025-11-29 | Open |
| 1 | Confirm registry signing keys and provenance workflow per language | SDK Release Guild | 2025-11-29 | BLOCKED (awaiting sovereign crypto key provisioning; overdue) |
| 2 | Publish SDK language support matrix to CLI/UI guilds. Evidence: `docs/modules/sdk/language-support-matrix.md`. | SDK Generator Guild | 2025-12-03 | DONE (2025-11-26) |
| 3 | Align CLI adoption scope with SPRINT_0201_0001_0001_cli_i and schedule SDK drop integration | SDK Generator Guild · CLI Guild | 2025-12-10 | Open |
| 4 | Define devportal offline bundle manifest with Export Center per SPRINT_0206_0001_0001_devportal. Evidence: `docs/modules/export-center/devportal-offline-manifest.md`. | SDK Release Guild · Export Center Guild | 2025-12-12 | DONE (2025-11-26) |
| 5 | Deliver parity matrix and SDK drop to UI data providers per SPRINT_0209_0001_0001_ui_i | SDK Generator Guild · UI Guild | 2025-12-16 | Open |
## Decisions & Risks
- Toolchain pinned (OpenAPI Generator 7.4.0, JDK 21) and recorded in repo (`TOOLCHAIN.md`, `toolchain.lock.yaml`); downstream tracks must honor lock file for determinism.
- Dependencies on upstream API/portal contracts may delay generator pinning; mitigation: align with APIG0101 / DEVL0101 milestones.
- Release automation requires registry credentials and signing infra; mitigation: reuse sovereign crypto enablement (SPRINT_0514_0001_0001_sovereign_crypto_enablement.md) practices and block releases until keys are validated.
- Toolchain pinned (OpenAPI Generator 7.4.0, JDK 21) and recorded in repo (`TOOLCHAIN.md`, `toolchain.lock.yaml`); downstream tracks must honor lock file for determinism.
- Dependencies on upstream API/portal contracts may delay generator pinning; mitigation: align with APIG0101 / DEVL0101 milestones.
- Release automation requires registry credentials and signing infra; keys still pending (Action Tracker #1 overdue). Mitigation: reuse sovereign crypto enablement (SPRINT_0514_0001_0001_sovereign_crypto_enablement.md) practices, escalate key provisioning by 2025-12-02, and block releases until keys are validated.
- Offline bundle job (SDKREL-64-002) depends on Export Center artifacts; track alongside Export Center sprints; remains BLOCKED until SDKGEN-64-001 completes.
- Shared postprocess helpers copy only when CI sets `STELLA_POSTPROCESS_ROOT` and `STELLA_POSTPROCESS_LANG`; ensure generation jobs export these to keep helpers present in artifacts.
- Shared postprocess helpers copy only when CI sets `STELLA_POSTPROCESS_ROOT` and `STELLA_POSTPROCESS_LANG`; ensure generation jobs export these to keep helpers present in artifacts.
### Risk Register
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Upstream APIs change after generator pin | Rework across four SDKs | Freeze spec version before SDKGEN-63-x; gate via API governance sign-off | SDK Generator Guild | Open |
| Registry signing not provisioned | Cannot ship to npm/PyPI/Maven/Go | Coordinate with sovereign crypto enablement; dry-run staging before prod | SDK Release Guild | Open |
| Offline bundle inputs unavailable | Air-gapped delivery slips | Pull docs/specs from devportal cache; coordinate with Export Center | SDK Release Guild | Open |
| Upstream APIs change after generator pin | Rework across four SDKs | Freeze spec version before SDKGEN-63-x; gate via API governance sign-off | SDK Generator Guild | Open |
| Aggregate OpenAPI freeze delayed | Wave B and downstream adoption blocked | Track APIG0101 schedule; request interim tagged snapshot with SHA; re-run hash guard once frozen | SDK Generator Guild | Open |
| Registry signing not provisioned | Cannot ship to npm/PyPI/Maven/Go | Coordinate with sovereign crypto enablement; dry-run staging before prod | SDK Release Guild | Open |
| Offline bundle inputs unavailable | Air-gapped delivery slips | Pull docs/specs from devportal cache; coordinate with Export Center | SDK Release Guild | Open |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -102,9 +103,10 @@
| 2025-11-26 | Added CI workflow `.gitea/workflows/sdk-generator.yml` to run `npm run sdk:smoke` on SDK generator changes (TS/Python/Go/Java). | SDK Generator Guild |
| 2025-11-27 | Marked SDKGEN-63-001/002 BLOCKED pending frozen aggregate OAS digest; scaffolds and smokes remain ready. | SDK Generator Guild |
| 2025-11-30 | Marked SDKGEN-64-001 and SDKGEN-64-002 BLOCKED pending Wave B (SDKGEN-63-004) OAS freeze/Java alpha; CLI/UI adoption cannot proceed without generated SDK artifacts. | Project Mgmt |
| 2025-11-24 | Added fixture OpenAPI (`ts/fixtures/ping.yaml`) and smoke test (`ts/test_generate_ts.sh`) to validate TypeScript pipeline locally; skips if generator jar absent. | SDK Generator Guild |
| 2025-11-24 | Vendored `tools/openapi-generator-cli-7.4.0.jar` and `tools/jdk-21.0.1.tar.gz` with SHA recorded in `toolchain.lock.yaml`; adjusted TS script to ensure helper copy post-run and verified generation against fixture. | SDK Generator Guild |
| 2025-11-24 | Ran `ts/test_generate_ts.sh` with vendored JDK/JAR and fixture spec; smoke test passes (helpers present). | SDK Generator Guild |
| 2025-11-30 | Status audit: set SDKGEN-63-001..004 to BLOCKED per aggregate OAS freeze; flagged registry signing key action overdue; added OAS-freeze risk entry. | PM |
| 2025-11-24 | Added fixture OpenAPI (`ts/fixtures/ping.yaml`) and smoke test (`ts/test_generate_ts.sh`) to validate TypeScript pipeline locally; skips if generator jar absent. | SDK Generator Guild |
| 2025-11-24 | Vendored `tools/openapi-generator-cli-7.4.0.jar` and `tools/jdk-21.0.1.tar.gz` with SHA recorded in `toolchain.lock.yaml`; adjusted TS script to ensure helper copy post-run and verified generation against fixture. | SDK Generator Guild |
| 2025-11-24 | Ran `ts/test_generate_ts.sh` with vendored JDK/JAR and fixture spec; smoke test passes (helpers present). | SDK Generator Guild |
| 2025-11-24 | Added deterministic TS packaging templates (package.json, tsconfig base/cjs/esm, README, sdk-error) copied via postprocess; updated helper exports and lock hash. | SDK Generator Guild |
| 2025-11-24 | Began SDKGEN-63-002: added Python generator config/script/README + smoke test (reuses ping fixture); awaiting frozen OAS to emit alpha. | SDK Generator Guild |
| 2025-11-27 | Began SDKGEN-63-003: added Go SDK generator scaffold with config (`go/config.yaml`), driver script (`go/generate-go.sh`), smoke test (`go/test_generate_go.sh`), and README; context-first API design documented; awaiting frozen OAS to generate alpha. | SDK Generator Guild |

78
docs/implplan/SPRINT_0210_0001_0002_ui_ii.md Normal file
View File

@@ -0,0 +1,78 @@
# Sprint 0210.0001.0002 - Experience & SDKs · UI II
## Topic & Scope
- Phase II UI uplift for Experience & SDKs: linkset filters, VEX evidence surfaces, permalinks, and Policy Studio authoring flows.
- Keep VEX-first decisioning aligned with `SPRINT_0215_0001_0001_vuln_triage_ux.md` and advisory "28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md".
- Accessibility and determinism remain gating: high-contrast support, deterministic diff outputs, and RBAC-consistent token handling.
- Active items only; completed work lives in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/UI/StellaOps.UI`.
## Dependencies & Concurrency
- Upstream: Sprint 0209.0001.0001 (UI I) for shared components and UI-LNM-22-001 filters; VEX schema and workflows from `SPRINT_0215_0001_0001_vuln_triage_ux.md` plus `docs/schemas/vex-decision.schema.json` and `docs/schemas/audit-bundle-index.schema.json`.
- Advisory alignment: "28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md" governs VEX tab semantics.
- Concurrency: UI III (Sprint 0211) may proceed in parallel if VEX tab API contracts remain backward compatible.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
- `docs/schemas/vex-decision.schema.json`
- `docs/schemas/audit-bundle-index.schema.json`
- Advisory: "28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md"
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-LNM-22-002 | TODO | UI-LNM-22-001 contracts; finalize filter UX | UI Guild (src/UI/StellaOps.UI) | Implement filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination/lazy loading for large linksets. Docs depend on finalized filtering UX. |
| 2 | UI-LNM-22-003 | TODO | 1; align VEX tab with sprint 0215 schema | UI Guild; Excititor Guild (src/UI/StellaOps.UI) | Add VEX tab with status/justification summaries, conflict indicators, and export actions. Required for `DOCS-LNM-22-005` coverage of VEX evidence tab. |
| 3 | UI-LNM-22-004 | TODO | 2; confirm permalink format | UI Guild (src/UI/StellaOps.UI) | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. |
| 4 | UI-ORCH-32-001 | TODO | Orch scope contract; token flows | UI Guild; Console Guild (src/UI/StellaOps.UI) | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. |
| 5 | UI-POLICY-13-007 | TODO | Policy confidence metadata source | UI Guild (src/UI/StellaOps.UI) | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
| 6 | UI-POLICY-20-001 | TODO | 5; DSL schema for Monaco | UI Guild (src/UI/StellaOps.UI) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | TODO | 6; simulation inputs wired | UI Guild (src/UI/StellaOps.UI) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | TODO | 7; RBAC roles ready | UI Guild; Product Ops (src/UI/StellaOps.UI) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | TODO | 8; run viewer APIs | UI Guild; Observability Guild (src/UI/StellaOps.UI) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | TODO | 9; pack list contract | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | TODO | 10; schema + lints ready | UI Guild (src/UI/StellaOps.UI) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | TODO | 11; rule builder inputs | UI Guild (src/UI/StellaOps.UI) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 13 | UI-POLICY-23-004 | TODO | 12; approval routing | UI Guild (src/UI/StellaOps.UI) | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. |
| 14 | UI-POLICY-23-005 | TODO | 13; simulator services | UI Guild (src/UI/StellaOps.UI) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | TODO | 14; export targets confirmed | UI Guild (src/UI/StellaOps.UI) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
## Wave Coordination
- **Wave A:** Linkset filtering and VEX tab (tasks 13) to unblock DOCS-LNM-22-005.
- **Wave B:** Orchestrator RBAC surfacing (task 4) aligned with `orch:*` scope rollout.
- **Wave C:** Policy Studio authoring/review/simulation (tasks 515) in sequential unlock order; keep Monaco/editor artifacts backward compatible for UI III.
## Wave Detail Snapshots
- Wave A output: deterministic filter UX, VEX tab aligned to sprint 0215 schema, permalink pattern documented.
- Wave B output: updated RBAC mappings, token request scope changes, dashboard gating copy.
- Wave C output: Monaco editor, simulator, approvals, dashboards, explain exports wired to policy evidence APIs.
## Interlocks
- VEX decision model and schemas from `SPRINT_0215_0001_0001_vuln_triage_ux.md` must stabilize before tasks 23.
- Orchestrator scope contract (`orch:read`, `Orch.Viewer`) required before task 4.
- Policy DSL schema and simulator APIs needed before tasks 67 and downstream Policy Studio tasks.
## Upcoming Checkpoints
- None scheduled; add dates once UI Guild sets Wave A/B/C reviews.
## Action Tracker
- Pending: record permalink format decision once linkset filter UX is signed off.
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| VEX schema changes post-sprint 0215 | Rework of tasks 23 | Gate VEX tab behind feature flag; align early with sprint 0215 owners | UI Guild · VEX lead |
| `orch:read` scope contract slips | Task 4 blocked; dashboard gating incomplete | Coordinate with Orchestrator guild; mock scope locally until contract lands | UI Guild · Console Guild |
| Policy DSL/simulator API churn | Tasks 615 blocked or reworked | Freeze DSL schema before Monaco editor; stage simulator APIs with contract tests | UI Guild · Policy Guild |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_210_ui_ii.md` to `SPRINT_0210_0001_0002_ui_ii.md`; preserved task list and advisory links. | Planning |

70
docs/implplan/SPRINT_0211_0001_0003_ui_iii.md Normal file
View File

@@ -0,0 +1,70 @@
# Sprint 0211.0001.0003 - Experience & SDKs · UI III
## Topic & Scope
- Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
- Surface reachability evidence (columns, badges, call paths, timelines, halos) and align Console policy workspace with scopes `policy:author/review/approve/operate/audit/simulate`.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/UI/StellaOps.UI`.
- Continues UI stream after `SPRINT_0210_0001_0002_ui_ii.md` (UI II).
## Dependencies & Concurrency
- Upstream: `SPRINT_0210_0001_0002_ui_ii.md` for Policy Studio explain view (UI-POLICY-23-006) and shared components.
- Signals/Reachability contracts for SIG-26 chain (call paths, timelines, coverage, overlay states) provided by Signals & Graph guilds.
- Concurrency: SIG-26 tasks are sequential (001 → 002 → 003 → 004); policy RBAC task can proceed in parallel once scopes finalized.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/signals/architecture.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | TODO | UI-POLICY-23-006 results; scope strings finalised | UI Guild; Product Ops (src/UI/StellaOps.UI) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | TODO | Reachability columns spec + signals feed schema | UI Guild; Signals Guild (src/UI/StellaOps.UI) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | TODO | 2; call path data availability | UI Guild (src/UI/StellaOps.UI) | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | TODO | 3; overlay state/legend finalized | UI Guild (src/UI/StellaOps.UI) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | TODO | 4; coverage metrics stitched | UI Guild (src/UI/StellaOps.UI) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
- **Wave B:** Sequential reachability surfaces (tasks 25) building on the SIG-26 evidence chain.
## Wave Detail Snapshots
- Wave A output: updated RBAC guardrails, scope requests, and UX copy aligned to `policy:*` scopes with Cypress auth fixtures.
- Wave B output: reachability columns/badges, Why drawer call paths and timeline, SBOM Graph halos/time slider with legend, and Reachability Center with coverage/sensor freshness views.
## Interlocks
- Policy Engine to publish final `policy:*` scope list and explain view outputs (UI-POLICY-23-006) to unblock task 1.
- Signals/Graph guilds to provide deterministic reachability evidence fixtures (call paths, timelines, overlays) for SIG-26 tasks.
- Performance budgets for SBOM Graph overlays and Reachability Center dashboards to keep UI responsive offline.
## Upcoming Checkpoints
- None scheduled; set dates once reachability fixtures and policy scope contracts are confirmed.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild · Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain. | Signals Guild | 2025-12-04 | TODO |
| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild · Policy Guild |
| Reachability evidence incomplete or non-deterministic | Tasks 25 blocked or produce noisy UI | Require deterministic fixtures from Signals/Graph; stage behind feature flag and contract tests. | Signals Guild · UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 34 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_211_ui_iii.md` to `SPRINT_0211_0001_0003_ui_iii.md`; no task status changes. | Planning |

