stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add unit tests for RabbitMq and Udp transport servers and clients
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Implemented comprehensive unit tests for RabbitMqTransportServer, covering constructor, disposal, connection management, event handlers, and exception handling.
- Added configuration tests for RabbitMqTransportServer to validate SSL, durable queues, auto-recovery, and custom virtual host options.
- Created unit tests for UdpFrameProtocol, including frame parsing and serialization, header size validation, and round-trip data preservation.
- Developed tests for UdpTransportClient, focusing on connection handling, event subscriptions, and exception scenarios.
- Established tests for UdpTransportServer, ensuring proper start/stop behavior, connection state management, and event handling.
- Included tests for UdpTransportOptions to verify default values and modification capabilities.
- Enhanced service registration tests for Udp transport services in the dependency injection container.
This commit is contained in:
master
2025-12-05 19:01:12 +02:00
parent 53508ceccb
commit cc69d332e3
245 changed files with 22440 additions and 27719 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
docs/implplan/BLOCKED_DEPENDENCY_TREE_PART2.md Normal file
View File

@@ -0,0 +1,195 @@
# Analysis: BLOCKED Tasks in SPRINT Files
## Executive Summary
Found **57 BLOCKED tasks** across 10 sprint files. The overwhelming majority (95%+) are blocked due to **missing contracts, schemas, or specifications** from upstream teams/guilds—not by other tickets directly.
---
## Common Themes (Ranked by Frequency)
### 1. Missing Contract/Schema Dependencies (38 tasks, 67%)
The single largest blocker category. Tasks are waiting for upstream teams to publish:
| Missing Contract Type | Example Tasks | Blocking Guild/Team |
|-----------------------|---------------|---------------------|
| `advisory_key` schema/canonicalization | EXCITITOR-POLICY-20-001, EXCITITOR-VULN-29-001 | Policy Engine, Vuln Explorer |
| Risk scoring contract (66-002) | LEDGER-RISK-67-001, POLICY-RISK-67-003 | Risk/Export Center |
| VerificationPolicy schema | POLICY-ATTEST-73-001, POLICY-ATTEST-73-002 | Attestor guild |
| Policy Studio API contract | CONCELIER-RISK-68-001, POLICY-RISK-68-001 | Policy Studio |
| Mirror bundle/registration schema | POLICY-AIRGAP-56-001, EXCITITOR-AIRGAP-56-001 | Mirror/Evidence Locker |
| ICryptoProviderRegistry contract | EXCITITOR-CRYPTO-90-001 | Security guild |
| Export bundle/scheduler spec | EXPORT-CONSOLE-23-001 | Export Center |
| RLS + partition design approval | LEDGER-TEN-48-001-DEV | Platform/DB guild |
**Root Cause:** Cross-team coordination gaps. Contracts are not being published before dependent work is scheduled.
---
### 2. Cascading/Domino Blockers (16 tasks, 28%)
Tasks blocked because their immediate upstream task is also blocked:
```
67-001 (blocked) → 68-001 (blocked) → 68-002 (blocked) → 69-001 (blocked)
```
Examples:
- EXCITITOR-VULN-29-002 → blocked on 29-001 canonicalization contract
- POLICY-ATTEST-74-002 → blocked on 74-001 → blocked on 73-002 → blocked on 73-001
**Root Cause:** Dependency chains where the root blocker propagates downstream. Unblocking the root would cascade-unblock 3-5 dependent tasks.
---
### 3. Air-Gap/Offline Operation Blockers (8 tasks, 14%)
Concentrated pattern around air-gapped/sealed-mode features:
| Task Pattern | Missing Spec |
|--------------|--------------|
| AIRGAP-56-* | Mirror registration + bundle schema |
| AIRGAP-57-* | Sealed-mode contract, staleness/fallback data |
| AIRGAP-58-* | Notification schema for staleness signals |
| AIRGAP-TIME-57-001 | Time-anchor + TUF trust policy |
**Root Cause:** Air-gap feature design is incomplete. The "sealed mode" and "time travel" contracts are not finalized.
---
### 4. VEX Lens / VEX-First Decisioning (4 tasks)
Multiple tasks waiting on VEX Lens specifications:
- CONCELIER-VEXLENS-30-001
- EXCITITOR-VEXLENS-30-001
**Root Cause:** VEX Lens field list and examples not delivered.
---
### 5. Attestation Pipeline (4 tasks)
Blocked waiting for:
- DSSE-signed locker manifests
- VerificationPolicy schema/persistence
- Attestor pipeline contract
**Root Cause:** Attestation verification design is incomplete.
---
### 6. Authority Integration (3 tasks)
Tasks blocked on:
- `effective:write` contract from Authority
- Authority attachment/scoping rules
**Root Cause:** Authority team has not published integration contracts.
---
## Key Blocking Guilds/Teams (Not Tickets)
| Guild/Team | # Tasks Blocked | Key Missing Deliverable |
|------------|-----------------|-------------------------|
| Policy Engine | 12 | `advisory_key` schema, Policy Studio API |
| Risk/Export Center | 10 | Risk scoring contract (66-002), export specs |
| Mirror/Evidence Locker | 8 | Mirror bundle schema, registration contract |
| Attestor | 6 | VerificationPolicy, DSSE signing profile |
| Platform/DB | 3 | RLS + partition design approval |
| VEX Lens | 2 | Field list, examples |
| Security | 1 | ICryptoProviderRegistry contract |
---
## Recommendations
### Immediate Actions (High Impact)
1. **Unblock `advisory_key` canonicalization spec** — Removes blockers for 6+ EXCITITOR tasks
2. **Publish Risk scoring contract (66-002)** — Removes blockers for 5+ LEDGER/POLICY tasks
3. **Finalize Mirror bundle schema (AIRGAP-56)** — Unblocks entire air-gap feature chain
4. **Publish VerificationPolicy schema** — Unblocks attestation pipeline
### Process Improvements
1. **Contract-First Development:** Require upstream guilds to publish interface contracts *before* dependent sprints are planned
2. **Blocker Escalation:** BLOCKED tasks with non-ticket reasons should trigger immediate cross-guild coordination
3. **Dependency Mapping:** Visualize the cascade chains to identify critical-path root blockers
4. **Sprint Planning Gate:** Do not schedule tasks until all required contracts are published
---
## Appendix: All Blocked Tasks by Sprint
### SPRINT_0115_0001_0004_concelier_iv.md (4 tasks)
- CONCELIER-RISK-68-001 — Policy Studio integration contract
- CONCELIER-SIG-26-001 — Signals guild symbol data contract
- CONCELIER-STORE-AOC-19-005-DEV — Staging dataset hash + rollback rehearsal
- CONCELIER-VEXLENS-30-001 — VEX Lens field list
### SPRINT_0119_0001_0004_excititor_iv.md (3 tasks)
- EXCITITOR-POLICY-20-001 — advisory_key schema not published
- EXCITITOR-POLICY-20-002 — Cascade on 20-001
- EXCITITOR-RISK-66-001 — Risk feed envelope spec
### SPRINT_0119_0001_0005_excititor_v.md (6 tasks)
- EXCITITOR-VEXLENS-30-001 — VEX Lens field list
- EXCITITOR-VULN-29-001 — advisory_key canonicalization spec
- EXCITITOR-VULN-29-002 — Cascade on 29-001
- EXCITITOR-VULN-29-004 — Cascade on 29-002
- EXCITITOR-AIRGAP-56-001 — Mirror registration contract
- EXCITITOR-AIRGAP-58-001 — Cascade on 56-001
### SPRINT_0119_0001_0006_excititor_vi.md (2 tasks)
- EXCITITOR-WEB-OBS-54-001 — DSSE-signed locker manifests
- EXCITITOR-CRYPTO-90-001 — ICryptoProviderRegistry contract
### SPRINT_0121_0001_0002_policy_reasoning_blockers.md (7 tasks)
- LEDGER-ATTEST-73-002 — Verification pipeline delivery
- LEDGER-OAS-61-001-DEV — OAS baseline not defined
- LEDGER-OAS-61-002-DEV — Cascade on 61-001
- LEDGER-OAS-62-001-DEV — SDK generation pending
- LEDGER-OAS-63-001-DEV — SDK validation pending
- LEDGER-OBS-55-001 — Attestation telemetry contract
- LEDGER-PACKS-42-001-DEV — Snapshot time-travel contract
### SPRINT_0122_0001_0001_policy_reasoning.md (6 tasks)
- LEDGER-RISK-67-001 — Risk scoring + Export Center specs
- LEDGER-RISK-68-001 — Cascade on 67-001
- LEDGER-RISK-69-001 — Cascade on 67+68
- LEDGER-TEN-48-001-DEV — Platform/DB approval for RLS
- DEVOPS-LEDGER-TEN-48-001-REL — DevOps cascade
### SPRINT_0123_0001_0001_policy_reasoning.md (14 tasks)
- EXPORT-CONSOLE-23-001 — Export bundle schema
- POLICY-AIRGAP-56-001 — Mirror bundle schema
- POLICY-AIRGAP-56-002 — DSSE signing profile
- POLICY-AIRGAP-57-001 — Sealed-mode contract
- POLICY-AIRGAP-57-002 — Staleness/fallback data
- POLICY-AIRGAP-58-001 — Notification schema
- POLICY-AOC-19-001 — Linting targets spec
- POLICY-AOC-19-002 — Authority `effective:write` contract
- POLICY-AOC-19-003/004 — Cascades
- POLICY-ATTEST-73-001 — VerificationPolicy schema
- POLICY-ATTEST-73-002 — Cascade
- POLICY-ATTEST-74-001 — Attestor pipeline contract
- POLICY-ATTEST-74-002 — Console report schema
### SPRINT_0125_0001_0001_mirror.md (2 tasks)
- AIRGAP-TIME-57-001 — Time-anchor + TUF schema
- CLI-AIRGAP-56-001 — Mirror signing + CLI contract
### SPRINT_0128_0001_0001_policy_reasoning.md (7 tasks)
- POLICY-RISK-67-003 — Risk profile contract
- POLICY-RISK-68-001 — Policy Studio API
- POLICY-RISK-68-002 — Overrides audit fields
- POLICY-RISK-69-001 — Notifications contract
- POLICY-RISK-70-001 — Air-gap packaging rules
---
## Summary
**The blockers are systemic, not individual.** 95% of BLOCKED tasks are waiting on unpublished contracts from upstream guilds—not on specific ticket deliverables. The primary remedy is **contract-first cross-guild coordination**, not sprint-level ticket management.

