audit remarks work
This commit is contained in:
master
@@ -46,10 +46,10 @@ Bulk task definitions (applies to every project row below):
|
||||
| 24 | AUDIT-0008-A | DONE | Applied + tests | Guild | src/Tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj - APPLY |
|
||||
| 25 | AUDIT-0009-M | DONE | Report | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - MAINT |
|
||||
| 26 | AUDIT-0009-T | DONE | Report | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - TEST |
|
||||
| 27 | AUDIT-0009-A | BLOCKED | Missing docs/modules/findings-ledger/implementation_plan.md required by AGENTS | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
|
||||
| 27 | AUDIT-0009-A | TODO | Approval | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
|
||||
| 28 | AUDIT-0010-M | DONE | Report | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - MAINT |
|
||||
| 29 | AUDIT-0010-T | DONE | Report | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - TEST |
|
||||
| 30 | AUDIT-0010-A | BLOCKED | Missing docs/modules/findings-ledger/implementation_plan.md required by AGENTS | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
|
||||
| 30 | AUDIT-0010-A | TODO | Approval | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
|
||||
| 31 | AUDIT-0011-M | DONE | Report | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - MAINT |
|
||||
| 32 | AUDIT-0011-T | DONE | Report | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - TEST |
|
||||
| 33 | AUDIT-0011-A | DONE | Applied + tests | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - APPLY |
|
||||
@@ -2162,6 +2162,7 @@ Bulk task definitions (applies to every project row below):
|
||||
| --- | --- | --- |
|
||||
| 2025-12-30 | CLI: moved run manifest parsing into CLI (removed test-only manifest dependency) and added serializer tests; audit report updated. | Implementer |
|
||||
| 2025-12-30 | Blocked AUDIT-0009-A and AUDIT-0010-A due to missing findings-ledger implementation_plan doc required by AGENTS. | Implementer |
|
||||
| 2025-12-30 | Added docs/modules/findings-ledger/implementation_plan.md; unblocked AUDIT-0009-A and AUDIT-0010-A. | Implementer |
|
||||
| 2025-12-30 | Applied audit fixes for FixtureUpdater, LanguageAnalyzerSmoke, NotifySmokeCheck, RustFsMigrator, Scheduler.Backfill; added deterministic CLI/retry/cancellation updates, tests, and moved GHSA fixtures to GHSA test folder with OSV parity fixture resolution update. | Implementer |
|
||||
| 2025-12-30 | Added /tools CLI command group for policy tooling; moved implementations into shared library for CLI consumption. | Implementer |
|
||||
| 2025-12-30 | Applied audit fixes for PolicyDslValidator, PolicySchemaExporter, PolicySimulationSmoke; added tests and updated report dispositions. | Implementer |
|
||||
@@ -2377,7 +2378,7 @@ Bulk task definitions (applies to every project row below):
|
||||
- Risk: Scale of audit is large; mitigate with per-project checklists and parallel execution.
|
||||
- Risk: Coverage measurement can be inconsistent; mitigate with deterministic test runs and documented tooling.
|
||||
- Note: GHSA parity fixtures moved to the GHSA test fixture directory; OSV parity fixture resolution updated accordingly (cross-module change recorded).
|
||||
- Blocker: AUDIT-0009-A/AUDIT-0010-A require docs/modules/findings-ledger/implementation_plan.md per Findings AGENTS; file is missing and needs PM update before APPLY.
|
||||
- Resolution: Added docs/modules/findings-ledger/implementation_plan.md; AUDIT-0009-A/AUDIT-0010-A unblocked (approval still required).
|
||||
|
||||
## Next Checkpoints
|
||||
- TBD: Audit report review and approval checkpoint.
|
||||
|
||||
@@ -59,7 +59,7 @@
|
||||
- MAINT: Duplicate harness exists at src/Findings/tools/LedgerReplayHarness; unclear canonical tool.
|
||||
- TEST: No tests for parsing/percentile/checksum logic.
|
||||
- Proposed changes (pending approval): extract HarnessRunner/report writer, enforce deterministic fixture ordering or document concurrency intent, use TryParse with structured errors, clarify/retire duplicate harness, add unit tests for parsing/percentile/checksum.
|
||||
- Disposition: blocked (missing docs/modules/findings-ledger/implementation_plan.md required by AGENTS)
|
||||
- Disposition: pending implementation (non-test project; apply recommendations remain open)
|
||||
### src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj
|
||||
- MAINT: eventCount increments for every non-empty line even when no record is appended; reported eventsWritten can diverge from actual appends.
|
||||
- MAINT: JsonNode.Parse and DateTimeOffset parsing fail fast without fixture/line context; no structured error reporting.