14
docs/implplan/SPRINT_0212_0001_0001_web_i.md
View File

@@ -50,18 +50,19 @@
- Policy guild input needed for evidence export scoping (WEB-CONSOLE-23-003) and exceptions workflow (WEB-EXC-25-001).
## Upcoming Checkpoints
- 2025-11-25 (tentative): Contract freeze review for WEB-CONSOLE-23-001 with Concelier and Excititor owners.
- 2025-11-27 (tentative): Scheduler/Signals alignment on SSE topics for WEB-CONSOLE-23-002.
- 2025-12-03 (rescheduled): Contract freeze review for WEB-CONSOLE-23-001 with Concelier and Excititor owners; capture schema snapshot in `docs/api/console/workspaces.md`.
- 2025-12-04 (rescheduled): Scheduler/Signals alignment on SSE topics + heartbeat/backoff defaults for WEB-CONSOLE-23-002.
## Action Tracker
- Concelier graph schema freeze date confirmation (owner: Console Guild; due: 2025-11-25).
- Excititor SSE payload validation session scheduled with Scheduler Guild (owner: BE-Base Platform; due: 2025-11-27).
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-02; status: follow-up for missed 2025-11-25 review).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-04; status: rescheduled from 2025-11-27).
- Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: new action to unblock WEB-AIAI-31-001/002/003).
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Hold contract review on 2025-11-25; publish schema snapshot to `docs/api/console/workspaces.md`; keep blockers logged | Console Guild | Open |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Schedule alignment with Scheduler/Signals by 2025-11-27; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Rescheduled review to 2025-12-03; publish schema snapshot to `docs/api/console/workspaces.md`; keep blockers logged | Console Guild | Open (rescheduled 2025-11-30) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Rescheduled alignment with Scheduler/Signals to 2025-12-04; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open (rescheduled 2025-11-30) |
| Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Request gateway contract snapshot + policy doc; replan once provided | BE-Base Platform Guild | Open |
## Execution Log
@@ -80,4 +81,5 @@
| 2025-11-22 | Added completion dates in `tasks-all` for WEB-CONTAINERS-44/45/46 and aligned BLOCKED dates for VULN-29-001/VEX-30-001. | Planning |
| 2025-11-22 | Harmonized all `CONTAINERS-44/45/46` rows in `tasks-all` to DONE with dates to match sprint status. | Planning |
| 2025-11-28 | Completed WEB-CONSOLE-23-001: Implemented `/console/dashboard` and `/console/filters` endpoints in Authority module. Dashboard returns tenant-scoped aggregates (findings summary, VEX overrides, advisory deltas, run health, policy change log) with 30-day trend data. Filters endpoint returns deterministic filter categories with counts and cache-validation hash. Added 8 unit tests for dashboard/filters endpoints. Implementation in `src/Authority/StellaOps.Authority/StellaOps.Authority/Console/`. | Policy Guild |
| 2025-11-30 | Rescheduled missed 2025-11-25/27 checkpoints to 2025-12-03/04, added follow-up actions (schema snapshot, SSE alignment, advisory AI gateway contract) and noted reschedule in risk statuses. | Planning |
| 2025-11-30 | Completed WEB-AOC-19-002: added deterministic provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests under `src/Web/StellaOps.Web/src/app/core/aoc`. Added Web TASKS board and marked task DONE. | BE-Base Platform Guild |

79
docs/implplan/SPRINT_0213_0001_0002_web_ii.md Normal file
View File

@@ -0,0 +1,79 @@
# Sprint 0213-0001-0002 · Web II (Experience & SDKs 180.F)
## Topic & Scope
- Phase II web gateway work: exceptions workflow surfaces, Export Center routing, and Graph overlay/asset proxying.
- Active items only; completed/historic work reside in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- Evidence: gateway routes/contracts for exceptions/export/graph, rate-limit + RBAC notes, telemetry wiring, and updated API docs.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 0212-0001-0001 Web I; Graph Platform overlay schema ratification; Export Center API contract freeze.
- Concurrency: Graph chain must follow spec ratification; export and exception tracks can proceed in parallel but respect per-task dependencies.
- Avoid parallel merges on Graph tasks until duplicate IDs (WEB-GRAPH-24-001/24-004 variants) are clarified.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/export-center/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-EXC-25-002 | TODO | Depends on WEB-EXC-25-001; align exception metadata schema for `/policy/*`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
| 2 | WEB-EXC-25-003 | TODO | Wait for WEB-EXC-25-002 output and notification hook contracts. | BE-Base Platform Guild; Platform Events Guild (`src/Web/StellaOps.Web`) | Publish `exception.*` events, integrate notification hooks, enforce rate limits. |
| 3 | WEB-EXPORT-35-001 | TODO | Need Export Center profile/run/download contracts confirmed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface Export Center APIs with tenant scoping, streaming support, viewer/operator scope checks. |
| 4 | WEB-EXPORT-36-001 | TODO | Depends on WEB-EXPORT-35-001 and storage signer inputs. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add distribution routes (OCI/object storage), manifest/provenance proxies, signed URL generation. |
| 5 | WEB-EXPORT-37-001 | TODO | Depends on WEB-EXPORT-36-001; finalize retention/encryption params. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose scheduling, retention, encryption parameters, verification endpoints with admin scope enforcement and audit logs. |
| 6 | WEB-GRAPH-SPEC-21-000 | BLOCKED (2025-11-30) | Await Graph Platform ratification of overlay format + cache schema. | BE-Base Platform Guild; Graph Platform Guild (`src/Web/StellaOps.Web`) | Graph API/overlay spec drop; stub exists but not ratified. |
| 7 | WEB-GRAPH-21-001 | BLOCKED (2025-11-30) | Blocked by WEB-GRAPH-SPEC-21-000. | BE-Base Platform Guild; Graph Platform Guild (`src/Web/StellaOps.Web`) | Graph endpoints proxy with tenant enforcement, scope checks, streaming. |
| 8 | WEB-GRAPH-21-002 | BLOCKED (2025-11-30) | Blocked by WEB-GRAPH-21-001 and final overlay schema. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Request validation (bbox/zoom/path), pagination tokens, deterministic ordering; contract tests. |
| 9 | WEB-GRAPH-21-003 | TODO | Start once WEB-GRAPH-21-002 unblocks. | BE-Base Platform Guild; QA Guild (`src/Web/StellaOps.Web`) | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, document rate limits. |
| 10 | WEB-GRAPH-21-004 | TODO | Requires WEB-GRAPH-21-003 outputs. | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Overlay pass-through; maintain streaming budgets while gateway stays stateless. |
| 11 | WEB-GRAPH-24-001 | TODO | WEB-GRAPH-21-004; cache/pagination strategy confirmation. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Gateway proxy refresh for Graph API + Policy overlays with RBAC, caching, pagination, ETags, streaming; zero business logic. |
| 12 | WEB-GRAPH-24-001 (Graph endpoints) | TODO | Depends on WEB-GRAPH-24-001; clarify duplicate ID scope. | BE-Base Platform Guild; SBOM Service Guild (`src/Web/StellaOps.Web`) | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, tenant scoping as pure proxy. |
| 13 | WEB-GRAPH-24-004 | TODO | Needs WEB-GRAPH-24-001 responses; overlay service AOC feed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Embed AOC summaries from overlay services; gateway does not compute derived severity/hints. |
| 14 | WEB-GRAPH-24-004 (Telemetry) | TODO | Depends on WEB-GRAPH-24-004; pick sampling strategy. | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling. |
| 15 | WEB-LNM-21-001 | TODO | Need advisory service schema; confirm RBAC scopes. | BE-Base Platform Guild; Concelier WebService Guild (`src/Web/StellaOps.Web`) | Surface `/advisories/*` APIs via gateway with caching, pagination, RBAC enforcement (`advisory:read`). |
| 16 | WEB-LNM-21-002 | TODO | Depends on WEB-LNM-21-001 contract. | BE-Base Platform Guild; Excititor WebService Guild (`src/Web/StellaOps.Web`) | Expose `/vex/*` read APIs with evidence routes/export handlers; map `ERR_AGG_*` codes. |
## Wave Coordination
- Single wave covering Graph overlays/assets, Export Center routing, and exception workflows; follow dependency order noted above.
## Wave Detail Snapshots
- Not required; Delivery Tracker captures task-level state.
## Interlocks
- Graph overlay schema ratification required before tasks 612 can progress.
- Export Center contract (profiles/runs/download/distribution) must freeze before tasks 35 advance.
- Notification hooks/rate-limit policy needed for WEB-EXC-25-003; coordinate with Platform Events Guild.
- Duplicate IDs in Graph chain (24-001, 24-004 variants) risk status drift; needs resolution.
## Upcoming Checkpoints
- 2025-12-02 (UTC): Graph Platform review to ratify overlay/cache schema for WEB-GRAPH-SPEC-21-000.
- 2025-12-03 (UTC): Export Center contract freeze review for WEB-EXPORT-35-001/36-001.
- 2025-12-04 (UTC): Platform Events alignment on exception event shapes and rate limits for WEB-EXC-25-003.
## Action Tracker
| Item | Owner | Due (UTC) | Status / Notes |
| --- | --- | --- | --- |
| Publish ratified Graph overlay/cache schema snapshot to sprint attachments | Graph Platform Guild | 2025-12-02 | Open |
| Confirm Export Center streaming/range limits and signed URL policy for gateway | Export Center Guild | 2025-12-03 | Open |
| Clarify duplicate task IDs (WEB-GRAPH-24-001 variants and WEB-GRAPH-24-004 variants) and assign distinct IDs | Planning | 2025-12-01 | Open |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Graph overlay schema not ratified (WEB-GRAPH-SPEC-21-000) | Blocks tasks 612; prevents gateway proxy wiring | Schedule 2025-12-02 ratification; publish schema snapshot; keep tasks 712 BLOCKED until done | Graph Platform Guild | Open |
| Duplicate task IDs in Graph chain (24-001, 24-004) | Tracking ambiguity; risk of parallel conflicting changes | Planning to assign distinct IDs and update sprint + tasks-all once clarified (Action Tracker item) | Planning | Open |
| Export Center contract churn | Rework for tasks 35; risk of incompatible scopes/streaming limits | Freeze contract on 2025-12-03 checkpoint; capture signed URL + retention params in API doc | Export Center Guild | Open |
| Notification/rate-limit policy gaps for exception events | Could block WEB-EXC-25-003 or cause unsafe fan-out | Align with Platform Events Guild on 2025-12-04; codify rate-limit + event schema in docs | BE-Base Platform Guild | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template, expanded dependencies/checkpoints, and carried over all tasks from prior list. | Project Mgmt |
| 2025-11-30 | Renamed file from `SPRINT_213_web_ii.md` to `SPRINT_0213_0001_0002_web_ii.md`; pending cross-references updated. | Project Mgmt |

53
docs/implplan/SPRINT_0214_0001_0001_web_iii.md Normal file
View File

@@ -0,0 +1,53 @@
# Sprint 0214-0001-0001 · Web III (Experience & SDKs 180.F)
## Topic & Scope
- Phase III gateway delivery for Experience & SDKs: evidence aggregation, notifier routing, OAS alignment, and observability surfaces.
- Keep Web gateway contracts aligned with upstream services (Policy, Notifier, Timeline/Log stores) while maintaining offline/deterministic posture.
- Prep orchestrator read-only routes to unblock control-plane features in Web IV.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 180.F · Web II must land shared policy/VEX observation contracts before this work proceeds.
- Notifier chain is sequential (WEB-NOTIFY-38-001 → 39-001 → 40-001); avoid parallel merges to keep scopes coherent.
- OAS alignment must follow order WEB-OAS-61-001 → 61-002 → 62-001 → 63-001.
- Observability work is sequential (WEB-OBS-50-001 → 51-001 → 52-001 → 54-001 → 55-001 → 56-001); keep guardrails consistent across steps.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-LNM-21-003 | TODO | WEB-LNM-21-002 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
| 2 | WEB-NOTIFY-38-001 | TODO | Align notifier gateway routes and tenant scopes | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
| 3 | WEB-NOTIFY-39-001 | TODO | WEB-NOTIFY-38-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
| 4 | WEB-NOTIFY-40-001 | TODO | WEB-NOTIFY-39-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |
| 5 | WEB-OAS-61-001 | TODO | Finalize gateway spec metadata | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. |
| 6 | WEB-OAS-61-002 | TODO | WEB-OAS-61-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. |
| 7 | WEB-OAS-62-001 | TODO | WEB-OAS-61-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Normalize endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. |
| 8 | WEB-OAS-63-001 | TODO | WEB-OAS-62-001 | BE-Base Platform Guild · API Governance Guild (`src/Web/StellaOps.Web`) | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |
| 9 | WEB-OBS-50-001 | TODO | Integrate StellaOps.Telemetry.Core into gateway host | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Replace ad-hoc logging; ensure routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
| 10 | WEB-OBS-51-001 | TODO | WEB-OBS-50-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `/obs/health` and `/obs/slo` aggregations pulling Prometheus/collector metrics with burn-rate signals and exemplar links for Console widgets. |
| 11 | WEB-OBS-52-001 | TODO | WEB-OBS-51-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
| 12 | WEB-OBS-54-001 | TODO | WEB-OBS-52-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
| 13 | WEB-OBS-55-001 | TODO | WEB-OBS-54-001 | BE-Base Platform Guild · Ops Guild (`src/Web/StellaOps.Web`) | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
| 14 | WEB-OBS-56-001 | TODO | WEB-OBS-55-001 | BE-Base Platform Guild · AirGap Guild (`src/Web/StellaOps.Web`) | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
| 15 | WEB-ORCH-32-001 | TODO | Confirm orchestrator read-only API contract | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template and renamed from `SPRINT_214_web_iii.md`; preserved existing task list. | Project Mgmt |
## Decisions & Risks
- Notify, OAS, and Observability tracks are strictly sequential; later tasks should not start until predecessors complete to avoid schema drift.
- WEB-LNM-21-003 remains gated on WEB-LNM-21-002 delivering stable policy/VEX observation contracts.
- WEB-ORCH-32-001 depends on orchestrator API clarity; block if contracts are not published to avoid misaligned caching/rate-limit behavior.
- Ensure telemetry/error envelope updates are synchronized with downstream Console/CLI consumers to prevent breaking dashboards.
## Next Checkpoints
- Schedule dependency sync once WEB-LNM-21-002 contract drops (target week of 2025-12-02).
- Set notifier gateway review after WEB-NOTIFY-38-001 implementation notes are ready (target week of 2025-12-04).