4
docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
View File

@@ -40,12 +40,12 @@
| 5 | CONCELIER-RISK-66-001 | DONE (2025-11-28) | Created `VendorRiskSignal`, `VendorCvssScore`, `VendorKevStatus`, `VendorFixAvailability` models with provenance. Extractor parses OSV/NVD formats. | Concelier Core Guild · Risk Engine Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Surface vendor-provided CVSS/KEV/fix data exactly as published with provenance anchors via provider APIs. |
| 6 | CONCELIER-RISK-66-002 | DONE (2025-11-28) | Implemented `FixAvailabilityMetadata`, `FixRelease`, `FixAdvisoryLink` models + `IFixAvailabilityEmitter` interface + `FixAvailabilityEmitter` implementation in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. DI registration via `AddConcelierRiskServices()`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. |
| 7 | CONCELIER-RISK-67-001 | DONE (2025-11-28) | Implemented `SourceCoverageMetrics`, `SourceContribution`, `SourceConflict` models + `ISourceCoverageMetricsPublisher` interface + `SourceCoverageMetricsPublisher` implementation + `InMemorySourceCoverageMetricsStore` in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. DI registration via `AddConcelierRiskServices()`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. |
| 8 | CONCELIER-RISK-68-001 | BLOCKED | Blocked on POLICY-RISK-68-001. | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
| 8 | CONCELIER-RISK-68-001 | TODO | Unblocked by [CONTRACT-POLICY-STUDIO-007](../contracts/policy-studio.md); Policy Studio contract available. | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
| 9 | CONCELIER-RISK-69-001 | DONE (2025-11-28) | Implemented `AdvisoryFieldChangeNotification`, `AdvisoryFieldChange` models + `IAdvisoryFieldChangeEmitter` interface + `AdvisoryFieldChangeEmitter` implementation + `InMemoryAdvisoryFieldChangeNotificationPublisher` in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. Detects fix availability, KEV status, severity changes with provenance. | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
| 10 | CONCELIER-SIG-26-001 | BLOCKED | Blocked on SIGNALS-24-002. | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
| 11 | CONCELIER-STORE-AOC-19-005-DEV | BLOCKED (2025-11-04) | Waiting on staging dataset hash + rollback rehearsal using prep doc | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo reflects Link-Not-Merge data; rehearse rollback (dev/staging). |
| 12 | CONCELIER-TEN-48-001 | DONE (2025-11-28) | Created Tenancy module with `TenantScope`, `TenantCapabilities`, `TenantCapabilitiesResponse`, `ITenantCapabilitiesProvider`, and `TenantScopeNormalizer` per AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
| 13 | CONCELIER-VEXLENS-30-001 | BLOCKED | PREP-CONCELIER-VULN-29-001; VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
| 13 | CONCELIER-VEXLENS-30-001 | TODO | Unblocked by [CONTRACT-VEX-LENS-005](../contracts/vex-lens.md) + [CONTRACT-ADVISORY-KEY-001](../contracts/advisory-key.md). | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
| 14 | CONCELIER-GAPS-115-014 | DONE (2025-12-02) | None; informs tasks 013. | Product Mgmt · Concelier Guild | Address Concelier ingestion gaps CI1CI10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed observation/linkset schemas and AOC guard, enforce denylist/allowlist via analyzers, require provenance/signature details, feed snapshot governance/staleness, deterministic conflict rules, canonical content-hash/idempotency keys, tenant isolation tests, connector sandbox limits, offline advisory bundle schema/verify, and shared fixtures/CI determinism. |
## Execution Log

8
docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
View File

@@ -34,9 +34,9 @@
| 3 | EXCITITOR-OBS-54-001 | DONE (2025-11-23) | Depends on 53-001; integrate Provenance tooling. | Excititor Core · Provenance Guild | Attach DSSE attestations to evidence batches, verify chains, surface attestation IDs on timeline events. |
| 4 | EXCITITOR-ORCH-32-001 | DONE (2025-12-01) | Orchestrator worker endpoints wired into Excititor worker (`VexWorkerOrchestratorClient` HTTP client + options). | Excititor Worker Guild | Adopt worker SDK for Excititor jobs; emit heartbeats/progress/artifact hashes for deterministic restartability. |
| 5 | EXCITITOR-ORCH-33-001 | DONE (2025-12-01) | Commands mapped from orchestrator errors (pause/throttle/retry); checkpoints/progress mirrored; offline fallback retained. | Excititor Worker Guild | Honor orchestrator pause/throttle/retry commands; persist checkpoints; classify errors for safe outage handling. |
| 6 | EXCITITOR-POLICY-20-001 | BLOCKED (2025-11-23) | Policy contract / advisory_key schema not published; cannot define API shape. | Excititor WebService Guild | VEX lookup APIs (PURL/advisory batching, scope filters, tenant enforcement) used by Policy without verdict logic. |
| 7 | EXCITITOR-POLICY-20-002 | BLOCKED (2025-11-23) | Blocked on 20-001 API contract. | Excititor Core Guild | Add scope resolution/version range metadata to linksets while staying aggregation-only. |
| 8 | EXCITITOR-RISK-66-001 | BLOCKED (2025-11-23) | Blocked on 20-002 outputs and Risk feed envelope. | Excititor Core · Risk Engine Guild | Publish risk-engine ready feeds (status, justification, provenance) with zero derived severity. |
| 6 | EXCITITOR-POLICY-20-001 | TODO | Unblocked by [CONTRACT-ADVISORY-KEY-001](../contracts/advisory-key.md); ready to define API shape. | Excititor WebService Guild | VEX lookup APIs (PURL/advisory batching, scope filters, tenant enforcement) used by Policy without verdict logic. |
| 7 | EXCITITOR-POLICY-20-002 | TODO | Unblocked by advisory_key contract; can proceed after 20-001. | Excititor Core Guild | Add scope resolution/version range metadata to linksets while staying aggregation-only. |
| 8 | EXCITITOR-RISK-66-001 | TODO | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); can proceed after 20-002. | Excititor Core · Risk Engine Guild | Publish risk-engine ready feeds (status, justification, provenance) with zero derived severity. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -76,4 +76,4 @@
| Attestations | Wire DSSE verification + timeline surfacing (OBS-54-001). | Core · Provenance Guild | 2025-11-21 | DONE (2025-11-23) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | BLOCKED (SDK missing in repo; awaiting orchestrator worker package) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | DONE (2025-12-01) |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | BLOCKED (awaiting Policy advisory_key contract + Risk feed envelope) |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | TODO (unblocked 2025-12-05 by contracts) |