|
||||
@@ -68,7 +68,7 @@
|
||||
- MAINT: Duplicate harness exists at src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness; unclear canonical tool.
|
||||
- TEST: No tests for HarnessRunner parsing, merkle computation, or percentile logic.
|
||||
- Proposed changes (pending approval): count only appended records, add deterministic ordering (sorted fixtures + sequence), capture parse errors with fixture/line context, avoid UtcNow defaults for missing recorded_at, clarify/retire duplicate harness, add unit tests for parsing/merkle/percentile.
|
||||
- Disposition: blocked (missing docs/modules/findings-ledger/implementation_plan.md required by AGENTS)
|
||||
- Disposition: pending implementation (non-test project; apply recommendations remain open)
|
||||
### src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj
|
||||
- MAINT: Console output includes non-ASCII/mojibake characters; not portable for logs.
|
||||
- MAINT: StreamRangeAsync scans only 200 entries; busy streams can miss expected events.
|
||||
|
||||
@@ -105,6 +105,9 @@ src/
|
||||
* `config set/get` — endpoint & defaults.
|
||||
* `whoami` — short auth display.
|
||||
* `version` — CLI + protocol versions; release channel.
|
||||
* `tools policy-dsl-validate <paths...> [--strict] [--json]`
|
||||
* `tools policy-schema-export [--output <dir>] [--repo-root <path>]`
|
||||
* `tools policy-simulation-smoke [--scenario-root <path>] [--output <dir>] [--repo-root <path>] [--fixed-time <ISO-8601>]`
|
||||
|
||||
### 2.9 Aggregation-only guard helpers
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@ Immutable, append-only event ledger for tracking vulnerability findings, policy
|
||||
|
||||
## Quick links
|
||||
- FL1–FL10 remediation tracker: `gaps-FL1-FL10.md`
|
||||
- Implementation plan: `implementation_plan.md`
|
||||
- Schema catalog (events/projections/exports): `schema-catalog.md`
|
||||
- Merkle & external anchor policy: `merkle-anchor-policy.md`
|
||||
- Tenant isolation & redaction manifest: `tenant-isolation-redaction.md`
|
||||
|
||||
33
docs/modules/findings-ledger/implementation_plan.md
Normal file
33
docs/modules/findings-ledger/implementation_plan.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# Findings Ledger Implementation Plan
|
||||
|
||||
## Purpose
|
||||
Define the delivery plan for the Findings Ledger service, replay harness, observability, and air-gap provenance so audits can verify deterministic state reconstruction.
|
||||
|
||||
## Active work
|
||||
- No active sprint tracked here yet. Use `docs/modules/findings-ledger/gaps-FL1-FL10.md` for remediation tracking.
|
||||
|
||||
## Near-term deliverables
|
||||
- Observability baselines: metrics, logs, traces, dashboards, and alert rules per `docs/modules/findings-ledger/observability.md`.
|
||||
- Determinism harness: replay CLI, fixtures, and signed reports per `docs/modules/findings-ledger/replay-harness.md`.
|
||||
- Deployment collateral: Compose/Helm overlays, migrations, and backup/restore runbooks per `docs/modules/findings-ledger/deployment.md`.
|
||||
- Provenance extensions: air-gap bundle metadata, staleness enforcement, and sealed-mode timeline entries per `docs/modules/findings-ledger/airgap-provenance.md`.
|
||||
|
||||
## Dependencies
|
||||
- Observability schema approval for metrics and dashboards.
|
||||
- Orchestrator export schema freeze for provenance linkage.
|
||||
- QA lab capacity for >=5M findings/tenant replay harness.
|
||||
- DevOps review of Compose/Helm overlays and offline kit packaging.
|
||||
|
||||
## Evidence of completion
|
||||
- `src/Findings/StellaOps.Findings.Ledger` and `src/Findings/tools/LedgerReplayHarness` updated with deterministic behavior and tests.
|
||||
- Replay harness reports (`harness-report.json` + DSSE) stored under approved offline kit locations.
|
||||
- Dashboard JSON and alert rules committed under `offline/telemetry/dashboards/ledger` or `ops/devops/findings-ledger/**`.
|
||||
- Deployment and backup guidance validated against `docs/modules/findings-ledger/deployment.md`.
|
||||
|
||||
## Reference docs
|
||||
- `docs/modules/findings-ledger/schema.md`
|
||||
- `docs/modules/findings-ledger/replay-harness.md`
|
||||
- `docs/modules/findings-ledger/observability.md`
|
||||
- `docs/modules/findings-ledger/deployment.md`
|
||||
- `docs/modules/findings-ledger/airgap-provenance.md`
|
||||
- `docs/modules/findings-ledger/workflow-inference.md`
|
||||
Reference in New Issue
Block a user