17
docs/implplan/SPRINT_0215_0001_0001_vuln_triage_ux.md
View File

@@ -6,7 +6,7 @@
- **Working directory:** `src/UI/StellaOps.UI`
## Dependencies & Concurrency
- Upstream sprints: SPRINT_0209_0001_0001_ui_i (UI I), SPRINT_210_ui_ii (UI II - VEX tab).
- Upstream sprints: SPRINT_0209_0001_0001_ui_i (UI I), SPRINT_0210_0001_0002_ui_ii (UI II - VEX tab).
- Backend dependencies: Vuln Explorer APIs (`/v1/findings`, `/v1/vex-decisions`), Attestor service, Export Center.
- Parallel tracks: Can run alongside UI II/III for shared component work.
- Blockers to flag: VEX decision API schema finalization, Attestation viewer predicates.
@@ -26,7 +26,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-TRIAGE-01-001 | TODO | - | UI Guild (src/UI/StellaOps.UI) | Create Artifacts List view with columns: Artifact, Type, Environment(s), Open/Total vulns, Max severity, Attestations badge, Last scan. Include sorting, filtering, and "View vulnerabilities" primary action. |
| 1 | UI-TRIAGE-01-001 | BLOCKED | UI workspace missing (src/UI/StellaOps.UI has no Angular project files) | UI Guild (src/UI/StellaOps.UI) | Create Artifacts List view with columns: Artifact, Type, Environment(s), Open/Total vulns, Max severity, Attestations badge, Last scan. Include sorting, filtering, and "View vulnerabilities" primary action. |
| 2 | UI-TRIAGE-01-002 | TODO | UI-TRIAGE-01-001 | UI Guild (src/UI/StellaOps.UI) | Build Vulnerability Workspace split layout: left panel with finding cards (CVE, package, severity, path), right panel with Explainability tabs (Overview, Reachability, Policy, Attestations). |
| 3 | UI-TRIAGE-01-003 | TODO | UI-TRIAGE-01-002 | UI Guild (src/UI/StellaOps.UI) | Implement evidence-first Finding Card component with severity badge, package info, location path, and primary actions (Fix PR, VEX, Attach Evidence). Include `New`, `VEX: Not affected`, `Policy: blocked` badges. |
| 4 | UI-TRIAGE-01-004 | TODO | UI-TRIAGE-01-003 | UI Guild (src/UI/StellaOps.UI) | Build Explainability Panel Overview tab: title, severity, package/version, scanner+DB date, finding history timeline, current VEX decision summary. |
@@ -61,9 +61,12 @@
| 33 | DTO-09-001 | TODO | SCHEMA-08-001 | API Guild | Create VexDecisionDto, SubjectRefDto, EvidenceRefDto, VexScopeDto, ValidForDto C# DTOs per advisory. |
| 34 | DTO-09-002 | TODO | SCHEMA-08-002 | API Guild | Create VulnScanAttestationDto, AttestationSubjectDto, VulnScanPredicateDto C# DTOs per advisory. |
| 35 | DTO-09-003 | TODO | SCHEMA-08-003 | API Guild | Create AuditBundleIndexDto, BundleArtifactDto, BundleVexDecisionEntryDto C# DTOs per advisory. |
| 36 | TS-10-001 | TODO | SCHEMA-08-001 | UI Guild | Create TypeScript interfaces for VexDecision, SubjectRef, EvidenceRef, VexScope, ValidFor per advisory. |
| 37 | TS-10-002 | TODO | SCHEMA-08-002 | UI Guild | Create TypeScript interfaces for VulnScanAttestation, AttestationSubject, VulnScanPredicate per advisory. |
| 38 | TS-10-003 | TODO | SCHEMA-08-003 | UI Guild | Create TypeScript interfaces for AuditBundleIndex, BundleArtifact, BundleVexDecisionEntry per advisory. |
| 36 | TS-10-001 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for VexDecision, SubjectRef, EvidenceRef, VexScope, ValidFor per advisory. |
| 37 | TS-10-002 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for VulnScanAttestation, AttestationSubject, VulnScanPredicate per advisory. |
| 38 | TS-10-003 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for AuditBundleIndex, BundleArtifact, BundleVexDecisionEntry per advisory. |
| 39 | DOC-11-001 | TODO | Product advisory doc sync | Docs Guild (docs/) | Update high-level positioning for VEX-first triage: refresh docs/key-features.md and docs/07_HIGH_LEVEL_ARCHITECTURE.md with UX/audit bundle narrative; link 28-Nov-2025 advisory. |
| 40 | DOC-11-002 | TODO | DOC-11-001 | Docs Guild; UI Guild | Update docs/modules/ui/architecture.md with triage workspace + VEX modal flows; add schema links and advisory cross-references. |
| 41 | DOC-11-003 | TODO | DOC-11-001 | Docs Guild; Vuln Explorer Guild; Export Center Guild | Update docs/modules/vuln-explorer/architecture.md and docs/modules/export-center/architecture.md with VEX decision/audit bundle API surfaces and schema references. |
## Wave Coordination
- **Wave A (Schemas & DTOs):** SCHEMA-08-*, DTO-09-*, TS-10-* - Foundation work
@@ -113,11 +116,15 @@
| Attestation service not ready | UI-ATT-* tasks blocked | Mock attestation data; feature flag attestation views |
| Export Center capacity | Audit bundle generation slow | Async generation with progress; queue management |
| Bulk VEX operations performance | UI-VEX-02-007 slow for large selections | Batch API endpoint; pagination; background processing |
| Advisory doc sync lag | Docs drift from UX/API decisions | Track DOC-11-* tasks; block release sign-off until docs updated |
| UI workspace absent | Blocks UI-TRIAGE-* and TS-10-* tasks | Restore Angular project under src/UI/StellaOps.UI or provide module path; rebaseline mocks |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint created from product advisory `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`. 38 tasks defined across 5 UI task groups, 2 API task groups, 3 schema tasks, 3 DTO tasks, 3 TS interface tasks. | Project mgmt |
| 2025-11-30 | Added DOC-11-* doc-sync tasks per advisory handling rules; no scope change to delivery waves. | Project mgmt |
| 2025-11-30 | Marked UI-TRIAGE-01-001 and TS-10-* tasks BLOCKED because src/UI/StellaOps.UI lacks Angular workspace; awaiting restoration to proceed. | UI Guild |
---
*Sprint created: 2025-11-28*

134
docs/implplan/SPRINT_0215_0001_0001_web_iv.md
View File

@@ -1,54 +1,92 @@
# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
## Topic & Scope
- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
## Topic & Scope
- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/policy/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
| 3 | WEB-POLICY-20-001 | BLOCKED (2025-11-25) | Await Policy Engine REST contract + tenant/RBAC spec | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
| 9 | WEB-POLICY-23-003 | TODO | WEB-POLICY-23-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
| 10 | WEB-POLICY-23-004 | TODO | WEB-POLICY-23-003 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
| 11 | WEB-POLICY-27-001 | TODO | WEB-POLICY-23-004 | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
| 12 | WEB-POLICY-27-002 | TODO | WEB-POLICY-27-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
| 13 | WEB-POLICY-27-003 | TODO | WEB-POLICY-27-002 | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
| 14 | WEB-POLICY-27-004 | TODO | WEB-POLICY-27-003 | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |
| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
| 4 | WEB-POLICY-20-002 | BLOCKED (2025-11-30) | WEB-POLICY-20-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
| 5 | WEB-POLICY-20-003 | BLOCKED (2025-11-30) | WEB-POLICY-20-002 (blocked) | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
| 6 | WEB-POLICY-20-004 | BLOCKED (2025-11-30) | WEB-POLICY-20-003 (blocked) | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
| 9 | WEB-POLICY-23-003 | BLOCKED (2025-11-30) | WEB-POLICY-23-002 (blocked until WEB-POLICY-20-004 ships) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
| 10 | WEB-POLICY-23-004 | BLOCKED (2025-11-30) | WEB-POLICY-23-003 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
| 11 | WEB-POLICY-27-001 | BLOCKED (2025-11-30) | WEB-POLICY-23-004 (blocked) | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
| 12 | WEB-POLICY-27-002 | BLOCKED (2025-11-30) | WEB-POLICY-27-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
| 13 | WEB-POLICY-27-003 | BLOCKED (2025-11-30) | WEB-POLICY-27-002 (blocked) | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
| 14 | WEB-POLICY-27-004 | BLOCKED (2025-11-30) | WEB-POLICY-27-003 (blocked) | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
| 15 | WEB-POLICY-27-005 | BLOCKED (2025-11-30) | WEB-POLICY-27-004 (blocked) | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
## Wave Coordination
- Wave 1: Orchestrator run-control (WEB-ORCH-33/34) follows WEB-ORCH-32-001 and can proceed independently of policy work.
- Wave 2: Policy Engine CRUD/simulation (WEB-POLICY-20-001…004) is strictly sequential and blocked on the REST contract + tenant/RBAC spec.
- Wave 3: Policy pack lifecycle (WEB-POLICY-23-001…004) begins only after Wave 2 exits with rate-limit design approved.
- Wave 4: Registry/Studio proxy and publishing (WEB-POLICY-27-001…005) proceeds after Wave 3 to avoid schema drift.
## Wave Detail Snapshots
| Wave | Covered tasks | Current state | Exit criteria | Blockers |
| --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | TODO | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | WEB-ORCH-32-001 readiness |
| 2 | WEB-POLICY-20-001…004 | BLOCKED | Policy CRUD/simulate endpoints with rate limits and error mapping published in OpenAPI | Policy Engine REST contract + tenant/RBAC spec; rate-limit design approval |
| 3 | WEB-POLICY-23-001…004 | BLOCKED | Policy pack CRUD/activation/simulate/evaluate with streaming responses and explain history | WEB-POLICY-20-004 completion and approval workflow design |
| 4 | WEB-POLICY-27-001…005 | BLOCKED | Registry proxy with reviews, publish/promote/rollback, and Studio observability dashboards | Wave 3 exit + shared registry schema/versioning plan |
## Interlocks
- Policy Engine REST contract + tenant/RBAC specification is required before any WEB-POLICY-20-* implementation.
- Platform Reliability must approve adaptive rate-limit design for simulations before publishing retry headers and CLI docs.
- Policy Registry schema/versioning alignment is needed to avoid rework in WEB-POLICY-27-001…005.
- Security Guild audit/RBAC checklist must be applied to orchestrator control routes prior to release.
## Upcoming Checkpoints
- 2025-12-02 · Receive Policy Engine REST contract + tenant/RBAC spec (Policy Guild) to unblock WEB-POLICY-20-001…004.
- 2025-12-03 · Platform Reliability rate-limit design review for simulations (slipped from 2025-11-22) to enable WEB-POLICY-20-004.
- 2025-12-06 · Go/no-go on policy pack CRUD/activation kickoff (WEB-POLICY-23-001/002) contingent on rate-limit approval.
- 2025-12-09 · Registry schema/versioning alignment for Studio proxy stream (WEB-POLICY-27-001 owner: Policy Registry Guild).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Deliver Policy Engine REST contract + tenant/RBAC spec for web gateway | Policy Guild | 2025-12-02 | OPEN | Unblocks WEB-POLICY-20-001…004; required before any Angular wiring. |
| 2 | Confirm adaptive rate-limit design for simulations | Platform Reliability Guild | 2025-12-03 | OPEN | Gates WEB-POLICY-20-004 retry headers and quotas. |
| 3 | Publish RBAC/tenant alignment note for web gateway once contract lands | BE-Base Platform Guild | 2025-12-05 | PENDING | Follows Action #1; must precede policy pack work. |
| 4 | Lock Policy Registry schema/versioning plan for Studio proxy | Policy Registry Guild | 2025-12-09 | OPEN | Required before WEB-POLICY-27-001 streaming proxy. |
## Decisions & Risks
- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
- WEB-POLICY-20-001 blocked pending Policy Engine REST contract + tenant/RBAC specification; cannot scaffold Angular/web gateway endpoints without it.
## Next Checkpoints
- 2025-11-22 · Verify WEB-POLICY-20-004 rate-limit design review completed (Platform Reliability Guild).
- 2025-11-25 · Policy pack CRUD kickoff pending unblock from WEB-POLICY-20-004 (Policy Guild + BE-Base Platform Guild).
| ID | Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- | --- |
| R1 | Policy Engine REST contract/RBAC spec slips past 2025-12-02 | Blocks WEB-POLICY-20-001…004 and downstream pack work | Track Action #1; escalate to Policy Guild; keep OpenAPI placeholders out of main until contract arrives | Policy Guild | OPEN |
| R2 | Rate-limit design review delayed past 2025-12-03 | Simulation endpoints cannot expose quotas/headers; CLI docs drift | Track Action #2; freeze public docs until design approved; backfill metrics before enablement | Platform Reliability Guild | OPEN |
| R3 | Registry schema/versioning diverges from web proxy | Rework for WEB-POLICY-27-001…005; potential outage on streaming downloads | Track Action #4; pin schema versions and add contract tests before merge | Policy Registry Guild | OPEN |
| R4 | Orchestrator run-control released without audit/RBAC alignment | Post-release security gap and incomplete audit trail | Apply Security Guild checklist; add acceptance tests for RBAC + audit logging before Wave 1 exit | BE-Base Platform Guild | OPEN |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized to docs/implplan template (added waves, interlocks, action tracker); propagated BLOCKED statuses to downstream tasks and refreshed checkpoints. | Project Mgmt |
| 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |
| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |

71
docs/implplan/SPRINT_0216_0001_0001_web_v.md Normal file
View File

@@ -0,0 +1,71 @@
# Sprint 0216-0001-0001 · Web V (Experience & SDKs 180.F)
## Topic & Scope
- Phase V gateway uplift: risk routing, signals reachability overlays, tenant scoping/ABAC, VEX consensus streaming, and vuln proxy/export telemetry.
- Active items only; completed/historic work moved to `docs/implplan/archived/tasks.md` (last updated 2025-11-08).
- Evidence: routed APIs with RBAC/ABAC, signed URL handling, reachability filters, notifier/ledger hooks, and gateway telemetry.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 180.F · Web IV must land shared gateway components before Web V endpoints ship.
- Respect chains: RISK (66-001 → 66-002 → 67-001 → 68-001), SIG (26-001 → 26-002 → 26-003), TENANT (47-001 → 48-001 → 49-001), VULN (29-001 → 29-002 → 29-003 → 29-004). Avoid parallel merges that violate these orders.
- Interlocks: Policy Engine contracts for ABAC overlay and reachability scoring; Notifications bus schema for severity transition events; Findings Ledger idempotency/correlation headers for vuln workflow forwarding.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-RISK-66-001 | TODO | Baseline gateway routing contract | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
| 2 | WEB-RISK-66-002 | TODO | WEB-RISK-66-001 | BE-Base Platform Guild; Risk Engine Guild (`src/Web/StellaOps.Web`) | Add signed URL handling for explanation blobs and enforce scope checks. |
| 3 | WEB-RISK-67-001 | TODO | WEB-RISK-66-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). |
| 4 | WEB-RISK-68-001 | TODO | WEB-RISK-67-001; notifier bus schema | BE-Base Platform Guild; Notifications Guild (`src/Web/StellaOps.Web`) | Emit events on severity transitions via gateway to notifier bus with trace metadata. |
| 5 | WEB-SIG-26-001 | TODO | Signals API contract confirmation | BE-Base Platform Guild; Signals Guild (`src/Web/StellaOps.Web`) | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. |
| 6 | WEB-SIG-26-002 | TODO | WEB-SIG-26-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. |
| 7 | WEB-SIG-26-003 | TODO | WEB-SIG-26-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. |
| 8 | WEB-TEN-47-001 | TODO | JWT + tenant header contract freeze | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
| 9 | WEB-TEN-48-001 | TODO | WEB-TEN-47-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
| 10 | WEB-TEN-49-001 | TODO | WEB-TEN-48-001; Policy Engine ABAC overlay | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. |
| 11 | WEB-VEX-30-007 | TODO | Tenant RBAC/ABAC policy definitions | BE-Base Platform Guild; VEX Lens Guild (`src/Web/StellaOps.Web`) | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. |
| 12 | WEB-VULN-29-001 | TODO | Tenant scoping model | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. |
| 13 | WEB-VULN-29-002 | TODO | WEB-VULN-29-001; Findings Ledger idempotency headers | BE-Base Platform Guild; Findings Ledger Guild (`src/Web/StellaOps.Web`) | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. |
| 14 | WEB-VULN-29-003 | TODO | WEB-VULN-29-002; export/simulation orchestrator | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. |
| 15 | WEB-VULN-29-004 | TODO | WEB-VULN-29-003; observability dashboard specs | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. |
## Wave Coordination
- Single wave (Web V gateway + tenant hardening). Keep task order per dependency chains above; no parallel merges that alter schema/telemetry without shared reviews.
## Wave Detail Snapshots
- Not required (single wave). Progress captured in Delivery Tracker and Execution Log.
## Interlocks
- Policy Engine: ABAC overlay contract and reachability scoring must be stable before WEB-TEN-49-001 and WEB-SIG-26-002 proceed.
- Notifications: event schema for severity transitions required ahead of WEB-RISK-68-001.
- Findings Ledger: idempotency/correlation header contract required before WEB-VULN-29-002.
## Upcoming Checkpoints
- 2025-12-02 (UTC) · JWT/tenant header + ABAC overlay contract review (BE-Base Platform Guild · Policy Guild).
- 2025-12-04 (UTC) · Findings Ledger idempotency/correlation header alignment (BE-Base Platform Guild · Findings Ledger Guild).
- 2025-12-06 (UTC) · Notifications event schema review for severity transitions (BE-Base Platform Guild · Notifications Guild).
## Action Tracker
- Publish gateway routing/tenant header contract for WEB-TEN-47-001 (owner: BE-Base Platform Guild; due: 2025-12-02).
- Deliver Findings Ledger contract note (idempotency + correlation headers) for WEB-VULN-29-002 (owner: Findings Ledger Guild; due: 2025-12-04).
- Confirm notifier bus event schema for WEB-RISK-68-001 (owner: Notifications Guild; due: 2025-12-06).
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Tenant header/ABAC contract slips | Blocks WEB-TEN-47-001/48-001/49-001 and delays RBAC enforcement across routes | Lock contract by 2025-12-02; record in `docs/api/gateway/tenant-auth.md`; add blocking status if slip persists | BE-Base Platform Guild | Open |
| Findings Ledger idempotency headers unclear | WEB-VULN-29-002/003 cannot forward workflow actions safely | Obtain contract on 2025-12-04 checkpoint; add retries/backoff defaults once confirmed | Findings Ledger Guild | Open |
| Notifications event schema not finalized | WEB-RISK-68-001 cannot emit severity transition events with trace metadata | Schema review on 2025-12-06; use placeholder event name only after review | Notifications Guild | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template and renamed file from `SPRINT_216_web_v.md` to `SPRINT_0216_0001_0001_web_v.md`; no task status changes. | Project Mgmt |

10
docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md
View File

@@ -7,7 +7,7 @@
## Dependencies & Concurrency
- Upstream: Sprint 140 Runtime Signals, Sprint 185 Replay Core, Sprint 186 Scanner Record Mode, Sprint 187 Evidence & CLI Replay.
- reachbench fixture packs staged at repo root; must be relocated to `tests/reachability/fixtures/` during QA tasks.
- reachbench fixture packs relocated to `tests/reachability/fixtures/`; keep root staging clean and reuse deterministic manifests for CI.
## Documentation Prerequisites
- docs/11_DATA_SCHEMAS.md
@@ -21,21 +21,21 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ZASTAVA-REACH-201-001 | DONE (2025-11-26) | Runtime facts emitter shipped in Observer | Zastava Observer Guild | Implement runtime symbol sampling in `StellaOps.Zastava.Observer` (EntryTrace-aware shell AST + build-id capture) and stream ND-JSON batches to Signals `/runtime-facts`, including CAS pointers for traces. Update runbook + config references. |
| 9 | GAP-ZAS-002 | BLOCKED (2025-11-26) | Align with task 1; runtime NDJSON schema | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint0401 lands ingestion. |
| 2 | SCAN-REACH-201-002 | DONE (2025-11-26) | Schema published: `docs/reachability/runtime-static-union-schema.md` (v0.1). Node + .NET lifters shipped with tests. | Scanner Worker Guild | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. |
| 3 | SIGNALS-REACH-201-003 | DONE (2025-11-25) | Consume schema `docs/reachability/runtime-static-union-schema.md`; wire ingestion + CAS storage. | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
| 4 | SIGNALS-REACH-201-004 | DONE (2025-11-25) | Unblocked by 201-003; scoring engine can proceed using schema v0.1. | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
| 5 | REPLAY-REACH-201-005 | DONE (2025-11-26) | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
| 6 | DOCS-REACH-201-006 | DONE (2025-11-26) | Requires outputs from 15 | Docs Guild | Author the reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
| 7 | QA-REACH-201-007 | DONE (2025-11-25) | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
| 8 | GAP-SCAN-001 | BLOCKED (2025-11-26) | Richgraph-v1 schema not final; Scanner workspace currently dirty, unsafe to land symbolizer changes. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 8 | GAP-SCAN-001 | BLOCKED (2025-11-27) | Richgraph-v1 schema not final; Scanner workspace currently dirty, unsafe to land symbolizer changes. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 9 | GAP-ZAS-002 | DONE (2025-11-26) | Runtime NDJSON emitter merged; config enables callgraph-linked facts | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint0401 lands ingestion. |
| 10 | SIGNALS-UNKNOWN-201-008 | DONE (2025-11-26) | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
| 11 | GRAPH-PURL-201-009 | BLOCKED (2025-11-26) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
| 11 | GRAPH-PURL-201-009 | BLOCKED (2025-11-27) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised Delivery Tracker numbering, removed duplicate GAP-ZAS-002 row, and aligned statuses with Execution Log. | Project Mgmt |
| 2025-11-26 | Validated runtime facts builder: `dotnet test src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj --filter RuntimeFactsBuilderTests` restored and passed; Observer build clean. | Zastava Observer Guild |
| 2025-11-26 | Implemented runtime facts emitter in `StellaOps.Zastava.Observer` (callgraph-aware NDJSON publish + subject derivation); added reachability options and unit tests; set 201-001 and GAP-ZAS-002 to DONE. | Zastava Observer Guild |
| 2025-11-26 | Drafted runtime sampler runbook updates (config knobs, sampler rules, CAS trace pointers) in `docs/runbooks/reachability-runtime.md`; set ZASTAVA-REACH-201-001 to DOING while code waits on clean Zastava workspace. | Zastava Observer Guild |
@@ -61,7 +61,7 @@
## Decisions & Risks
- Schema v0.1 published at `docs/reachability/runtime-static-union-schema.md` (2025-11-23); treat as add-only. Breaking changes require version bump and mirrored updates in Signals/Replay.
- reachbench fixtures not yet relocated into tests tree; QA task 201-007 must complete before CI enablement.
- reachbench fixtures relocated to `tests/reachability/fixtures/` via QA-REACH-201-007; keep deterministic seeds and rerun CI guidance to confirm reproducibility on shared runners.
- Offline posture: ensure reachability pipelines avoid external downloads; rely on sealed/mock bundles.
- Unknowns Registry shipped (201-008): unknowns pressure applied to scoring; monitor schema adjustments from policy team for purl/digest merge (201-009) to avoid churn.
- purl + symbol-digest edge schema (201-009) depends on `richgraph-v1` finalization; may require updates to SBOM resolver and CLI explain flows.

4
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -112,6 +112,7 @@
- Competitive/vision docs updated with reachability moat and vendor comparison; ensure sales/PMM references live in `docs/market/competitive-landscape.md` and `docs/reachability/lead.md`.
## Upcoming Checkpoints
- 2025-12-02 · richgraph-v1 schema/hash alignment (tasks 1, 11, 19) — Scanner, Platform, Replay guilds.
- Schedule go/no-go once Sprint 0400 readiness is confirmed (TBD, Planning).
- Align DSSE predicate review across Authority/Signer/Policy once task 12 schema draft is ready (TBD, Authority Guild).
@@ -120,6 +121,7 @@
| --- | --- | --- | --- | --- | --- |
| 1 | Capture checkpoint dates after Sprint 0400 closure signal. | Planning | TBD | Open | Waiting on Sprint 0400 readiness update. |
| 2 | Confirm CAS hash alignment (BLAKE3 + sha256 addressing) across Scanner/Replay/Signals. | Platform Guild | TBD | Open | Coordinate tasks 1 and 19. |
| 3 | Schedule richgraph-v1 schema/hash alignment and rebaseline sprint dates. | Planning · Platform Guild | 2025-12-02 | Open | Needed to unblock tasks 1, 11, 19 and address elapsed sprint window. |
## Decisions & Risks
- File renamed to `SPRINT_0401_0001_0001_reachability_evidence_chain.md` and normalized to template on 2025-11-22; scope unchanged.
@@ -132,10 +134,12 @@
| R4 | Edge-bundle Rekor volume or bundle count spikes. | Rekor congestion/cost; slower pipelines; CAS bloat. | Cap Rekor publishes per graph (task 54), default to CAS-only for bulk bundles, monitor Signals ingest size; add CI perf guard after task 55. |
| R5 | Bench/dataset tasks start before feed-freeze and schema alignment. | Non-replayable results; wasted bench runs. | Block tasks 5761 on published feed hashes + `richgraph-v1`/Unknowns schema; add gating checklist in task definitions. |
| R6 | Bench/dataset code not materialized (docs only). | Docs drift; no executable evidence for claims. | Tasks 5760 must produce runnable harnesses/fixtures under `docs/benchmarks/**` or `tests/**`; Execution Log to confirm artifact paths. |
| R7 | Sprint window (2025-11-11 → 2025-11-22) elapsed with key tasks still TODO/BLOCKED. | Scope drift and delayed handoff to Sprint 0402 polish. | Rebaseline schedule and checkpoints by 2025-12-02; gate starts on schema/hash decisions; Planning + Platform guilds. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Added R7 for elapsed sprint window, scheduled 2025-12-02 schema/hash alignment checkpoint, and logged Action Tracker item 3; no task status changes. | Project Mgmt |
| 2025-11-27 | Marked GRAPH-CAS-401-001, GAP-SYM-007, SCAN-REACH-401-009, and SCANNER-NATIVE-401-015 BLOCKED pending richgraph schema + Symbols Server contracts. | Project Mgmt |
| 2025-11-27 | Completed AUTH-REACH-401-005: added `StellaOps.Attestation` reference to Authority project; created `AuthoritySignerAdapter` to wrap ICryptoSigner as IAuthoritySigner; created `IAuthorityDsseStatementSigner` interface and `AuthorityDsseStatementSigner` service for signing In-toto statements with Authority's signing keys; service reuses existing DsseHelper.WrapAsync for DSSE envelope creation; fixed null-reference issue in DsseHelper.cs. Rekor mirroring leverages existing Attestor `IRekorClient` infrastructure. | Authority Guild |
| 2025-11-27 | Completed DSSE-LIB-401-020: `StellaOps.Attestation` library now packages Envelope primitives. Added `DsseEnvelopeExtensions.cs` with conversion utilities (`ToSerializableDict`, `FromBase64`, `GetPayloadString`, `GetPayloadBase64`). Envelope types (`DsseEnvelope`, `DsseSignature`, etc.) are exposed as transitive dependencies; consumers only need to reference `StellaOps.Attestation` to access both high-level InToto/DSSE helpers and low-level envelope primitives. Build verified. | Attestor Guild |

16
docs/implplan/SPRINT_0513_0001_0001_public_reachability_benchmark.md
View File