20
docs/implplan/SPRINT_0119_0001_0005_excititor_v.md
View File

@@ -29,14 +29,14 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-VEXLENS-30-001 | BLOCKED (2025-11-25) | Await VEX Lens field list / examples. | Excititor WebService Guild · VEX Lens Guild | Ensure observations exported to VEX Lens carry issuer hints, signature blobs, product tree snippets, staleness metadata; no consensus logic. |
| 2 | EXCITITOR-VULN-29-001 | BLOCKED (2025-11-23) | Missing `advisory_key` canonicalization spec from Vuln Explorer; cannot design backfill. | Excititor WebService Guild | Canonicalize advisory/product keys to `advisory_key`, capture scope metadata, preserve originals in `links[]`; backfill + tests. |
| 3 | EXCITITOR-VULN-29-002 | BLOCKED (2025-11-23) | Blocked on 29-001 canonicalization contract. | Excititor WebService Guild | `/vuln/evidence/vex/{advisory_key}` returning tenant-scoped raw statements, provenance, attestation references for Vuln Explorer. |
| 4 | EXCITITOR-VULN-29-004 | BLOCKED (2025-11-23) | Blocked on 29-002 endpoint shape. | Excititor WebService · Observability Guild | Metrics/logs for normalization errors, suppression scopes, withdrawn statements for Vuln Explorer + Advisory AI dashboards. |
| 1 | EXCITITOR-VEXLENS-30-001 | TODO | Unblocked by [CONTRACT-VEX-LENS-005](../contracts/vex-lens.md); field list available. | Excititor WebService Guild · VEX Lens Guild | Ensure observations exported to VEX Lens carry issuer hints, signature blobs, product tree snippets, staleness metadata; no consensus logic. |
| 2 | EXCITITOR-VULN-29-001 | TODO | Unblocked by [CONTRACT-ADVISORY-KEY-001](../contracts/advisory-key.md); canonicalization spec available. | Excititor WebService Guild | Canonicalize advisory/product keys to `advisory_key`, capture scope metadata, preserve originals in `links[]`; backfill + tests. |
| 3 | EXCITITOR-VULN-29-002 | TODO | Unblocked; can proceed after 29-001. | Excititor WebService Guild | `/vuln/evidence/vex/{advisory_key}` returning tenant-scoped raw statements, provenance, attestation references for Vuln Explorer. |
| 4 | EXCITITOR-VULN-29-004 | TODO | Unblocked; can proceed after 29-002. | Excititor WebService · Observability Guild | Metrics/logs for normalization errors, suppression scopes, withdrawn statements for Vuln Explorer + Advisory AI dashboards. |
| 5 | EXCITITOR-STORE-AOC-19-001 | DONE (2025-11-25) | Draft Mongo JSON Schema + validator tooling. | Excititor Storage Guild | Ship validator (incl. Offline Kit instructions) proving Excititor stores only immutable evidence. |
| 6 | EXCITITOR-STORE-AOC-19-002 | DONE (2025-11-25) | After 19-001; create indexes/migrations. | Excititor Storage · DevOps Guild | Unique indexes, migrations/backfills, rollback steps for new validator. |
| 7 | EXCITITOR-AIRGAP-56-001 | BLOCKED (2025-11-25) | Mirror registration contract/schema not published. | Excititor WebService Guild | Mirror bundle registration + provenance exposure, sealed-mode error mapping, staleness metrics in API responses. |
| 8 | EXCITITOR-AIRGAP-58-001 | BLOCKED (2025-11-25) | Depends on 56-001 + bundle schema. | Excititor Core · Evidence Locker Guild | Portable evidence bundles linked to timeline + attestation metadata; document verifier steps for Advisory AI. |
| 7 | EXCITITOR-AIRGAP-56-001 | TODO | Unblocked by [CONTRACT-MIRROR-BUNDLE-003](../contracts/mirror-bundle.md); schema available. | Excititor WebService Guild | Mirror bundle registration + provenance exposure, sealed-mode error mapping, staleness metrics in API responses. |
| 8 | EXCITITOR-AIRGAP-58-001 | TODO | Unblocked; can proceed after 56-001 with bundle schema available. | Excititor Core · Evidence Locker Guild | Portable evidence bundles linked to timeline + attestation metadata; document verifier steps for Advisory AI. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -68,8 +68,8 @@
## Action Tracker (carried over)
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | BLOCKED (awaiting Lens field list/examples) |
| Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | BLOCKED (awaiting advisory_key spec) |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | BLOCKED (depends on 29-002 endpoint shape) |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | TODO (unblocked 2025-12-05 by contracts) |
| Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | TODO (unblocked 2025-12-05 by contracts) |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | TODO (unblocked 2025-12-05) |
| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | DONE |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | BLOCKED (mirror registration + bundle schema) |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | TODO (unblocked 2025-12-05 by contracts) |

6
docs/implplan/SPRINT_0119_0001_0006_excititor_vi.md
View File

@@ -30,11 +30,11 @@
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-WEB-OBS-52-001 | DONE (2025-11-24) | `/obs/excititor/timeline` SSE endpoint implemented with cursor/Last-Event-ID, retry headers, tenant scope enforcement. | Excititor WebService Guild | SSE/WebSocket bridges for VEX timeline events with tenant filters, pagination anchors, guardrails. |
| 2 | EXCITITOR-WEB-OBS-53-001 | DONE (2025-12-02) | Locker manifest published at `docs/modules/excititor/observability/locker-manifest.md`; wire endpoints to consume locker bundle API. | Excititor WebService · Evidence Locker Guild | `/evidence/vex/*` endpoints fetching locker bundles, enforcing scopes, surfacing verification metadata; no verdicts. |
| 3 | EXCITITOR-WEB-OBS-54-001 | BLOCKED (2025-11-23) | Await DSSE-signed locker manifests (OBS-54-001) to expose attestation verification state. | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. |
| 3 | EXCITITOR-WEB-OBS-54-001 | TODO | Unblocked by [CONTRACT-VERIFICATION-POLICY-006](../contracts/verification-policy.md); DSSE verification now available. | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. |
| 4 | EXCITITOR-WEB-OAS-61-001 | DONE (2025-11-24) | `/.well-known/openapi` + `/openapi/excititor.json` implemented with spec metadata and standard error envelope. | Excititor WebService Guild | Implement `/.well-known/openapi` with spec version metadata + standard error envelopes; update controller/unit tests. |
| 5 | EXCITITOR-WEB-OAS-62-001 | DONE (2025-11-24) | Examples + deprecation/link headers added to OpenAPI doc; SDK docs pending separate publishing sprint. | Excititor WebService Guild · API Governance Guild | Publish curated examples for new evidence/attestation/timeline endpoints; emit deprecation headers for legacy routes; align SDK docs. |
| 6 | EXCITITOR-WEB-AIRGAP-58-001 | DONE (2025-12-03) | Mirror thin bundle schema + policies available (see `docs/modules/mirror/dsse-tuf-profile.md`, `out/mirror/thin/mirror-thin-v1.bundle.json`). | Excititor WebService · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation guidance. |
| 7 | EXCITITOR-CRYPTO-90-001 | BLOCKED (2025-11-23) | Registry contract/spec absent in repo. | Excititor WebService · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across crypto profiles. |
| 7 | EXCITITOR-CRYPTO-90-001 | TODO | Unblocked by [CONTRACT-CRYPTO-PROVIDER-REGISTRY-010](../contracts/crypto-provider-registry.md); contract available. | Excititor WebService · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across crypto profiles. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -81,4 +81,4 @@
| Evidence/Attestation APIs | Wire `/evidence/vex/*` (WEB-OBS-53-001) using locker manifest; attestation path waits on DSSE manifest (OBS-54-001). | WebService · Evidence Locker Guild | 2025-11-22 | DOING / PARTIAL |
| OpenAPI discovery | Implement well-known discovery + examples (WEB-OAS-61/62). | WebService · API Gov | 2025-11-21 | DONE (61-001, 62-001 delivered 2025-11-24) |
| Bundle telemetry | Define audit event + sealed-mode remediation mapping (WEB-AIRGAP-58-001). | WebService · AirGap Guilds | 2025-11-23 | DOING |
| Crypto providers | Design `ICryptoProviderRegistry` and migrate call sites (CRYPTO-90-001). | WebService · Security Guild | 2025-11-24 | BLOCKED |
| Crypto providers | Design `ICryptoProviderRegistry` and migrate call sites (CRYPTO-90-001). | WebService · Security Guild | 2025-11-24 | TODO (unblocked 2025-12-05 by contracts) |

2
docs/implplan/SPRINT_0121_0001_0002_policy_reasoning_blockers.md
View File

@@ -10,7 +10,7 @@
- Execute when dependencies clear; no concurrent DOING items permitted until upstreams are met.
## Wave Coordination
- **Wave A (contracts):** LEDGER-ATTEST-73-001 + OAS prep artefacts must land; unblocks tasks 15.
- **Wave A (contracts):** LEDGER-ATTEST-73-001 + OAS prep artefacts must land; unblocks tasks 15. Note: [CONTRACT-VERIFICATION-POLICY-006](../contracts/verification-policy.md) now available for attestation verification schema.
- **Wave B (incident mode):** Depends on Wave A plus OBS-54-001 attestation telemetry; then LEDGER-OBS-55-001 can proceed.
- **Wave C (packs/time-travel):** Depends on Wave A SDK/OAS outputs; runs after Wave A to avoid schema drift. Remains BLOCKED until snapshot contract finalizes.

20
docs/implplan/SPRINT_0122_0001_0001_policy_reasoning.md
View File

@@ -13,8 +13,8 @@
## Wave Coordination
- **Wave A (prep):** P1P3 DONE; keep prep docs frozen.
- **Wave B (risk queries/exports):** Tasks 13 BLOCKED on risk scoring contract (66-002) and Export Center specs.
- **Wave C (tenancy):** Tasks 4/4b BLOCKED on RLS/partition design; runs after Wave B to align schemas.
- **Wave B (risk queries/exports):** Tasks 13 TODO; unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md) and [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md).
- **Wave C (tenancy):** Tasks 4/4b TODO; unblocked by [CONTRACT-FINDINGS-LEDGER-RLS-011](../contracts/findings-ledger-rls.md); runs after Wave B to align schemas.
- No work in progress until upstream contracts land; do not start Waves B/C prematurely.
## Documentation Prerequisites
@@ -35,11 +35,11 @@
| P1 | PREP-LEDGER-RISK-68-001-AWAIT-UNBLOCK-OF-67-0 | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Await unblock of 67-001 + Export Center contract for scored findings. <br><br> Document artefact/deliverable for LEDGER-RISK-68-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| P2 | PREP-LEDGER-RISK-69-001-REQUIRES-67-001-68-00 | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Requires 67-001/68-001 to define metrics dimensions. <br><br> Document artefact/deliverable for LEDGER-RISK-69-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| P3 | PREP-LEDGER-TEN-48-001-NEEDS-PLATFORM-APPROVE | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Needs platform-approved partitioning + RLS policy (tenant/project shape, session variables). <br><br> Document artefact/deliverable for LEDGER-TEN-48-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| 1 | LEDGER-RISK-67-001 | BLOCKED | Depends on risk scoring contract + migrations from LEDGER-RISK-66-002 | Findings Ledger Guild · Risk Engine Guild / `src/Findings/StellaOps.Findings.Ledger` | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links |
| 2 | LEDGER-RISK-68-001 | BLOCKED | PREP-LEDGER-RISK-68-001-AWAIT-UNBLOCK-OF-67-0 | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
| 3 | LEDGER-RISK-69-001 | BLOCKED | PREP-LEDGER-RISK-69-001-REQUIRES-67-001-68-00 | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
| 4 | LEDGER-TEN-48-001-DEV | BLOCKED | PREP-LEDGER-TEN-48-001-NEEDS-PLATFORM-APPROVE | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
| 4b | DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (DevOps release-only) | Depends on 4 dev RLS design; wire migrations and release/offline-kit packaging in DevOps sprint. | DevOps Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 1 | LEDGER-RISK-67-001 | TODO | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); scoring schema available. | Findings Ledger Guild · Risk Engine Guild / `src/Findings/StellaOps.Findings.Ledger` | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links |
| 2 | LEDGER-RISK-68-001 | TODO | Unblocked; can proceed after 67-001 with [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md). | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
| 3 | LEDGER-RISK-69-001 | TODO | Unblocked; can proceed after 67-001/68-001. | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
| 4 | LEDGER-TEN-48-001-DEV | TODO | Unblocked by [CONTRACT-FINDINGS-LEDGER-RLS-011](../contracts/findings-ledger-rls.md); RLS pattern defined based on Evidence Locker. | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
| 4b | DEVOPS-LEDGER-TEN-48-001-REL | TODO | Unblocked; can proceed after task 4 with migration templates from contract. | DevOps Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -53,9 +53,9 @@
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
## Decisions & Risks
- Risk scoring contract (LEDGER-RISK-66-002) not delivered; query/export tasks paused until schema and API surface exist.
- Export Center contract for scored findings not defined; blocks integration work (68-001).
- DB partitioning + RLS rules (tenant/project semantics, session variables) not specified; proceeding without would risk incompatible schema and unsafe access control.
- Risk scoring contract now available at [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); query/export tasks unblocked.
- Export Center contract now available at [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md); integration work (68-001) can proceed.
- DB partitioning + RLS rules now specified in [CONTRACT-FINDINGS-LEDGER-RLS-011](../contracts/findings-ledger-rls.md); based on Evidence Locker's proven pattern.
## Next Checkpoints
- Await Risk Engine contract drop for 66-002 (date TBD; track in Sprint 0121 dependencies).

28
docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md
View File

@@ -45,20 +45,20 @@
| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | Requires 73-002 + Attestor pipeline contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Policy Guild · Console Guild | Policy Guild · Console Guild | Needs 74-001 surfaced in Console verification reports contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
| P15 | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Policy Guild · BE-Base Platform Guild | Policy Guild · BE-Base Platform Guild | Console API contract (filters/pagination/aggregation) absent. <br><br> Document artefact/deliverable for POLICY-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild · Scheduler Guild · Observability Guild | Implement Console export endpoints/jobs once schema + job wiring are defined. |
| 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild | Air-gap bundle import support for policy packs. |
| 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild · Policy Studio Guild | Air-gap sealed-mode handling for policy packs. |
| 4 | POLICY-AIRGAP-57-001 | BLOCKED | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | Policy Guild · AirGap Policy Guild | Sealed-mode error handling for policy packs. |
| 5 | POLICY-AIRGAP-57-002 | BLOCKED | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | Policy Guild · AirGap Time Guild | Staleness/fallback signaling for policy packs. |
| 6 | POLICY-AIRGAP-58-001 | BLOCKED | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | Policy Guild · Notifications Guild | Notifications for air-gap policy pack changes. |
| 7 | POLICY-AOC-19-001 | BLOCKED | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | Policy Guild | Implement linting for ingestion projects/helpers. |
| 8 | POLICY-AOC-19-002 | BLOCKED | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | Policy Guild · Platform Security | Enforce `effective:write` gate. |
| 9 | POLICY-AOC-19-003 | BLOCKED | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | Policy Guild | Remove normalized fields per contract. |
| 10 | POLICY-AOC-19-004 | BLOCKED | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | Policy Guild · QA Guild | Determinism/fixtures for normalized-field removal. |
| 11 | POLICY-ATTEST-73-001 | BLOCKED | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | Policy Guild · Attestor Service Guild | Persist verification policy schema. |
| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild | Editor DTOs/validation for verification policy. |
| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | Policy Guild · Attestor Service Guild | Surface attestation reports. |
| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild · Console Guild | Console report integration. |
| 1 | EXPORT-CONSOLE-23-001 | TODO | Unblocked by [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md); schema available. | Policy Guild · Scheduler Guild · Observability Guild | Implement Console export endpoints/jobs once schema + job wiring are defined. |
| 2 | POLICY-AIRGAP-56-001 | TODO | Unblocked by [CONTRACT-MIRROR-BUNDLE-003](../contracts/mirror-bundle.md); schema available. | Policy Guild | Air-gap bundle import support for policy packs. |
| 3 | POLICY-AIRGAP-56-002 | TODO | Unblocked; can proceed after 56-001. | Policy Guild · Policy Studio Guild | Air-gap sealed-mode handling for policy packs. |
| 4 | POLICY-AIRGAP-57-001 | TODO | Unblocked by [CONTRACT-SEALED-MODE-004](../contracts/sealed-mode.md); can proceed after 56-002. | Policy Guild · AirGap Policy Guild | Sealed-mode error handling for policy packs. |
| 5 | POLICY-AIRGAP-57-002 | TODO | Unblocked; staleness contract available in sealed-mode. | Policy Guild · AirGap Time Guild | Staleness/fallback signaling for policy packs. |
| 6 | POLICY-AIRGAP-58-001 | TODO | Unblocked; can proceed after 57-002. | Policy Guild · Notifications Guild | Notifications for air-gap policy pack changes. |
| 7 | POLICY-AOC-19-001 | TODO | Unblocked by [CONTRACT-POLICY-STUDIO-007](../contracts/policy-studio.md); linting targets defined. | Policy Guild | Implement linting for ingestion projects/helpers. |
| 8 | POLICY-AOC-19-002 | TODO | Unblocked by [CONTRACT-AUTHORITY-EFFECTIVE-WRITE-008](../contracts/authority-effective-write.md). | Policy Guild · Platform Security | Enforce `effective:write` gate. |
| 9 | POLICY-AOC-19-003 | TODO | Unblocked; can proceed after 19-002. | Policy Guild | Remove normalized fields per contract. |
| 10 | POLICY-AOC-19-004 | TODO | Unblocked; can proceed after 19-003. | Policy Guild · QA Guild | Determinism/fixtures for normalized-field removal. |
| 11 | POLICY-ATTEST-73-001 | TODO | Unblocked by [CONTRACT-VERIFICATION-POLICY-006](../contracts/verification-policy.md); schema available. | Policy Guild · Attestor Service Guild | Persist verification policy schema. |
| 12 | POLICY-ATTEST-73-002 | TODO | Unblocked; can proceed after 73-001. | Policy Guild | Editor DTOs/validation for verification policy. |
| 13 | POLICY-ATTEST-74-001 | TODO | Unblocked; can proceed after 73-002 with Attestor pipeline. | Policy Guild · Attestor Service Guild | Surface attestation reports. |
| 14 | POLICY-ATTEST-74-002 | TODO | Unblocked; can proceed after 74-001. | Policy Guild · Console Guild | Console report integration. |
| 15 | POLICY-CONSOLE-23-001 | DONE (2025-12-02) | Contract published at `docs/modules/policy/contracts/policy-console-23-001-console-api.md`; unblock downstream Console integration. | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
## Execution Log