@@ -32,7 +32,7 @@
| 4 | BENCH-CASES-PY-513-004 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · Python Track (`bench/reachability-benchmark/cases/py`) | Create 5-8 Python cases: Flask, Django, FastAPI. Include requirements.txt pinned, pytest oracles, coverage.py output. Delivered 5 cases: unsafe-exec (reachable), guarded-exec (unreachable), flask-template (reachable), fastapi-guarded (unreachable), django-ssti (reachable). |
| 5 | BENCH-CASES-JAVA-513-005 | BLOCKED (2025-11-30) | Depends on 513-002. | Bench Guild · Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Include pom.xml locked, JUnit oracles, JaCoCo coverage. Progress: 2/5 seeded (`spring-deserialize` reachable, `spring-guarded` unreachable); build/test blocked by missing JDK (`javac` not available in runner). |
| 6 | BENCH-CASES-C-513-006 | TODO | Depends on 513-002. | Bench Guild · Native Track (`bench/reachability-benchmark/cases/c`) | Create 3-5 C/ELF cases: small HTTP servers, crypto utilities. Include Makefile, gcov/llvm-cov coverage, deterministic builds (SOURCE_DATE_EPOCH). |
| 7 | BENCH-BUILD-513-007 | DOING | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: added scripts (hash check, deterministic ordering) + README; SBOM/attestation stubs pending. |
| 7 | BENCH-BUILD-513-007 | DOING | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: added scripts (hash check, deterministic ordering) + README; added deterministic SBOM/attestation stubs; real syft/signing still pending. |
| 8 | BENCH-SCORER-513-008 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild (`bench/reachability-benchmark/tools/scorer`) | Implement `rb-score` CLI: load cases/truth, validate submissions, compute precision/recall/F1, explainability score (0-3), runtime stats, determinism rate. |
| 9 | BENCH-EXPLAIN-513-009 | DONE (2025-11-30) | Depends on 513-008. | Bench Guild | Implement explainability scoring rules: 0=no context, 1=path with ≥2 nodes, 2=entry+≥3 nodes, 3=guards/constraints included. Unit tests for each level. |
| 10 | BENCH-BASELINE-SEMGREP-513-010 | TODO | Depends on 513-008 and cases. | Bench Guild | Semgrep baseline runner: `baselines/semgrep/run_case.sh`, rule config, output normalization to submission format. |
@@ -47,12 +47,19 @@
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| W1 Foundation | Bench Guild · DevOps Guild | None | TODO | Tasks 1-2: Repo, schemas. |
| W2 Dataset | Bench Guild (per language track) | W1 complete | TODO | Tasks 3-7: Cases, builds. |
| W3 Scoring | Bench Guild | W1 complete | TODO | Tasks 8-9: Scorer, explainability (parallel with W2). |
| W1 Foundation | Bench Guild · DevOps Guild | None | DONE (2025-11-29) | Tasks 1-2 shipped: repo + schemas. |
| W2 Dataset | Bench Guild (per language track) | W1 complete | DOING | JS/PY cases DONE; Java BLOCKED (JDK); C TODO; builds DOING (SBOM stubs pending). |
| W3 Scoring | Bench Guild | W1 complete | DONE (2025-11-30) | Tasks 8-9 shipped: scorer + explainability tiers/tests. |
| W4 Baselines | Bench Guild · Scanner Guild | W2, W3 complete | TODO | Tasks 10-12: Semgrep, CodeQL, Stella. |
| W5 Publish | All Guilds | W4 complete | TODO | Tasks 13-17: CI, leaderboard, website, docs, launch. |
## Wave Detail Snapshots
- **W1 Foundation (DONE 2025-11-29):** Repo skeleton, licensing, schemas, validators landed; prerequisites satisfied for downstream tracks.
- **W2 Dataset (DOING):** JS/PY tracks complete; Java blocked on JDK>=17 in runner/CI; C track not started; build pipeline scripts exist but need SBOM/attestation stubs.
- **W3 Scoring (DONE 2025-11-30):** `rb-score` CLI, explainability tiers, and tests complete; ready to support baselines.
- **W4 Baselines (TODO):** Semgrep, CodeQL, and Stella runners not started; waiting on dataset/build stability and Sprint 0401 reachability for Stella.
- **W5 Publish (TODO):** CI, leaderboard, website, docs, and launch materials pending completion of baselines and build hardening.
## Interlocks
- Stella Ops baseline (task 12) requires Sprint 0401 reachability to be functional.
- Legal review needed for open-source licensing and third-party tool inclusion.
@@ -98,4 +105,5 @@
| 2025-11-30 | BLOCKED BENCH-CASES-JAVA-513-005: `javac`/JDK not available in runner; Java builds/tests cannot execute. Need JDK (>=17) in CI/runner before unblocking. | Implementer |
| 2025-11-30 | BENCH-EXPLAIN-513-009 DONE: added explainability tier tests (03) to scorer; tiers already implemented (guards→3, entry+path>=3→2, path>=2→1, else 0). | Implementer |
| 2025-11-30 | BENCH-BUILD-513-007 DOING: added `tools/build/build_all.py` and `tools/build/validate_builds.py` for deterministic builds and hash checks; SBOM/attestation stubs still pending. | Implementer |
| 2025-11-30 | Normalised sprint doc to template: updated wave statuses to reflect task reality and added Wave Detail Snapshots. | PM |
| 2025-11-30 | BENCH-BUILD-513-007: build_all/validate_builds run; all JS/PY cases deterministic, Java cases fail due to missing `javac` (same blocker as task 5). | Implementer |

81
docs/implplan/SPRINT_187_evidence_locker_cli_integration.md
View File

@@ -1,33 +1,60 @@
# Sprint 187 - Replay Delivery · 187.A) Evidence Locker & CLI Integration
# Sprint 0187-0001-0001 · Evidence Locker & CLI Integration (Replay Delivery 187.A)
[Replay Delivery] 187.A) Evidence Locker & CLI Integration
Depends on: Sprint 186 Scanner Record Mode, Sprint 160 Export & Evidence, Sprint 180 Experience & SDKs
Summary: Persist replay bundles in Evidence Locker, expose ledger-backed verification, and ship offline-ready CLI workflows.
## Topic & Scope
- Persist replay bundles in Evidence Locker, expose ledger-backed verification, and ship offline-ready CLI workflows.
- Cover ingestion/retention APIs, CLI replay/verify/diff commands, attestor anchoring, ops runbook, and validation harness.
- **Working directory:** `docs/implplan` (coordination); code paths: `src/EvidenceLocker`, `src/Cli`, `src/Attestor`, `docs/**`.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EVID-REPLAY-187-001 | TODO | Implement replay bundle ingestion/retention APIs in Evidence Locker (WebService + Worker) and document storage/retention rules in `docs/modules/evidence-locker/architecture.md`, referencing `docs/replay/DETERMINISTIC_REPLAY.md` Sections 2 & 8. | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`)
CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update `docs/modules/cli/architecture.md` and add a replay commands appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`)
ATTEST-REPLAY-187-003 | TODO | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend `docs/modules/attestor/architecture.md` with a replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`)
RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay specification summary. | Docs Guild, Ops Guild (`docs`)
VALIDATE-BUNDLE-187-005 | TODO | Deliver `VALIDATION_PLAN.md`, harness scripts (A/B quiet vs baseline, provenance bundle export), and a `stella bundle verify` CLI subcommand that checks DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits. | QA Guild · CLI Guild · Docs Guild (`docs/validation`, `scripts/validation`, `src/Cli/StellaOps.Cli`)
EVID-CRYPTO-90-001 | TODO | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` so sovereign profiles (e.g., `ru-offline`) can swap providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Evidence Locker Guild, Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`)
## Dependencies & Concurrency
- Upstream: Sprint 0186 (Scanner Record Mode) payload stability; Sprint 0160/0161 EvidenceLocker schema freeze; Orchestrator/Notifications capsules.
- Sovereign crypto readiness review (2025-11-18) must approve provider registry usage.
- Concurrency: run tasks after EvidenceLocker API/schema freeze; Attestor/CLI depend on EvidenceLocker APIs; validation harness last.
> 2025-11-03: `/docs/runbooks/replay_ops.md` created — Evidence Locker, CLI, Attestor teams can transition replay delivery tasks to **DOING** alongside Ops runbook rehearsals.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/evidence-locker/architecture.md
- docs/modules/cli/architecture.md
- docs/modules/attestor/architecture.md
- docs/replay/DETERMINISTIC_REPLAY.md
## Task snapshot (2025-11-12)
- EvidenceLocker: `EVID-REPLAY-187-001` (replay ingestion/retention) and `EVID-CRYPTO-90-001` (sovereign crypto).
- CLI/Docs: `CLI-REPLAY-187-002` plus `RUNBOOK-REPLAY-187-004` ensure offline workflows + ops readiness.
- Attestor: `RUNBOOK-REPLAY-187-003` documents replay ledger integration with DSSE/attest flows.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EVID-REPLAY-187-001 | BLOCKED (2025-11-30) | Blocked by Scanner record payload + EvidenceLocker schema freeze (Sprint 0161) and orchestrator capsules. | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`) | Implement replay bundle ingestion/retention APIs in Evidence Locker (WebService + Worker) and document storage/retention rules in `docs/modules/evidence-locker/architecture.md`, referencing `docs/replay/DETERMINISTIC_REPLAY.md` §§2,8. |
| 2 | CLI-REPLAY-187-002 | BLOCKED (2025-11-30) | Blocked by 187-001 API schema freeze and Scanner record payloads. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`) | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update CLI architecture and replay appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. |
| 3 | ATTEST-REPLAY-187-003 | BLOCKED (2025-11-30) | Blocked by 187-001; needs EvidenceLocker manifest schema for anchoring. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`) | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend Attestor architecture with replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` §9. |
| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED (2025-11-30) | Blocked by 187-001/002 outputs to document final workflows. | Docs Guild · Ops Guild (`docs/runbooks/replay_ops.md`) | Publish replay ops runbook covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay spec summary. |
| 5 | VALIDATE-BUNDLE-187-005 | BLOCKED (2025-11-30) | Blocked by 187-001/002 schema and attestor anchoring decisions. | QA Guild · CLI Guild · Docs Guild (`docs/validation`, `scripts/validation`, `src/Cli/StellaOps.Cli`) | Deliver `VALIDATION_PLAN.md`, harness scripts (A/B quiet vs baseline, provenance bundle export), and `stella bundle verify` CLI subcommand that checks DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits. |
| 6 | EVID-CRYPTO-90-001 | BLOCKED (2025-11-30) | Await crypto registry readiness signal (Nov-18 review) and EvidenceLocker schema alignment. | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` per `docs/security/crypto-routing-audit-2025-11-07.md`. |
## Dependencies & blockers
- Tied to Sprint 160 wave progress (EvidenceLocker DSSE schema + orchestrator capsule events).
- Requires Scanner Record Mode (Sprint 186) payload stability to drive replay ingestion.
- CLI/Attestor work depends on EvidenceLocker API schema freeze.
- Sovereign crypto readiness review on 2025-11-18 must approve provider registry usage.
## Interlocks & Readiness Signals
| Dependency | Impacts | Status / Next signal |
| --- | --- | --- |
| Scanner record payload/schema (Sprint 0186) | Tasks 15 | Pending; need stable replay manifest and bundle layout to proceed. |
| EvidenceLocker DSSE/manifest schema (Sprint 0161) + orchestrator/notification capsules | Tasks 15 | Pending; require frozen schema/envelopes. |
| Sovereign crypto routing review (2025-11-18) | Task 6 | Pending confirmation of provider registry usage. |
## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Pull stable replay bundle sample from Scanner (Sprint 0186) and attach to sprint doc. | Evidence Locker Guild | 2025-12-03 | OPEN |
| 2 | Capture EvidenceLocker replay API draft (paths, payloads) once schema freezes and link here. | Evidence Locker Guild | 2025-12-04 | OPEN |
| 3 | Align CLI command surface with replay API/manifest sample; note offline behaviors. | DevEx/CLI Guild | 2025-12-05 | OPEN |
| 4 | Add validation harness outline with DSSE/Rekor/SBOM/policy checks tied to replay bundle sample. | QA Guild | 2025-12-05 | OPEN |
## Decisions & Risks
| Risk / Decision | Impact | Mitigation / Next Step | Status |
| --- | --- | --- | --- |
| Replay payloads/schemas not yet frozen (Scanner 0186, EvidenceLocker 0161). | Blocks all 187 tasks. | Track Actions 12; keep tasks BLOCKED until sample + schema land. | OPEN |
| CLI surface cannot be finalized without replay manifest structure. | Blocks CLI-REPLAY-187-002 and VALIDATE-BUNDLE-187-005. | Action 3; attach schema once available. | OPEN |
| Validation harness depends on attestor anchoring flow. | Blocks VALIDATE-BUNDLE-187-005. | Align after Actions 13; keep BLOCKED. | OPEN |
| Sovereign crypto routing not confirmed for replay bundles. | Blocks EVID-CRYPTO-90-001. | Await 2025-11-18 review outcome; mirror decisions into EvidenceLocker options. | OPEN |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized sprint to standard template; set all tasks to BLOCKED pending Scanner/EvidenceLocker schema and crypto readiness; added interlocks/actions/risks. | Implementer |
| 2025-11-03 | `/docs/runbooks/replay_ops.md` created — teams may start ops rehearsal once schemas land. | Ops Guild |
## Ready-to-start checklist
1. Capture sample replay bundle payloads from Scanner record mode for CLI + Attestor reference.
2. Align EvidenceLocker API design with Replay Delivery + Ops teams, documenting endpoints before coding.
3. Schedule joint review covering `/docs/runbooks/replay_ops.md` with EvidenceLocker, CLI, Attestor, Ops.
4. Confirm `ICryptoProviderRegistry` coverage for replay bundle signing/encryption ahead of the Nov-18 review.

75
docs/implplan/SPRINT_200_experience_sdks.md
View File

@@ -1,16 +1,71 @@
# Sprint 200 - Experience & SDKs
# Sprint 0200-0001-0001 · Experience & SDKs Snapshot
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Snapshot of Experience & SDKs stream (waves 180.AF); active backlog now lives in later sprints (201+).
- Maintain visibility of wave readiness while upstream dependencies land.
- **Working directory:** `docs/implplan` (coordination only).
This file now only tracks the Experience & SDKs status snapshot. Active backlog lives in Sprint 201 and later files.
## Dependencies & Concurrency
- Upstream gating sprints: 120.A (AirGap), 130.A (Scanner), 150.A (Orchestrator), 170.A (Notifier), 141 (Graph Indexer for 180.C).
- All waves remain TODO until upstream APIs/contracts finalize; no concurrent execution planned.
## Wave coordination
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/implplan/AGENTS.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXP-SNAPSHOT-200 | TODO | Keep wave readiness current; migrate active items to sprint 201+. | Project Mgmt · Experience Guild | Maintain Experience & SDKs status snapshot; no implementation tracked here. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 180.A CLI | DevEx/CLI Guild · Advisory AI Guild (for CLI verbs) · Evidence Locker Guild | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Commands stay blocked on orchestrator + notifier scopes; finalize auth/output scaffolding so we can flip to DOING quickly. |
| 180.B DevPortal | Developer Portal Guild · SDK Generator Guild · Platform Guild | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Static site generator selection is pending; coordinate with CLI/SDK teams for shared examples. |
| 180.C Graph Experiences (CLI/SDK) | Graph Guild · SDK Generator Guild · Policy Guild | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Wait on Graph Indexer APIs from Sprint 141 before wiring SDK quickstarts. |
| 180.D SDK | SDK Generator Guild · Service Guilds providing OpenAPI | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Downstream of orchestrator/export OAS consolidation; keep templates updated. |
| 180.E UI | UI Guild · Console Guild · Notifications Guild | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Exception center & graph canvas rely on policy/graph APIs; hold until upstream signals stabilize. |
| 180.F Web | BE-Base Platform Guild · Platform Events Guild · Notifications Guild | Sprint 120.A AirGap; Sprint 130.A Scanner; Sprint 150.A Orchestrator; Sprint 170.A Notifier | TODO | Gateway routing can start once AdvisoryAI/Export endpoints finalize; prepare guard helpers now. |
| 180.A CLI | DevEx/CLI Guild · Advisory AI Guild · Evidence Locker Guild | Sprint 120.A AirGap; 130.A Scanner; 150.A Orchestrator; 170.A Notifier | TODO | Commands blocked on orchestrator + notifier scopes; finalize auth/output scaffolding to flip to DOING. |
| 180.B DevPortal | Developer Portal Guild · SDK Generator Guild · Platform Guild | Same as above | TODO | Static site generator selection pending; align examples with CLI/SDK teams. |
| 180.C Graph Experiences (CLI/SDK) | Graph Guild · SDK Generator Guild · Policy Guild | Same as above + Sprint 141 Graph Indexer APIs | TODO | Wait on Graph Indexer APIs before wiring SDK quickstarts. |
| 180.D SDK | SDK Generator Guild · Service Guilds providing OpenAPI | Same as above | TODO | Downstream of orchestrator/export OAS consolidation; keep templates updated. |
| 180.E UI | UI Guild · Console Guild · Notifications Guild | Same as above | TODO | Exception center & graph canvas rely on policy/graph APIs; hold until upstream signals stabilize. |
| 180.F Web | BE-Base Platform Guild · Platform Events Guild · Notifications Guild | Same as above | TODO | Gateway routing can start once AdvisoryAI/Export endpoints finalize; prepare guard helpers now. |
## Wave Detail Snapshots
| Wave | Entry criteria | Exit evidence | Notes |
| --- | --- | --- | --- |
| 180.A CLI | Orchestrator + Notifier scopes finalized; auth/output scaffolding approved. | CLI verbs implemented for new scopes; determinism tests passing; docs synced. | Track in Sprint 201+. |
| 180.B DevPortal | Static site generator chosen; shared examples sourced; platform routing approved. | DevPortal sections published with examples; CI build green. | Track in Sprint 201+. |
| 180.C Graph Exp | Graph Indexer APIs (Sprint 141) stable; policy contracts approved. | SDK/CLI quickstarts for graph queries published; regression tests passing. | Track in Sprint 201+. |
| 180.D SDK | Consolidated OAS from services published; SDK templates refreshed. | SDKs generated with pinned versions and offline bundles; smoke tests pass. | Track in Sprint 201+. |
| 180.E UI | Policy/graph APIs stable; notifier integration contract signed. | Exception center & graph canvas shipped behind feature flag; UX docs updated. | Track in Sprint 201+. |
| 180.F Web | AdvisoryAI/Export endpoints finalized; gateway guard helpers ready. | Web gateway routing committed with guards; incident/webhook paths tested. | Track in Sprint 201+. |
## Interlocks
- Orchestrator + Notifier scopes for CLI verbs.
- Graph Indexer API availability (Sprint 141) for 180.C.
- OAS consolidation for SDK generation (180.D).
- Platform routing/guards for Web/UI experiences (180.E/F).
## Upcoming Checkpoints
- 2025-12-07 · Review upstream sprint signals (141/150/170) and decide which waves move to Sprint 201.
## Action Tracker
| ID | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| AT-01 | Collect upstream readiness signals (141/150/170) and propose Sprint 201 wave starts. | Project Mgmt | 2025-12-07 | TODO | Source signals from sprint execution logs. |
| AT-02 | Confirm static site generator choice for DevPortal wave. | DevPortal Guild | 2025-12-07 | TODO | Needed before moving wave 180.B to DOING. |
## Decisions & Risks
- Experience waves remain paused pending upstream API/contracts; track readiness rather than implementation here.
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Upstream Orchestrator/Notifier scopes slip. | Delays CLI/Web experience delivery. | Pull scope signals weekly; shift to Sprint 201 once stable. | Project Mgmt | OPEN |
| Graph Indexer APIs unstable. | SDK/CLI graph quickstarts would rework. | Gate 180.C until Sprint 141 publishes stable APIs. | Project Mgmt | OPEN |
| DevPortal generator choice stalls content. | Docs/SDK examples miss deadlines. | AT-02 to choose generator; reuse CLI/SDK examples for consistency. | DevPortal Guild | OPEN |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalized to docs/implplan template; added delivery tracker placeholder, wave details, interlocks, actions, risks. | Project Mgmt |
| 2025-11-08 | Archived completed items to `docs/implplan/archived/tasks.md`; file now tracks status snapshot only. | Project Mgmt |