4
docs/implplan/SPRINT_0125_0001_0001_mirror.md
View File

@@ -32,8 +32,8 @@
| 5 | MIRROR-CRT-58-001 | DONE (2025-12-03) | Test-signed thin v1 bundle + CLI wrappers ready; production signing still waits on MIRROR-CRT-56-002 key. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
| 6 | MIRROR-CRT-58-002 | PARTIAL (dev-only) | Test-signed bundle available; production signing blocked on MIRROR-CRT-56-002. | Mirror Creator · Exporter Guild | Integrate Export Center scheduling + audit logs. |
| 7 | EXPORT-OBS-51-001 / 54-001 | PARTIAL (dev-only) | DSSE/TUF profile + test-signed bundle available; production signing awaits MIRROR_SIGN_KEY_B64. | Exporter Guild | Align Export Center workers with assembler output. |
| 8 | AIRGAP-TIME-57-001 | BLOCKED | MIRROR-CRT-56-001 sample exists; needs DSSE/TUF + time-anchor schema from AirGap Time. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
| 9 | CLI-AIRGAP-56-001 | BLOCKED | MIRROR-CRT-56-002/58-001 pending; offline kit inputs unavailable. | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
| 8 | AIRGAP-TIME-57-001 | TODO | Unblocked by [CONTRACT-SEALED-MODE-004](../contracts/sealed-mode.md) + time-anchor schema; DSSE/TUF available. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
| 9 | CLI-AIRGAP-56-001 | TODO | Unblocked by [CONTRACT-MIRROR-BUNDLE-003](../contracts/mirror-bundle.md); can proceed with bundle schema. | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
| 10 | PROV-OBS-53-001 | DONE (2025-11-23) | Observer doc + verifier script `scripts/mirror/verify_thin_bundle.py` in repo; validates hashes, determinism, and manifest/index digests. | Security Guild | Define provenance observers + verification hooks. |
| 11 | OFFKIT-GAPS-125-011 | DONE (2025-12-02) | Bundle meta + offline policy layers + verifier updated; see milestone.json and bundle DSSE. | Product Mgmt · Mirror/AirGap Guilds | Address offline-kit gaps OK1OK10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: key manifest/rotation + PQ co-sign, tool hashing/signing, DSSE-signed top-level manifest linking all artifacts, checkpoint freshness/mirror metadata, deterministic packaging flags, inclusion of scan/VEX/policy/graph hashes, time anchor bundling, transport/chunking + chain-of-custody, tenant/env scoping, and scripted verify with negative-path guidance. |
| 12 | REKOR-GAPS-125-012 | DONE (2025-12-02) | Rekor policy layer + bundle meta/TUF DSSE; refer to `layers/rekor-policy.json`. | Product Mgmt · Mirror/AirGap · Attestor Guilds | Address Rekor v2/DSSE gaps RK1RK10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: enforce dsse/hashedrekord only, payload size preflight + chunk manifests, public/private routing policy, shard-aware checkpoints, idempotent submission keys, Sigstore bundles in kits, checkpoint freshness bounds, PQ dual-sign options, error taxonomy/backoff, policy/graph annotations in DSSE/bundles. |

20
docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
View File

@@ -11,7 +11,7 @@
## Wave Coordination
- **Wave A (SPL schema/tooling):** Tasks 1015 DONE; keep SPL schema/fixtures/canonicalizer/layering stable.
- **Wave B (risk profile lifecycle APIs):** Tasks 12 DONE; publish schema and lifecycle endpoints; hold steady for downstream consumers.
- **Wave C (risk simulations/overrides/exports/notifications/air-gap):** Tasks 39 BLOCKED on Policy Studio contract, Authority attachment rules, override audit fields, notifications, and air-gap packaging; run sequentially once contracts land.
- **Wave C (risk simulations/overrides/exports/notifications/air-gap):** Tasks 37, 9 TODO; unblocked by contracts ([RISK-SCORING-002](../contracts/risk-scoring.md), [POLICY-STUDIO-007](../contracts/policy-studio.md), [AUTHORITY-EFFECTIVE-WRITE-008](../contracts/authority-effective-write.md), [MIRROR-BUNDLE-003](../contracts/mirror-bundle.md), [SEALED-MODE-004](../contracts/sealed-mode.md)). Task 8 remains BLOCKED on notifications contract.
- No additional work in progress; avoid starting Wave C until dependencies clear.
## Documentation Prerequisites
@@ -27,13 +27,13 @@
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-RISK-67-002 | DONE (2025-11-27) | — | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Risk profile lifecycle APIs. |
| 2 | POLICY-RISK-67-002 | DONE (2025-11-27) | — | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Publish `.well-known/risk-profile-schema` + CLI validation. |
| 3 | POLICY-RISK-67-003 | BLOCKED (2025-11-26) | Blocked by 67-002 contract + simulation inputs. | Policy · Risk Engine Guild / `src/Policy/__Libraries/StellaOps.Policy` | Risk simulations + breakdowns. |
| 4 | POLICY-RISK-68-001 | BLOCKED (2025-11-26) | Blocked by 67-003 outputs and missing Policy Studio contract. | Policy · Policy Studio Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation API for Policy Studio. |
| 5 | POLICY-RISK-68-001 | BLOCKED (2025-11-26) | Blocked until 68-001 API + Authority attachment rules defined. | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
| 6 | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked until overrides contract & audit fields agreed. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
| 7 | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked by 68-002 and signing profile for exports. | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
| 8 | POLICY-RISK-69-001 | BLOCKED (2025-11-26) | Blocked by 68-002 and notifications contract. | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 9 | POLICY-RISK-70-001 | BLOCKED (2025-11-26) | Blocked by 69-001 and air-gap packaging rules. | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
| 3 | POLICY-RISK-67-003 | TODO | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); 67-002 contract DONE. | Policy · Risk Engine Guild / `src/Policy/__Libraries/StellaOps.Policy` | Risk simulations + breakdowns. |
| 4 | POLICY-RISK-68-001 | TODO | Unblocked by [CONTRACT-POLICY-STUDIO-007](../contracts/policy-studio.md); can proceed after 67-003. | Policy · Policy Studio Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation API for Policy Studio. |
| 5 | POLICY-RISK-68-001 | TODO | Unblocked by [CONTRACT-AUTHORITY-EFFECTIVE-WRITE-008](../contracts/authority-effective-write.md). | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
| 6 | POLICY-RISK-68-002 | TODO | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md) (RiskOverrides included). | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
| 7 | POLICY-RISK-68-002 | TODO | Unblocked; can proceed after task 6 with [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md). | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
| 8 | POLICY-RISK-69-001 | BLOCKED | Blocked by 68-002 and notifications contract (not yet published). | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 9 | POLICY-RISK-70-001 | TODO | Unblocked by [CONTRACT-MIRROR-BUNDLE-003](../contracts/mirror-bundle.md) and [CONTRACT-SEALED-MODE-004](../contracts/sealed-mode.md). | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
| 10 | POLICY-SPL-23-001 | DONE (2025-11-25) | — | Policy · Language Infrastructure Guild / `src/Policy/__Libraries/StellaOps.Policy` | Define SPL v1 schema + fixtures. |
| 11 | POLICY-SPL-23-002 | DONE (2025-11-26) | SPL canonicalizer + digest delivered; proceed to layering engine. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Canonicalizer + content hashing. |
| 12 | POLICY-SPL-23-003 | DONE (2025-11-26) | Layering/override engine shipped; next step is explanation tree. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Layering/override engine + tests. |
@@ -63,7 +63,9 @@
| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_128_policy_reasoning.md` to `SPRINT_0128_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
## Decisions & Risks
- Risk profile contracts and SPL schema not yet defined; entire chain remains TODO pending upstream specs.
- Risk profile contracts now available at [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); SPL schema delivered (tasks 10-15 DONE).
- Policy Studio, Authority, and air-gap contracts now published; most Wave C tasks unblocked.
- Task 8 (POLICY-RISK-69-001) remains BLOCKED pending notifications contract.
// Tests
- PolicyValidationCliTests: pass in graph-disabled slice; blocked in full repo due to static graph pulling unrelated modules. Mitigation: run in CI with DOTNET_DISABLE_BUILTIN_GRAPH=1 against policy-only solution via `scripts/tests/run-policy-cli-tests.sh` (Linux/macOS) or `scripts/tests/run-policy-cli-tests.ps1` (Windows).

6
docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
View File

@@ -15,7 +15,7 @@
- **Wave A (Deno runtime hooks):** Tasks 13 DONE; keep runtime trace/signal schemas frozen.
- **Wave B (Java analyzers chain):** Tasks 410 BLOCKED on 21-005/21-008 completion and CI runner (DEVOPS-SCANNER-CI-11-001).
- **Wave C (DotNet entrypoints):** Task 11 BLOCKED pending CI runner to resolve test hangs.
- **Wave D (PHP analyzer bootstrap):** Task 12 BLOCKED pending spec/fixtures.
- **Wave D (PHP analyzer bootstrap):** Task 12 TODO; unblocked by [CONTRACT-SCANNER-PHP-ANALYZER-013](../contracts/scanner-php-analyzer.md).
- Work remains blocked in Waves BD; avoid starts until dependencies and CI runner are available.
## Documentation Prerequisites
@@ -45,7 +45,7 @@
| 9 | SCANNER-ANALYZERS-JAVA-21-010 | BLOCKED (depends on 21-009) | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
| 10 | SCANNER-ANALYZERS-JAVA-21-011 | BLOCKED (depends on 21-010) | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES; DEVOPS-SCANNER-CI-11-001 for clean runner + binlogs/TRX. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
| 12 | SCANNER-ANALYZERS-PHP-27-001 | BLOCKED (2025-11-24) | Awaiting PHP analyzer bootstrap spec/fixtures and sprint placement; needs composer/VFS schema and offline kit target. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers; detect framework/CMS fingerprints deterministically. |
| 12 | SCANNER-ANALYZERS-PHP-27-001 | TODO | Unblocked by [CONTRACT-SCANNER-PHP-ANALYZER-013](../contracts/scanner-php-analyzer.md); composer/VFS schema and offline kit target defined. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers; detect framework/CMS fingerprints deterministically. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -95,7 +95,7 @@
- Additional note: dotnet-filter wrapper avoids `workdir:` injection but full solution builds still stall locally; recommend CI/clean runner and/or scoped project tests to gather logs for LANG-11-001.
- `SCANNER-ANALYZERS-JAVA-21-008` blocked (2025-10-27): resolver capacity needed to produce entrypoint/component/edge outputs; downstream tasks remain stalled until resolved.
- Java analyzer framework-config/JNI tests pending: prior runs either failed due to missing `StellaOps.Concelier.Storage.Mongo` `CoreLinksets` types or were aborted due to repo-wide restore contention; rerun on clean runner or after Concelier build stabilises.
- `SCANNER-ANALYZERS-PHP-27-001` blocked: PHP analyzer bootstrap spec/fixtures not provided; needs composer/VFS schema and offline kit target before implementation.
- `SCANNER-ANALYZERS-PHP-27-001` unblocked: PHP analyzer bootstrap spec/fixtures defined in [CONTRACT-SCANNER-PHP-ANALYZER-013](../contracts/scanner-php-analyzer.md); composer/VFS schema and offline kit target available.
- Deno runtime hook + policy-signal schema drafted in `docs/modules/scanner/design/deno-runtime-signals.md`; shim plan in `docs/modules/scanner/design/deno-runtime-shim.md`.
- Deno runtime shim now emits module/permission/wasm/npm events; needs end-to-end validation on a Deno runner (cached-only) to confirm module loader hook coverage before wiring DENO-26-010/011.
- Offline smoke test uses stubbed `deno` to verify runner/shim integration; still advisable to run once with real cached-only `deno` to validate module-loader hook coverage before wiring DENO-26-010/011 (but not blocking current task). With analyzer now auto-calling the runner when `STELLA_DENO_ENTRYPOINT` is set, runtime capture is available as soon as a real `deno` binary is present.

4
docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
View File

@@ -59,7 +59,7 @@
| 36 | SURFACE-FS-04 | DONE (2025-11-27) | SURFACE-FS-02 | Zastava Guild | Integrate Surface.FS reader into Zastava Observer runtime drift loop. |
| 37 | SURFACE-FS-05 | DONE (2025-11-27) | SURFACE-FS-03 | Scanner Guild, Scheduler Guild | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. |
| 38 | SURFACE-FS-06 | DONE (2025-11-28) | SURFACE-FS-02..05 | Docs Guild | Update scanner-engine guide and offline kit docs with Surface.FS workflow. |
| 39 | SCANNER-SURFACE-01 | BLOCKED (2025-11-25) | Task definition absent | Scanner Guild | Placeholder task; scope/contract required before implementation. |
| 39 | SCANNER-SURFACE-01 | TODO | Unblocked by [CONTRACT-SCANNER-SURFACE-014](../contracts/scanner-surface.md); scope and contract defined. | Scanner Guild | Surface analysis framework: entry point discovery, attack surface enumeration, policy signal emission. |
| 40 | SCANNER-SURFACE-04 | DONE (2025-12-02) | SCANNER-SURFACE-01, SURFACE-FS-03 | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | DSSE-sign every `layer.fragments` payload, emit `_composition.json`/`composition.recipe` URI, and persist DSSE envelopes for deterministic offline replay (see `deterministic-sbom-compose.md` §2.1). |
| 41 | SURFACE-FS-07 | DONE (2025-12-02, superseded by #42) | SCANNER-SURFACE-04 | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS`) | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec (legacy TODO; superseded by row 42). |
| 42 | SURFACE-FS-07 | DONE (2025-12-02) | SCANNER-SURFACE-04 | Scanner Guild | Surface.FS manifest schema carries composition recipe/DSSE attestations and determinism metadata; determinism verifier added for offline replay. |
@@ -134,7 +134,7 @@
- SCANNER-LNM-21-001 delivered with Concelier shared-library resolver; linkset enrichment returns data when Concelier linkset store is configured, otherwise responses omit the `linksets` field (fallback null provider).
- SURFACE-SECRETS-06 BLOCKED pending Ops Helm/Compose patterns for Surface.Secrets provider configuration (kubernetes/file/inline).
- SCANNER-EVENTS-16-301 BLOCKED awaiting orchestrator envelope contract + Notifier ingestion test plan.
- SCANNER-SURFACE-01 lacks scoped contract; placeholder must be defined or retired before new dependencies are added.
- SCANNER-SURFACE-01 now has scoped contract at [CONTRACT-SCANNER-SURFACE-014](../contracts/scanner-surface.md); ready for implementation.
- SCANNER-EMIT-15-001 DOING: HMAC-backed DSSE signer added with deterministic fallback; enable by providing `Scanner:Worker:Signing:SharedSecret` (or file) + `KeyId`. Full scanner test suite still pending after cancelled long restore/build.
- Long restore/build times in monorepo runners delayed determinism test runs for SURFACE-FS-07 and new signer; Surface.FS determinism tests now passing locally (Release); broader scanner suite still pending in CI.
- Scheduler worker build/tests not run locally after manifest prefetch wiring (NuGet restore timeout); verify in CI.