27
docs/implplan/SPRINT_202_cli_ii.md
View File

@@ -1,26 +1,5 @@
# Sprint 202 - Experience & SDKs · 180.A) Cli.II
# Redirect Notice · Sprint 202
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
This sprint was normalized and renamed to `docs/implplan/SPRINT_0202_0001_0001_cli_ii.md` (2025-11-30).
[Experience & SDKs] 180.A) Cli.II
Depends on: Sprint 180.A - Cli.I
Summary: Experience & SDKs focus on Cli (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-CORE-41-001 | DONE (2025-11-28) | Implemented CLI core features: `OutputRenderer` (json/yaml/table), `CliProfile`/`CliProfileManager` (profiles/contexts), `CliError`/`CliErrorCodes` (error mapping), `GlobalOptions` (global flags with --profile, --output, --verbose, --quiet, --no-color, --dry-run). Config precedence already exists in `CliBootstrapper`. Auth flows already exist via `StellaOps.Auth.Client`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-EXC-25-001 | DONE (2025-11-28) | Implemented `stella exceptions list/show/create/promote/revoke/import/export` commands for exception governance. Created `ExceptionModels.cs` with full models for exception instances, scopes, effects, evidence refs, lifecycle states (draft/staged/active/expired/revoked), and request/response types. Created `IExceptionClient.cs` interface and `ExceptionClient.cs` HTTP client with token caching for all CRUD operations plus import/export. Added command handlers with JSON/table output, status-colored rendering, verbose mode with evidence/approval details, and `ERR_EXC_*` error codes (exit code 16). | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-EXC-25-002 | DONE (2025-11-28) | Extended `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Added repeatable options for exception IDs, validation to prevent overlapping IDs in both lists, verbose logging of exception preview mode, and OpenTelemetry tracing of exception counts. Updated `PolicySimulationInput` record with optional `WithExceptions`/`WithoutExceptions` fields. Dependencies: CLI-EXC-25-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Implement `stella export profiles | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-EXPORT-36-001 | TODO | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-EXPORT-37-001 | TODO | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-FORENSICS-53-001 | DONE (2025-11-28) | Implemented `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs. Created `ForensicSnapshotModels.cs` with full document/manifest/artifact models, `IForensicSnapshotClient.cs` interface, `ForensicSnapshotClient.cs` HTTP client with token caching, and command handlers in `CommandHandlers.cs` with JSON/table output. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli)
CLI-FORENSICS-54-001 | DONE (2025-11-28) | Implemented `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Created `ForensicVerificationModels.cs` with verification result models, `IForensicVerifier.cs` interface, `ForensicVerifier.cs` with SHA256/384/512 checksum verification, RSA-PSS signature verification, and chain-of-custody timeline validation. Added `ERR_FORENSIC_*` error codes (exit code 12), JSON/pretty output, and verbose mode with detailed tables. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
CLI-FORENSICS-54-002 | DONE (2025-11-28) | Implemented `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Created `AttestationModels.cs` with DSSE/in-toto models, `IAttestationReader.cs` interface, `AttestationReader.cs` with PAE encoding, RSA-PSS verification, predicate parsing (SLSA/VEX), and rich console output with subject/signature tables. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
CLI-PROMO-70-001 | DONE (2025-11-28) | Implemented `stella promotion assemble` command that resolves image digests (via crane/cosign), hashes SBOM/VEX artifacts with format detection (CycloneDX/SPDX, OpenVEX/CSAF), and emits the `stella.ops/promotion@v1` JSON payload. Created `PromotionModels.cs` with full predicate/subject/material/metadata models, `IPromotionAssembler.cs` interface, `PromotionAssembler.cs` with image digest resolution, SHA256 file hashing, SBOM/VEX format detection, and JSON output. Command supports `--image`, `--sbom`, `--vex`, `--from/--to` environment, `--actor`, `--ticket`, `--notes`, `--skip-rekor`, and `--output` options. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
CLI-DETER-70-003 | DONE (2025-11-28) | Implemented `stella detscore run` command that executes the determinism harness locally with fixed clock, seeded RNG, and canonical hashes. Created `DeterminismModels.cs` with manifest/request/result models per SCAN-DETER-186-010 schema, `IDeterminismHarness.cs` interface, `DeterminismHarness.cs` with Docker container execution, SHA256 artifact hashing, score calculation, and threshold verification. Command supports `--image`, `--scanner`, `--policy-bundle`, `--feeds-bundle`, `--runs`, `--fixed-clock`, `--rng-seed`, `--max-concurrency`, `--memory`, `--cpuset`, `--platform`, `--image-threshold`, `--overall-threshold`, `--output-dir`, `--release`, and `--json` options. Added `ERR_DETER_*` error codes (exit code 13). | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli)
CLI-LNM-22-001 | DONE (2025-11-28) | Implemented `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, conflict display, and `ERR_AGG_*` error code mapping. Added `AdvisoryLinksetModels.cs` with OSV format support, extended `IConcelierObservationsClient` with `GetLinksetAsync`/`GetObservationByIdAsync`, and added command handlers for all three subcommands. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-LNM-22-002 | DONE (2025-11-28) | Implemented `stella vex obs get/linkset show` commands with product/status/provider filters, pagination, and JSON output for CI usage. Created `VexObservationModels.cs` with query/response/linkset models, `IVexObservationsClient.cs` interface, `VexObservationsClient.cs` HTTP client with VexRead scope, and command handlers with rich table output, conflict detection, and aggregate summaries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Implement `stella notify rules | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-NOTIFY-40-001 | TODO | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
CLI-OBS-50-001 | DONE (2025-11-28) | Implemented `TraceparentHttpMessageHandler` that propagates W3C Trace Context headers for all HTTP requests, logs correlation IDs on failure, records trace IDs in verbose logs (scrubbed), and includes `AddTraceparentPropagation()` extension method for IHttpClientBuilder. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
Please edit the canonical file only. This legacy filename is retained to prevent divergent updates.

32
docs/implplan/SPRINT_210_ui_ii.md
View File

@@ -1,32 +0,0 @@
# Sprint 210 - Experience & SDKs · 180.E) UI.II
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Experience & SDKs] 180.E) UI.II
Depends on: Sprint 180.E - UI.I
Summary: Experience & SDKs focus on UI (phase II).
## Related Sprints & Advisories
- **SPRINT_0215_0001_0001_vuln_triage_ux.md** - Comprehensive vulnerability triage UX with VEX-first decisioning
- **Advisory:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
- **Schemas:** `docs/schemas/vex-decision.schema.json`, `docs/schemas/audit-bundle-index.schema.json`
Note: UI-LNM-22-003 (VEX tab) should align with VEX decision model defined in SPRINT_0215. The VEX modal and decision workflows are detailed in the new sprint.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
UI-LNM-22-002 | TODO | Implement filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination/lazy loading for large linksets. Docs depend on finalized filtering UX. Dependencies: UI-LNM-22-001. | UI Guild (src/UI/StellaOps.UI)
UI-LNM-22-003 | TODO | Add VEX tab with status/justification summaries, conflict indicators, and export actions. Required for `DOCS-LNM-22-005` coverage of VEX evidence tab. Dependencies: UI-LNM-22-002. | UI Guild, Excititor Guild (src/UI/StellaOps.UI)
UI-LNM-22-004 | TODO | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. Dependencies: UI-LNM-22-003. | UI Guild (src/UI/StellaOps.UI)
UI-ORCH-32-001 | TODO | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. | UI Guild, Console Guild (src/UI/StellaOps.UI)
UI-POLICY-13-007 | TODO | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-20-001 | TODO | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. Dependencies: UI-POLICY-13-007. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-20-002 | TODO | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. Dependencies: UI-POLICY-20-001. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-20-003 | TODO | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). Dependencies: UI-POLICY-20-002. | UI Guild, Product Ops (src/UI/StellaOps.UI)
UI-POLICY-20-004 | TODO | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. Dependencies: UI-POLICY-20-003. | UI Guild, Observability Guild (src/UI/StellaOps.UI)
UI-POLICY-23-001 | TODO | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. Dependencies: UI-POLICY-20-004. | UI Guild, Policy Guild (src/UI/StellaOps.UI)
UI-POLICY-23-002 | TODO | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. Dependencies: UI-POLICY-23-001. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-23-003 | TODO | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. Dependencies: UI-POLICY-23-002. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-23-004 | TODO | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. Dependencies: UI-POLICY-23-003. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-23-005 | TODO | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. Dependencies: UI-POLICY-23-004. | UI Guild (src/UI/StellaOps.UI)
UI-POLICY-23-006 | TODO | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. Dependencies: UI-POLICY-23-005. | UI Guild (src/UI/StellaOps.UI)

14
docs/implplan/SPRINT_211_ui_iii.md
View File

@@ -1,14 +0,0 @@
# Sprint 211 - Experience & SDKs · 180.E) UI.III
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Experience & SDKs] 180.E) UI.III
Depends on: Sprint 180.E - UI.II
Summary: Experience & SDKs focus on UI (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
UI-POLICY-27-001 | TODO | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. Dependencies: UI-POLICY-23-006. | UI Guild, Product Ops (src/UI/StellaOps.UI)
UI-SIG-26-001 | TODO | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | UI Guild, Signals Guild (src/UI/StellaOps.UI)
UI-SIG-26-002 | TODO | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. Dependencies: UI-SIG-26-001. | UI Guild (src/UI/StellaOps.UI)
UI-SIG-26-003 | TODO | Add reachability overlay halos/time slider to SBOM Graph along with state legend. Dependencies: UI-SIG-26-002. | UI Guild (src/UI/StellaOps.UI)
UI-SIG-26-004 | TODO | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. Dependencies: UI-SIG-26-003. | UI Guild (src/UI/StellaOps.UI)

25
docs/implplan/SPRINT_213_web_ii.md
View File

@@ -1,25 +0,0 @@
# Sprint 213 - Experience & SDKs · 180.F) Web.II
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Experience & SDKs] 180.F) Web.II
Depends on: Sprint 180.F - Web.I
Summary: Experience & SDKs focus on Web (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-EXC-25-002 `Policy integration surfaces` | TODO | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-EXC-25-003 `Notifications & events` | TODO | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. Dependencies: WEB-EXC-25-002. | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web)
WEB-EXPORT-35-001 `Export routing` | TODO | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-EXPORT-36-001 `Distribution endpoints` | TODO | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-EXPORT-37-001 `Scheduling & verification` | TODO | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. Dependencies: WEB-EXPORT-36-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-SPEC-21-000 `Graph API/overlay spec drop` | BLOCKED | Draft stub exists; awaiting Graph Platform ratification of overlay format and cache schema. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-21-001 `Graph endpoints` | BLOCKED | Depends on ratified spec `WEB-GRAPH-SPEC-21-000`. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-21-002 `Request validation` | BLOCKED | Depends on WEB-GRAPH-21-001 and final overlay schema. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-21-003 `Error mapping & exports` | TODO | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, document rate limits. Dependencies: WEB-GRAPH-21-002. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web)
WEB-GRAPH-21-004 `Overlay pass-through` | TODO | Proxy Policy Engine overlays while keeping gateway stateless; maintain streaming budgets. Dependencies: WEB-GRAPH-21-003. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
WEB-GRAPH-24-001 `Gateway proxy refresh` | TODO | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-24-001 `Graph endpoints` | TODO | Implement `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping while acting as a pure proxy. Dependencies: WEB-GRAPH-24-001. | BE-Base Platform Guild, SBOM Service Guild (src/Web/StellaOps.Web)
WEB-GRAPH-24-004 `AOC enrichers` | TODO | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-GRAPH-24-004 `Telemetry aggregation` | TODO | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. Dependencies: WEB-GRAPH-24-004. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web)
WEB-LNM-21-001 `Advisory observation endpoints` | TODO | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web)
WEB-LNM-21-002 `VEX observation endpoints` | TODO | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. Dependencies: WEB-LNM-21-001. | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web)