22
docs/implplan/SPRINT_0208_0001_0001_sdk.md
View File

@@ -24,16 +24,16 @@
| --- | --- | --- | --- | --- | --- |
| 1 | SDKGEN-62-001 | DONE (2025-11-24) | Toolchain, template layout, and reproducibility spec pinned. | SDK Generator Guild · `src/Sdk/StellaOps.Sdk.Generator` | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. |
| 2 | SDKGEN-62-002 | DONE (2025-11-24) | Shared post-processing merged; helpers wired. | SDK Generator Guild | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. |
| 3 | SDKGEN-63-001 | BLOCKED (2025-11-27) | Awaiting frozen aggregate OAS digest to generate TS alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. |
| 4 | SDKGEN-63-002 | BLOCKED (2025-11-27) | Awaiting frozen aggregate OAS digest to generate Python alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). |
| 5 | SDKGEN-63-003 | BLOCKED (2025-11-26) | Awaiting frozen aggregate OAS digest to generate Go alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Go SDK alpha with context-first API and streaming helpers. |
| 6 | SDKGEN-63-004 | BLOCKED (2025-11-26) | Awaiting frozen aggregate OAS digest to generate Java alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Java SDK alpha (builder pattern, HTTP client abstraction). |
| 7 | SDKGEN-64-001 | BLOCKED (2025-11-30) | Depends on 63-004; waiting for frozen aggregate OAS and Java alpha before mapping CLI surfaces. | SDK Generator Guild · CLI Guild | Switch CLI to consume TS or Go SDK; ensure parity once Wave B artifacts land. |
| 8 | SDKGEN-64-002 | BLOCKED (2025-11-30) | Depends on 64-001; blocked until SDKGEN-64-001 completes. | SDK Generator Guild · Console Guild | Integrate SDKs into Console data providers where feasible. |
| 9 | SDKREL-63-001 | BLOCKED (2025-11-30) | Awaiting signing key provisioning (Action #7); cannot stage CI signing/provenance. | SDK Release Guild · `src/Sdk/StellaOps.Sdk.Release` | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. |
| 10 | SDKREL-63-002 | BLOCKED (2025-11-30) | Blocked until 63-001 unblocks; needs CI signing path + OAS diff feed. | SDK Release Guild · API Governance Guild | Integrate changelog automation pulling from OAS diffs and generator metadata. |
| 11 | SDKREL-64-001 | BLOCKED (2025-11-30) | Blocked until 63-001 unblocks; Notifications channels require signed release events. | SDK Release Guild · Notifications Guild | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. |
| 12 | SDKREL-64-002 | BLOCKED (2025-11-30) | Depends on SDKGEN-64-001 artifacts and signed releases; manifest format ready. | SDK Release Guild · Export Center Guild | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. |
| 3 | SDKGEN-63-001 | TODO | Unblocked by [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md); follow freeze process to generate TS alpha. | SDK Generator Guild | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. |
| 4 | SDKGEN-63-002 | TODO | Unblocked by [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md); follow freeze process to generate Python alpha. | SDK Generator Guild | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). |
| 5 | SDKGEN-63-003 | TODO | Unblocked by [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md); follow freeze process to generate Go alpha. | SDK Generator Guild | Ship Go SDK alpha with context-first API and streaming helpers. |
| 6 | SDKGEN-63-004 | TODO | Unblocked by [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md); follow freeze process to generate Java alpha. | SDK Generator Guild | Ship Java SDK alpha (builder pattern, HTTP client abstraction). |
| 7 | SDKGEN-64-001 | TODO | Unblocked; can proceed after 63-004 with [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md). | SDK Generator Guild · CLI Guild | Switch CLI to consume TS or Go SDK; ensure parity once Wave B artifacts land. |
| 8 | SDKGEN-64-002 | TODO | Unblocked; can proceed after 64-001. | SDK Generator Guild · Console Guild | Integrate SDKs into Console data providers where feasible. |
| 9 | SDKREL-63-001 | TODO | Dev key available at `tools/cosign/cosign.dev.key` for staging; production keys pending Action #7. | SDK Release Guild · `src/Sdk/StellaOps.Sdk.Release` | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. |
| 10 | SDKREL-63-002 | TODO | Unblocked; can proceed after 63-001 with dev key for staging. | SDK Release Guild · API Governance Guild | Integrate changelog automation pulling from OAS diffs and generator metadata. |
| 11 | SDKREL-64-001 | TODO | Unblocked; can proceed after 63-001 with dev key for staging. | SDK Release Guild · Notifications Guild | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. |
| 12 | SDKREL-64-002 | TODO | Unblocked; can proceed after SDKGEN-64-001 with dev key for staging. | SDK Release Guild · Export Center Guild | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. |
## Wave Coordination
- Single wave covering generator and release work; language tracks branch after SDKGEN-62-002.
@@ -79,7 +79,7 @@
- Offline bundle job (SDKREL-64-002) depends on Export Center artifacts; track alongside Export Center sprints; remains BLOCKED until SDKGEN-64-001 completes.
- Shared postprocess helpers copy only when CI sets `STELLA_POSTPROCESS_ROOT` and `STELLA_POSTPROCESS_LANG`; ensure generation jobs export these to keep helpers present in artifacts.
- Aggregate OAS freeze now on critical path for Wave B; request tagged snapshot with SHA (Action #6) by 2025-12-02 to unblock SDKGEN-63-001..004.
- Sprint currently fully blocked: all Delivery Tracker items depend on Actions #6#7 (OAS snapshot and signing keys). If unresolved by 2025-12-02, push Wave B and downstream checkpoints by ≥1 week.
- Sprint fully unblocked for development/staging: [CONTRACT-API-GOVERNANCE-BASELINE-012](../contracts/api-governance-baseline.md) provides freeze process for OAS snapshot. Development signing key available at `tools/cosign/cosign.dev.key` (password: `stellaops-dev`). Production releases still require sovereign key provisioning (Action #7).
### Risk Register
| Risk | Impact | Mitigation | Owner | Status |

82
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -35,33 +35,33 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | GRAPH-CAS-401-001 | BLOCKED (2025-11-27) | Await richgraph-v1 schema approval and CAS layout alignment. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{sha256}`, update adapters/fixtures. |
| 2 | GAP-SYM-007 | BLOCKED (2025-11-27) | Waiting on GRAPH-CAS-401-001 schema/hash decisions. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | BLOCKED (2025-11-27) | Needs symbolizer adapters from tasks 1/4; add golden fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | BLOCKED (2025-11-27) | Stand up native readers/demanglers; awaiting Symbols Server contract. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 5 | SYMS-SERVER-401-011 | BLOCKED (2025-11-30) | Await richgraph schema/hash + storage layout confirmation; Wave 0401 blocked. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
| 6 | SYMS-CLIENT-401-012 | BLOCKED (2025-11-30) | Blocked on 5 (server readiness) and schema/hash alignment (2025-12-02). | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | BLOCKED (2025-11-30) | Hold for SYMBOL_MANIFEST + graph schema freeze (2025-12-02 checkpoint). | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | BLOCKED (2025-11-30) | Waiting on Signals ingestion contract and graph schema freeze (tasks 1/19). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 1 | GRAPH-CAS-401-001 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (`docs/contracts/richgraph-v1.md`). | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{blake3}`, update adapters/fixtures. |
| 2 | GAP-SYM-007 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; needs symbolizer adapters from tasks 1/4. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; stand up native readers/demanglers. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 5 | SYMS-SERVER-401-011 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; proceed with implementation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
| 6 | SYMS-CLIENT-401-012 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 5 (server readiness). | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 19 (GAP-REP-004). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | BLOCKED (2025-11-30) | Blocked on runtime probe collectors + ingestion endpoint readiness. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | BLOCKED (2025-11-30) | Needs runtime hit feeds from 8/9; hold until ingestion/probes unblocked. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | BLOCKED | Requires CAS registration policy from GAP-REP-004. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 12 | AUTH-REACH-401-005 | DONE (2025-11-27) | Predicate types exist; DSSE signer service added. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
| 13 | POLICY-VEX-401-006 | BLOCKED (2025-11-30) | Waiting on Signals reachability facts (tasks 8/10) and schema alignment (1/19). | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | BLOCKED (2025-11-30) | Blocked on 13 and DSSE path readiness; follow bench playbook once schema frozen. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | BLOCKED (2025-11-30) | Requires graph CAS outputs + policy evidence (1/13/14) post schema/hash checkpoint. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 13 | POLICY-VEX-401-006 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 13. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/13/14. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | TODO | Needs reachbench fixtures (QA-CORPUS-401-031) and docs readiness. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | BLOCKED (2025-11-30) | Blocked on Signals runtime ingestion (8) and schema/hash checkpoint (2025-12-02). | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | BLOCKED (2025-11-30) | Needs graph schema from tasks 1/19; hold until alignment meeting. | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | BLOCKED (2025-11-30) | Requires BLAKE3 hashing agreement; waiting on 2025-12-02 schema/hash alignment. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | BLOCKED (2025-11-30) | Consumes reach facts from Signals; waiting on 8/10/17 plus schema freeze. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | BLOCKED (2025-11-30) | Follows 20 plus UI/CLI surfaces; hold until reach facts + schema ready. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 22 | GAP-DOC-008 | BLOCKED (2025-11-30) | After evidence schema stabilises; hold until 2025-12-02 schema/hash alignment. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
| 23 | CLI-VEX-401-011 | BLOCKED (2025-11-30) | Needs Policy outputs from 13/14 and schema/hash checkpoint. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 17 | GAP-SIG-003 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 8. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/19. | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (BLAKE3 for graphs confirmed). | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10/17. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 20. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 22 | GAP-DOC-008 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
| 23 | CLI-VEX-401-011 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13/14. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 24 | SIGN-VEX-401-018 | DONE (2025-11-26) | Predicate types added with tests. | Signing Guild (`src/Signer/StellaOps.Signer`, `docs/modules/signer/architecture.md`) | Extend Signer predicate catalog with `stella.ops/vexDecision@v1`, enforce payload policy, plumb DSSE/Rekor integration. |
| 25 | BENCH-AUTO-401-019 | BLOCKED (2025-11-30) | Hold until dataset schema/feed hashes published (tasks 1/55/58). | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | BLOCKED (2025-11-30) | Align with GAP-DOC-008 and bench playbook; hold until schema/hash freeze. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | BLOCKED (2025-11-30) | Depends on SYMBOL_MANIFEST spec and ingest pipeline; wait for 2025-12-02 schema/hash checkpoint. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 25 | BENCH-AUTO-401-019 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 22. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
@@ -71,30 +71,30 @@
| 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild · Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
| 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
| 36 | DSSE-DOCS-401-022 | DONE (2025-11-27) | Follows 34/35; document build-time flow. | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
| 37 | REACH-LATTICE-401-023 | BLOCKED (2025-11-30) | Align Scanner + Policy schemas; waiting on 2025-12-02 schema/hash decisions. | Scanner Guild · Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
| 38 | UNCERTAINTY-SCHEMA-401-024 | BLOCKED (2025-11-30) | Schema changes rely on Signals ingestion work and graph schema freeze. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
| 39 | UNCERTAINTY-SCORER-401-025 | BLOCKED (2025-11-30) | Depends on 38 outputs; hold until schema freeze. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | BLOCKED (2025-11-30) | Guidance depends on 38/39; wait for schema decisions. | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | BLOCKED (2025-11-30) | UI/CLI depends on 38/39 outputs; hold pending schema alignment. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 37 | REACH-LATTICE-401-023 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Scanner Guild · Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
| 38 | UNCERTAINTY-SCHEMA-401-024 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows Signals work. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
| 39 | UNCERTAINTY-SCORER-401-025 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 38. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild · Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject→Rekor map drafted. |
| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
| 46 | QA-CORPUS-401-031 | BLOCKED (2025-11-30) | Hold until schema/feed hashes freeze (tasks 1/55/58) post 2025-12-02 checkpoint. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | BLOCKED (2025-11-30) | Depends on policy/CLI evidence chain (1315,21) and schema/hash alignment. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI Explain/Verify surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 48 | POLICY-GATE-401-033 | BLOCKED (2025-11-30) | Gate depends on Signals/Scanner reach evidence; wait for 2025-12-02 schema/hash decisions. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | BLOCKED (2025-11-30) | Needs graph schema from 1 and signals store alignment; hold for 2025-12-02 checkpoint. | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | BLOCKED (2025-11-30) | Depends on scanner symbol work and fixtures; blocked until schema/symbol server decisions. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | BLOCKED (2025-11-30) | Requires graph writer updates from 1; wait for schema/hash alignment. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | BLOCKED (2025-11-30) | Depends on reachability graph fixtures; wait for tasks 1/53 schema freeze. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | BLOCKED (2025-11-30) | Await graph schema (task 1) final hash; alignment meeting 2025-12-02. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering → BLAKE3 graph hash → DSSE envelope → Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | BLOCKED (2025-11-30) | Depends on 53 + init/root handling (51); waiting on schema/hash alignment. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (≤512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | BLOCKED (2025-11-30) | Needs edge-bundle schema from 54 and Unknowns rules; wait for 2025-12-02 checkpoint. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | BLOCKED (2025-11-30) | Dependent on 5355 delivery; hold until schema/hash alignment completes. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 46 | QA-CORPUS-401-031 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1315, 21. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 48 | POLICY-GATE-401-033 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/53. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (BLAKE3 + CAS layout defined). | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering → BLAKE3 graph hash → DSSE envelope → Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 51/53. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (≤512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 54. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 5355. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | BLOCKED (2025-11-30) | Needs schema alignment from tasks 1/17/55; wait for 2025-12-02 freeze. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | BLOCKED (2025-11-30) | Depends on task 1 graph schema + native symbolizer readiness; hold until 2025-12-02 checkpoint. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | BLOCKED (2025-11-30) | After 58 schema settled; blocked until dataset freeze post 2025-12-02 checkpoint. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 58 | DATASET-REACH-PUB-401-058 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 58. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 5760. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild · Excititor Guild · Docs Guild | Address VEX1VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | TODO | None; informs tasks 1, 11, 3741. | Platform Guild · Scanner Guild · Policy Guild · UI/CLI Guilds | Address graph revision gaps GR1GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
@@ -105,7 +105,7 @@
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 0401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | BLOCKED (2025-11-30) | Foundation work (Sprint 0400) and richgraph schema decisions outstanding; unblock after record mode emits replay manifests and Evidence Locker APIs exist. |
| 0401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (`docs/contracts/richgraph-v1.md`). Schema frozen with BLAKE3 for graphs, SHA256 for symbols. |
## Wave Detail Snapshots
- Single wave covering end-to-end reachability evidence; proceed once Sprint 0400 + upstream runtime/replay prerequisites land.