24
docs/implplan/SPRINT_214_web_iii.md
View File

@@ -1,24 +0,0 @@
# Sprint 214 - Experience & SDKs · 180.F) Web.III
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Experience & SDKs] 180.F) Web.III
Depends on: Sprint 180.F - Web.II
Summary: Experience & SDKs focus on Web (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-LNM-21-003 `Policy evidence aggregation` | TODO | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
WEB-NOTIFY-38-001 `Gateway routing` | TODO | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-NOTIFY-39-001 `Digest & simulation endpoints` | TODO | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-NOTIFY-40-001 `Escalations & localization` | TODO | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OAS-61-001 `Discovery endpoint` | TODO | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OAS-61-002 `Standard error envelope` | TODO | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. Dependencies: WEB-OAS-61-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OAS-62-001 `Pagination & idempotency alignment` | TODO | Normalize all endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. Dependencies: WEB-OAS-61-002. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OAS-63-001 `Deprecation support` | TODO | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. Dependencies: WEB-OAS-62-001. | BE-Base Platform Guild, API Governance Guild (src/Web/StellaOps.Web)
WEB-OBS-50-001 `Telemetry core adoption` | TODO | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web)
WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/health` and `/obs/slo` aggregations, pulling metrics from Prometheus/collector APIs, including burn-rate signals and exemplar links for Console widgets. Dependencies: WEB-OBS-50-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OBS-52-001 `Trace & log proxies` | TODO | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. Dependencies: WEB-OBS-51-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OBS-54-001 `Evidence & attestation bridges` | TODO | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. Dependencies: WEB-OBS-52-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-OBS-55-001 `Incident mode controls` | TODO | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. Dependencies: WEB-OBS-54-001. | BE-Base Platform Guild, Ops Guild (src/Web/StellaOps.Web)
WEB-OBS-56-001 `Sealed status surfaces` | TODO | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web)
WEB-ORCH-32-001 `Read-only routing` | TODO | Expose `/orchestrator/sources | BE-Base Platform Guild (src/Web/StellaOps.Web)

24
docs/implplan/SPRINT_216_web_v.md
View File

@@ -1,24 +0,0 @@
# Sprint 216 - Experience & SDKs · 180.F) Web.V
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Experience & SDKs] 180.F) Web.V
Depends on: Sprint 180.F - Web.IV
Summary: Experience & SDKs focus on Web (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-RISK-66-001 `Risk API routing` | TODO | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
WEB-RISK-66-002 `Explainability downloads` | TODO | Add signed URL handling for explanation blobs and enforce scope checks. Dependencies: WEB-RISK-66-001. | BE-Base Platform Guild, Risk Engine Guild (src/Web/StellaOps.Web)
WEB-RISK-67-001 `Risk status endpoint` | TODO | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). Dependencies: WEB-RISK-66-002. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-RISK-68-001 `Notification hooks` | TODO | Emit events on severity transitions via gateway to notifier bus with trace metadata. Dependencies: WEB-RISK-67-001. | BE-Base Platform Guild, Notifications Guild (src/Web/StellaOps.Web)
WEB-SIG-26-001 `Signals proxy endpoints` | TODO | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. | BE-Base Platform Guild, Signals Guild (src/Web/StellaOps.Web)
WEB-SIG-26-002 `Reachability joins` | TODO | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. Dependencies: WEB-SIG-26-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-SIG-26-003 `Simulation hooks` | TODO | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. Dependencies: WEB-SIG-26-002. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-TEN-47-001 `Auth middleware` | TODO | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-TEN-48-001 `Tenant context propagation` | TODO | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. Dependencies: WEB-TEN-47-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-TEN-49-001 `ABAC & audit API` | TODO | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. Dependencies: WEB-TEN-48-001. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
WEB-VEX-30-007 `VEX consensus routing` | TODO | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web)
WEB-VULN-29-001 `Vuln API routing` | TODO | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-VULN-29-002 `Ledger proxy headers` | TODO | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. Dependencies: WEB-VULN-29-001. | BE-Base Platform Guild, Findings Ledger Guild (src/Web/StellaOps.Web)
WEB-VULN-29-003 `Simulation + export routing` | TODO | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. Dependencies: WEB-VULN-29-002. | BE-Base Platform Guild (src/Web/StellaOps.Web)
WEB-VULN-29-004 `Telemetry aggregation` | TODO | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. Dependencies: WEB-VULN-29-003. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web)

53
docs/implplan/SPRINT_3401_0001_0001_postgres_authority.md
View File

@@ -39,26 +39,42 @@
| 16 | PG-T1.6.2 | DONE | Completed 2025-11-29 | Authority Guild | Implement `IAuditRepository` |
| 17 | PG-T1.7 | DONE | Completed 2025-11-29 | Authority Guild | Add configuration switch in `ServiceCollectionExtensions` |
| 18 | PG-T1.8.1 | DONE | Completed 2025-11-29 | Authority Guild | Write integration tests for all repositories |
| 19 | PG-T1.8.2 | TODO | Depends on PG-T1.8.1 | Authority Guild | Write determinism tests for token generation |
| 20 | PG-T1.9 | TODO | Depends on PG-T1.8 | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
| 21 | PG-T1.10 | TODO | Depends on PG-T1.8 | Authority Guild | Run backfill from MongoDB to PostgreSQL |
| 22 | PG-T1.11 | TODO | Depends on PG-T1.10 | Authority Guild | Verify data integrity: row counts, checksums |
| 23 | PG-T1.12 | TODO | Depends on PG-T1.11 | Authority Guild | Switch Authority to PostgreSQL-only |
| 19 | PG-T1.8.2 | TODO | Depends on PG-T1.8.1; blocked pending AGENTS for working dir | Authority Guild | Write determinism tests for token generation |
| 20 | PG-T1.9 | TODO | Depends on PG-T1.8; blocked pending AGENTS for working dir | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
| 21 | PG-T1.10 | TODO | Depends on PG-T1.8; blocked pending AGENTS for working dir | Authority Guild | Run backfill from MongoDB to PostgreSQL |
| 22 | PG-T1.11 | TODO | Depends on PG-T1.10; blocked pending AGENTS for working dir | Authority Guild | Verify data integrity: row counts, checksums |
| 23 | PG-T1.12 | TODO | Depends on PG-T1.11; blocked pending AGENTS for working dir | Authority Guild | Switch Authority to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T1.1 through PG-T1.6.2) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T1.7) | Claude |
| 2025-11-29 | Integration tests created for all repositories (PG-T1.8.1) | Claude |
## Wave Coordination
- Single-wave sprint (Phase 1). Downstream phases 24 proceed independently once Phase 0 foundations verified.
## Wave Detail Snapshots
- **Phase 1 (current):** Storage project, schema, repositories, and integration tests completed; determinism tests and cutover steps remain.
## Interlocks
- Alignment with Scheduler (Phase 2) for shared tenant/user references before cutover.
- Requires Phase 0 foundations artifacts for migrations and shared abstractions.
- AGENTS file missing for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres`; implementers should not start new work until created.
## Action Tracker
| Item | Status | Owner | Next step |
| --- | --- | --- | --- |
| Create AGENTS.md for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres` | TODO | Authority PM | Draft minimal charter (roles, prerequisites, test rules) so remaining tasks can move to DOING |
| Plan dual-write verification harness for Tier A data | TODO | Authority Guild | Define wrapper and metrics for PG-T1.9; capture in docs/db/tasks/PHASE_1_AUTHORITY.md |
## Decisions & Risks
**Design decisions**
- Password hashes stored as TEXT; Argon2id parameters in separate columns.
- Token expiry uses `TIMESTAMPTZ` for timezone-aware comparisons.
- Audit log may grow large; consider partitioning by `created_at` in production.
- Dual-write mode optional but recommended for Tier A data verification.
**Risks**
| Risk | Impact | Mitigation |
| --- | --- | --- |
| Audit log growth without partitioning | Large tables degrade query latency | Add time-based partitioning before production cutover (post Phase 1 hardening) |
| Missing AGENTS for working directory | Implementers cannot start PG-T1.8.2+ per charter rules | Create AGENTS.md (see Action Tracker) and link from sprint once published |
| Cutover without determinism tests | Token issuance non-deterministic across dual-write | Complete PG-T1.8.2 determinism tests before PG-T1.9PG-T1.12 |
## Exit Criteria
- [ ] All 12+ repository interfaces implemented
- [ ] Schema migrations idempotent and tested
@@ -66,8 +82,17 @@
- [ ] Data backfill completed and verified
- [ ] Authority running on PostgreSQL in staging
## Next Checkpoints
## Upcoming Checkpoints
- Coordinate with Phase 2 (Scheduler) for any shared user/tenant references.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T1.1 through PG-T1.6.2) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T1.7) | Claude |
| 2025-11-29 | Integration tests created for all repositories (PG-T1.8.1) | Claude |
| 2025-11-30 | Normalised sprint to docs/implplan template; added interlocks/action tracker; flagged missing AGENTS for working dir | Codex |
---
*Reference: docs/db/tasks/PHASE_1_AUTHORITY.md*

8
docs/implplan/SPRINT_3402_0001_0001_postgres_scheduler.md
View File

@@ -37,8 +37,8 @@
| 14 | PG-T2.6.2 | DONE | Completed 2025-11-29 | Scheduler Guild | Implement `IMetricsRepository` |
| 15 | PG-T2.7 | DONE | Completed 2025-11-29 | Scheduler Guild | Add configuration switch in `ServiceCollectionExtensions` |
| 16 | PG-T2.8.1 | DONE | Completed 2025-11-29 | Scheduler Guild | Write integration tests for job queue operations |
| 17 | PG-T2.8.2 | TODO | Depends on PG-T2.8.1 | Scheduler Guild | Write determinism tests for trigger calculations |
| 18 | PG-T2.8.3 | TODO | Depends on PG-T2.8.1 | Scheduler Guild | Write concurrency tests for distributed locking |
| 17 | PG-T2.8.2 | DONE | Completed 2025-11-30 | Scheduler Guild | Write determinism tests for trigger calculations |
| 18 | PG-T2.8.3 | DONE | Completed 2025-11-30 | Scheduler Guild | Write concurrency tests for distributed locking |
| 19 | PG-T2.9 | TODO | Depends on PG-T2.8 | Scheduler Guild | Run backfill from MongoDB to PostgreSQL |
| 20 | PG-T2.10 | TODO | Depends on PG-T2.9 | Scheduler Guild | Verify data integrity and trigger timing |
| 21 | PG-T2.11 | TODO | Depends on PG-T2.10 | Scheduler Guild | Switch Scheduler to PostgreSQL-only |
@@ -50,6 +50,8 @@
| 2025-11-29 | All repository implementations completed (PG-T2.1 through PG-T2.6.2) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T2.7) | Claude |
| 2025-11-29 | Integration tests created for Trigger, DistributedLock, Worker repositories (PG-T2.8.1) | Claude |
| 2025-11-30 | Added deterministic due-trigger ordering and determinism + concurrency test coverage (PG-T2.8.2, PG-T2.8.3) | StellaOps Agent |
| 2025-11-30 | Postgres integration test run failed locally: Docker daemon unavailable (Testcontainers) | StellaOps Agent |
## Decisions & Risks
- PostgreSQL advisory locks replace MongoDB distributed locks.
@@ -57,6 +59,8 @@
- Cron expressions stored as TEXT; next-fire computed in application.
- Job payload stored as JSONB for flexibility.
- Risk: advisory lock key collision; use tenant-scoped hash values.
- Due trigger retrieval is now ordered by `next_fire_at`, `tenant_id`, then `id` to keep scheduling deterministic under ties.
- Risk: Local test runs require Docker for Testcontainers; ensure Docker daemon is available before CI/local execution.
## Exit Criteria
- [ ] All repository interfaces implemented

60
docs/implplan/SPRINT_3403_0001_0001_postgres_notify.md
View File

@@ -16,7 +16,9 @@
- docs/db/README.md
- docs/db/SPECIFICATION.md (Section 5.5 - Notify Schema)
- docs/db/RULES.md
- src/Notify/AGENTS.md (if exists)
- docs/db/VERIFICATION.md
- src/Notify/AGENTS.md
- src/Notify/__Libraries/StellaOps.Notify.Storage.Postgres/AGENTS.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
@@ -49,21 +51,32 @@
| 26 | PG-T3.10.2 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test notification delivery flow end-to-end |
| 27 | PG-T3.10.3 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test escalation handling |
| 28 | PG-T3.10.4 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test digest aggregation |
| 29 | PG-T3.11 | TODO | Depends on PG-T3.10 | Notify Guild | Switch Notify to PostgreSQL-only |
| 29 | PG-T3.11 | TODO | Depends on PG-T3.10.x verification | Notify Guild | Switch Notify to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T3.1 through PG-T3.8.3) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T3.9) | Claude |
| 2025-11-29 | Integration tests created for Channel, Delivery, Rule, Template, Inbox, Digest, NotifyAudit repositories (PG-T3.10.1) | Claude |
## Wave Coordination
- Single wave covering Notify Postgres conversion; tasks grouped by repository implementation (PG-T3.1PG-T3.9) followed by verification and cutover (PG-T3.10.xPG-T3.11).
## Wave Detail Snapshots
- Repository implementations (PG-T3.1PG-T3.9): DONE as of 2025-11-29.
- Verification & cutover (PG-T3.10.xPG-T3.11): pending; awaiting PG-T3.10.1 evidence before end-to-end runs.
## Interlocks
- Scheduler trigger integration required before final cutover (PG-T3.11).
- Alignment with db conversion foundations from Sprint 3400 (Phase 0) already satisfied.
- Notify WebService/Worker DI wiring confirmed via PG-T3.9; monitor for downstream impacts in UI regressions.
## Decisions & Risks
- Channel configurations stored as JSONB for flexibility across channel types.
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
- Escalation states may need frequent updates; index accordingly.
- Digest aggregation queries may be complex; consider materialized views.
- Decisions:
- Channel configurations stored as JSONB for flexibility across channel types.
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
- DI wiring uses `ServiceCollectionExtensions` switch for Postgres enablement.
Risks:
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Escalation state churn can create hot partitions | Elevated write contention and vacuum churn | Index on tenant + escalation key; monitor autovacuum settings and add partial indexes if needed | Notify Guild | Open |
| Digest aggregation queries may be complex/heavy | Slow digest generation or stale digests | Evaluate materialized views with refresh-on-commit for high-volume tenants; add explain plans in PG-T3.10.4 | Notify Guild | Open |
| Cutover depends on successful PG-T3.10.x end-to-end tests | PostgreSQL-only switch (PG-T3.11) blocked | Run end-to-end suites immediately after PG-T3.10.1 evidence; keep Mongo fallback toggles until PG-T3.11 sign-off | Notify Guild | Open |
## Exit Criteria
- [ ] All 15 repository interfaces implemented
@@ -72,8 +85,25 @@
- [ ] All integration tests pass
- [ ] Notify running on PostgreSQL in staging
## Next Checkpoints
- Coordinate with Scheduler for notification trigger integration.
## Upcoming Checkpoints
- 2025-12-02: Kick off end-to-end delivery/escalation/digest runs (PG-T3.10.2PG-T3.10.4).
- 2025-12-04: Cutover readiness review for PG-T3.11 with Scheduler alignment.
## Action Tracker
| # | Action | Owner | Status | Notes |
| --- | --- | --- | --- | --- |
| 1 | Add AGENTS.md for `StellaOps.Notify.Storage.Postgres` working directory | Planning | DONE | Added 2025-11-30 and linked in Documentation Prerequisites |
| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | TODO | Needed before starting PG-T3.10.2PG-T3.10.4 |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T3.1 through PG-T3.8.3) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T3.9) | Claude |
| 2025-11-29 | Integration tests created for Channel, Delivery, Rule, Template, Inbox, Digest, NotifyAudit repositories (PG-T3.10.1) | Claude |
| 2025-11-30 | Normalised sprint to docs/implplan template; added coordination/interlock/action sections | Planning |
| 2025-11-30 | Added AGENTS.md for Postgres storage working directory and linked in prerequisites | Planning |
---
*Reference: docs/db/tasks/PHASE_3_NOTIFY.md*

60
docs/implplan/SPRINT_3404_0001_0001_postgres_policy.md
View File

@@ -48,19 +48,19 @@
| 25 | PG-T4.11 | TODO | Depends on PG-T4.10 | Policy Guild | Verify version numbers and active version settings |
| 26 | PG-T4.12 | TODO | Depends on PG-T4.11 | Policy Guild | Switch Policy to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T4.1 through PG-T4.6.4) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T4.7) | Claude |
| 2025-11-29 | Integration tests created for Pack, Rule, Exception, EvaluationRun, RiskProfile, PolicyAudit repositories (PG-T4.8.1) | Claude |
## Wave Coordination
- Single wave covering PG-T4.8.2 through PG-T4.12; sequencing is tests → export → import → verification → cutover.
- Migration window reuses Phase 0 foundations; avoid schema changes once PG-T4.9 starts.
## Decisions & Risks
- Pack versions are immutable once published; new versions create new rows.
- Rego content stored as TEXT; consider compression for large policies.
- Evaluation results may grow rapidly; consider partitioning or archival.
- Risk profile versioning critical for audit trail; never delete old versions.
## Wave Detail Snapshots
| Wave | Scope | Exit evidence |
| --- | --- | --- |
| W1 | Complete tests (PG-T4.8.2PG-T4.8.3), export/import, verification, cutover (PG-T4.9PG-T4.12) | Passing integration tests, successful data export/import, verified active versions, Policy service running on PostgreSQL in staging |
## Interlocks
- Postgres infrastructure from Sprint 3400 must remain stable during export/import (PG-T4.9PG-T4.10).
- Coordinate with Excititor on VEX policy integration to avoid concurrent schema changes during cutover.
- MongoDB write freeze required during PG-T4.9PG-T4.11 to prevent drift while exporting/importing packs.
## Exit Criteria
- [ ] All repository interfaces implemented
@@ -69,8 +69,40 @@
- [ ] All integration tests pass
- [ ] Policy running on PostgreSQL in staging
## Next Checkpoints
- Coordinate with Excititor for VEX policy integration.
## Upcoming Checkpoints
- Schedule alignment with Excititor for VEX policy integration before PG-T4.12 (date TBD).
- Stage export/import dry-run once PG-T4.8.1 evidence is reviewed.
## Action Tracker
| # | Action | Owner | Due | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Run pack versioning workflow test suite (PG-T4.8.2) | Policy Guild | After PG-T4.8.1 evidence | TODO | Validates happy-path and rollback |
| 2 | Run risk profile version history tests (PG-T4.8.3) | Policy Guild | After PG-T4.8.1 evidence | TODO | Covers `GetVersionAsync`/`ListVersionsAsync` |
| 3 | Export active packs from MongoDB (PG-T4.9) | Policy Guild | After PG-T4.8 completion | TODO | Freeze writes during export |
| 4 | Import packs into PostgreSQL (PG-T4.10) | Policy Guild | After PG-T4.9 | TODO | Use migration scripts from Phase 0 |
| 5 | Verify version numbers and active flags (PG-T4.11) | Policy Guild | After PG-T4.10 | TODO | Cross-check pack/risk profile parity |
| 6 | Switch Policy to PostgreSQL-only (PG-T4.12) | Policy Guild | After PG-T4.11 | TODO | Flip configuration flag and monitor |
## Decisions & Risks
- Pack versions are immutable once published; new versions create new rows.
- Rego content stored as TEXT; consider compression for large policies.
- Evaluation results may grow rapidly; consider partitioning or archival.
- Risk profile versioning is critical for audit trail; never delete old versions.
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Large policy bodies inflate storage | Higher storage and I/O costs | Evaluate compression option post-migration; monitor size metrics | Policy Guild | Open |
| Evaluation table growth | Potential performance/retention issues | Plan partitioning/archival after cutover; add retention policy | Policy Guild | Open |
| Drift during export/import | Inconsistent active versions | Enforce MongoDB write freeze during PG-T4.9PG-T4.11; verify counts before cutover | Policy Guild | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-29 | All repository implementations completed (PG-T4.1 through PG-T4.6.4) | Claude |
| 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T4.7) | Claude |
| 2025-11-29 | Integration tests created for Pack, Rule, Exception, EvaluationRun, RiskProfile, PolicyAudit repositories (PG-T4.8.1) | Claude |
| 2025-11-30 | Normalised sprint to docs/implplan template; added coordination and action tracker sections | Codex |
---
*Reference: docs/db/tasks/PHASE_4_POLICY.md*

50
docs/implplan/SPRINT_3405_0001_0001_postgres_vulnerabilities.md
View File

@@ -64,17 +64,18 @@
| 35 | PG-T5b.5 | TODO | Depends on PG-T5b.4 | Concelier Guild | Performance optimization with EXPLAIN ANALYZE |
| 36 | PG-T5b.6 | TODO | Depends on PG-T5b.5 | Concelier Guild | Switch Scanner/Concelier to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
## Wave Coordination
- Two-wave structure: 5a (schema/repositories) must reach PG-T5a.6 before 5b (conversion/verification) begins.
- Dual-import mode (PG-T5b.3.1) and parity checks (PG-T5b.4.x) gate the Excititor hand-off.
## Decisions & Risks
- PURL stored as TEXT with GIN trigram index for efficient matching.
- Version ranges stored as JSONB; too complex for relational decomposition.
- Full-text search using `tsvector` column with GIN index.
- Risk: matching discrepancies between backends; extensive comparison testing required.
- Expected data volume: 300K+ advisories, 2M+ affected entries.
## Wave Detail Snapshots
- **Wave 5a focus:** project creation, schema migrations, repositories, and integration tests; all tasks currently `TODO`.
- **Wave 5b focus:** converter, importer rewrites, parity runs, and performance tuning; blocked until Wave 5a completes integration tests.
## Interlocks
- Sprint 3400 must be verified as `DONE` before PG-T5a.1 starts.
- Excititor Phase 6 is blocked until parity results from PG-T5b.4.4 are recorded.
- Deterministic matching must be proven across MongoDB and PostgreSQL before switching Scanner/Concelier to PostgreSQL-only (PG-T5b.6).
## Exit Criteria
- [ ] All repository interfaces implemented
@@ -83,8 +84,33 @@
- [ ] Feed imports working on PostgreSQL
- [ ] Concelier running on PostgreSQL in staging
## Next Checkpoints
- Phase 6 (Excititor) depends on this completing successfully.
## Upcoming Checkpoints
| Date (UTC) | Checkpoint | Owner | Notes |
| --- | --- | --- | --- |
| TBD | Schedule parity verification window after PG-T5b.4.3 completes | Concelier Guild | Add date once 5a integration tests are green |
| TBD | Phase 6 (Excititor) kickoff after PostgreSQL-only cutover readiness | Excititor Guild | Dependent on PG-T5b.6 sign-off |
## Action Tracker
| # | Action | Owner | Due | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Confirm Sprint 3400 (Phase 0) completion and evidence link | Planning | TBD | TODO | Required before PG-T5a.1 starts |
| 2 | Assign owners and dates for parity verification checkpoints | Concelier Guild | TBD | TODO | Populate Upcoming Checkpoints with dates |
## Decisions & Risks
- PURL stored as TEXT with GIN trigram index for efficient matching.
- Version ranges stored as JSONB; too complex for relational decomposition.
- Full-text search using `tsvector` column with GIN index.
| Risk | Impact | Mitigation | Status |
| --- | --- | --- | --- |
| Matching discrepancies between MongoDB and PostgreSQL backends | Potential false positives/negatives and loss of trust | Run PG-T5b.4 parity checks with fixed SBOM set; require identical results before PG-T5b.6 | Open |
| Data volume (~300K advisories; ~2M affected rows) stresses indexing | Slow imports and lookups | Use partition-friendly schema, analyze after bulk load, validate GIN/GIST index choices during PG-T5b.5 | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
| 2025-11-30 | Normalised to docs/implplan template; added coordination, interlocks, risk table, and action tracker | Planning |
---
*Reference: docs/db/tasks/PHASE_5_VULNERABILITIES.md*

45
docs/implplan/SPRINT_3406_0001_0001_postgres_vex_graph.md
View File

@@ -16,7 +16,26 @@
- docs/db/README.md
- docs/db/SPECIFICATION.md (Section 5.3 - VEX Schema)
- docs/db/RULES.md
- src/Excititor/AGENTS.md (if exists)
- src/Excititor/AGENTS.md
## Wave Coordination
| Wave | Scope | Exit gate | Notes |
| --- | --- | --- | --- |
| 6a | Core schema and repositories | VEX schema migrations + repositories + tests (Tasks 1-16) | Blocks all graph storage work |
| 6b | Graph storage and determinism | Revision_id algorithm captured; node/edge COPY bulk ops proven deterministic (Tasks 17-30) | Requires Wave 6a DONE |
| 6c | Migration & verification | Dual-run parity demonstrated and cutover-ready (Tasks 31-42) | Requires Waves 6a-6b DONE |
## Wave Detail Snapshots
| Wave | Key outputs | Evidence to collect |
| --- | --- | --- |
| 6a | VEX schema migrations; data source; repositories for projects/statements/observations/linksets/consensus | Migration scripts, repository unit/integration tests |
| 6b | Graph revision/node/edge repositories; COPY-based bulk insert; traversal queries; revision determinism tests | Benchmark traces, stability test results (≥5 runs) |
| 6c | Mongo→Postgres conversion services; deterministic extraction order; dual-backend comparisons; cutover plan | Comparison reports (revision_id, counts), migration checklist |
## Interlocks
- Downstream phases (Phase 7 cleanup) cannot start until 6c cutover checks pass.
- Uses COPY; coordinate with DB ops on allowed temp paths/statement timeouts.
- Determinism requirements must align with Excititor module charter (tenant guards, UTC ordering).
## Delivery Tracker
@@ -74,10 +93,12 @@
| 41 | PG-T6c.4 | TODO | Depends on PG-T6c.3 | Excititor Guild | Migrate active projects |
| 42 | PG-T6c.5 | TODO | Depends on PG-T6c.4 | Excititor Guild | Switch Excititor to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint file created | Planning |
## Action Tracker
| # | Item | Status | Owner | Notes |
| --- | --- | --- | --- | --- |
| 1 | Confirm Sprints 3400 and 3405 are marked DONE before Wave 6a starts | TODO | Planning | Blocker gate for PG-T6a.1 |
| 2 | Lock agreed revision_id algorithm in docs/db/SPECIFICATION.md addendum | TODO | Excititor Guild | Needed before tasks PG-T6b.4.1-4.4 |
| 3 | Coordinate COPY settings (work_mem, statement_timeout) with DB ops | TODO | Excititor Guild | Required ahead of PG-T6b.2/PG-T6b.3 |
## Decisions & Risks
- Graph nodes/edges use BIGSERIAL for high-volume IDs.
@@ -86,6 +107,18 @@
- Graph traversal indexes on `(from_node_id)` and `(to_node_id)`.
- Estimated volumes: 10M+ nodes, 20M+ edges, 1M+ VEX statements.
| Risk | Impact | Mitigation | Status |
| --- | --- | --- | --- |
| Revision_id instability | High: breaks reproducibility and cutover confidence | Document algorithm; deterministic ordering; 5x stability tests (PG-T6b.4.1-4.4) | Open |
| COPY misconfiguration | Medium: bulk inserts fail or throttle | Pre-negotiate COPY settings with DB ops; reuse infra defaults from Sprint 3400 | Open |
| Dual-run divergence | High: Mongo vs Postgres results mismatch | Use comparison tasks PG-T6c.3.1-3.5; capture deltas and block cutover until resolved | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to docs/implplan template (waves/interlocks/action tracker) | Planning |
| 2025-11-28 | Sprint file created | Planning |
## Exit Criteria
- [ ] All repository interfaces implemented
- [ ] Graph storage working efficiently with bulk operations
@@ -94,7 +127,7 @@
- [ ] All comparison tests pass
- [ ] Excititor running on PostgreSQL in staging
## Next Checkpoints
## Upcoming Checkpoints
- This is the most complex phase; allocate extra time for determinism verification.
- Phase 7 (Cleanup) follows after successful cutover.

3
docs/implplan/SPRINT_503_ops_devops_i.md
View File

@@ -31,7 +31,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| DEVOPS-AIRGAP-57-001 | DONE (2025-11-30) | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. Dependencies: DEVOPS-AIRGAP-56-003. | DevOps Guild, Mirror Creator Guild (ops/devops) |
| DEVOPS-AIRGAP-57-002 | BLOCKED (2025-11-18) | Waiting on upstream DEVOPS-AIRGAP-57-001 (mirror bundle automation) to provide artifacts/endpoints for sealed-mode CI; no sealed fixtures available to exercise tests. | DevOps Guild, Authority Guild (ops/devops) |
| DEVOPS-AIRGAP-58-001 | DONE (2025-11-30) | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | DevOps Guild, Notifications Guild (ops/devops) |
| DEVOPS-AIRGAP-58-002 | TODO | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-AIRGAP-58-002 | DONE (2025-11-30) | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | DevOps Guild, Platform Guild (ops/devops) |
| DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. Dependencies: DEVOPS-AOC-19-001. | DevOps Guild (ops/devops) |
| DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DevOps Guild, QA Guild (ops/devops) |
@@ -54,6 +54,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Completed DEVOPS-AIRGAP-58-002: added sealed-mode observability compose stack (Prometheus/Grafana/Tempo/Loki) with offline configs plus health script under `ops/devops/airgap/`; ready for sealed-mode bootstrap. | DevOps |
| 2025-11-30 | Completed DEVOPS-SBOM-23-001: added SBOM CI runner (`ops/devops/sbom-ci-runner/run-sbom-ci.sh`) with warmed-cache restore, binlog/TRX outputs, and NuGet cache hash evidence; documented in runner README. | DevOps |
| 2025-11-30 | Completed DEVOPS-SCANNER-CI-11-001: added offline-friendly Scanner CI runner (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`) and README; produces build binlog + TRX outputs from key test projects with warmed NuGet cache. | DevOps |
| 2025-11-30 | Completed DEVOPS-ATTEST-73-001/73-002: added attestor CI stub (`ops/devops/attestation/ci.yml`) and secrets/rotation plan in `ops/devops/attestation/README.md`; pending mirror into `.gitea/workflows/attestor-ci.yml` for live runs. | DevOps |