402
docs/implplan/SPRINT_0515_0001_0001_crypto_compliance_migration.md Normal file
View File

@@ -0,0 +1,402 @@
# Sprint 0515 · Libraries · Compliance-First Crypto Hash Migration
## Topic & Scope
Migrate all direct cryptographic hash operations (`SHA256.HashData()`, `HMACSHA256`, `IncrementalHash`) throughout the codebase to use the purpose-based `ICryptoHash` and `ICryptoHmac` abstractions. This enables central configuration of jurisdiction-specific crypto requirements via compliance profiles (world/fips/gost/sm/kcmvp/eidas).
**Key Principle:** Strict compliance - components request hashing by **PURPOSE** (not algorithm), and the platform resolves to the correct algorithm based on the active **compliance profile**.
**Working directories:**
- `src/__Libraries/StellaOps.Cryptography*` (core abstractions)
- `src/Policy/StellaOps.Policy.*` (risk profile hashing)
- `src/Orchestrator/StellaOps.Orchestrator.Core` (canonical JSON hashing)
- `src/Findings/StellaOps.Findings.Ledger` (Merkle tree)
- `src/__Libraries/StellaOps.Replay.Core` (deterministic hash)
- `src/Provenance/StellaOps.Provenance.Attestation` (verification)
- `src/Attestor/StellaOps.Attestor.Verify` (attestation verification)
- `src/ExportCenter/StellaOps.ExportCenter.*` (bundle hashing)
- `src/Cli/StellaOps.Cli` (promotion assembly)
- `src/AdvisoryAI/StellaOps.AdvisoryAI` (vector encoding)
- `src/Signer/StellaOps.Signer.*` (HMAC signing)
- `src/Scanner/StellaOps.Scanner.*` (DSSE signing)
- `src/Notifier/StellaOps.Notifier.*` (webhook security)
## Dependencies & Concurrency
- Depends on Phase 1-3 completion of `ICryptoHash` interface with purpose-based methods (COMPLETED)
- `HashPurpose` constants already exist: Graph, Symbol, Content, Merkle, Attestation, Interop, Secret
- `ComputeHashHexForPurpose()` and `ComputeHashForPurposeAsync()` methods available
- No blocking dependencies for Wave 1 hash migrations
- Wave 2 (ICryptoHmac) is independent infrastructure work
- Wave 3 (HMAC migrations) depends on Wave 2 completion
## Documentation Prerequisites
- `/root/.claude/plans/crispy-whistling-lamport.md` - Master architecture plan
- `docs/security/crypto-compliance.md` (to be created in Wave 4)
- `docs/contracts/richgraph-v1.md` - Hash algorithm per-profile
---
## Delivery Tracker
### Wave 1: Core Hash Migrations (11 files) - P0
| # | Task ID | Status | File | Pattern | HashPurpose | Notes |
|---|---------|--------|------|---------|-------------|-------|
| 1 | HASH-MIG-001 | **DONE** (2025-12-05) | `src/Orchestrator/.../Hashing/CanonicalJsonHasher.cs` | `SHA256.HashData()` | Content | Injected ICryptoHash; updated all callers |
| 2 | HASH-MIG-002 | **DONE** (2025-12-05) | `src/Findings/.../Merkle/MerkleTreeBuilder.cs` | `SHA256.HashData()` | Merkle | Injected ICryptoHash; updated callers |
| 3 | HASH-MIG-003 | **DONE** (2025-12-05) | `src/__Libraries/StellaOps.Replay.Core/DeterministicHash.cs` | `SHA256.TryHashData()` | Content | Migrated to static method with ICryptoHash param |
| 4 | HASH-MIG-004 | **IN PROGRESS** | `src/Policy/.../Hashing/RiskProfileHasher.cs` | `SHA256.HashData()` (×2) | Content | Injected ICryptoHash; callers updated; needs build verify |
| 5 | HASH-MIG-005 | **DONE** (2025-12-05) | `src/Policy/.../Export/ProfileExportService.cs` | `SHA256.HashData()` (×2) | Content | Migrated `ComputeTotalHash()` and `GenerateBundleId()`; HMAC left for Wave 3 |
| 6 | HASH-MIG-006 | TODO | `src/Provenance/.../Verification.cs` | `SHA256.Create()` | Attestation | Chain-of-custody verification |
| 7 | HASH-MIG-007 | TODO | `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` | `SHA256.HashData()` | Attestation | DSSE bundle verification |
| 8 | HASH-MIG-008 | TODO | `src/ExportCenter/.../DevPortalOfflineBundleBuilder.cs` | `SHA256.HashData()` | Content | Bundle integrity |
| 9 | HASH-MIG-009 | TODO | `src/ExportCenter/.../FileSystemDevPortalOfflineObjectStore.cs` | `IncrementalHash.CreateHash()` | Content | Streaming file hash |
| 10 | HASH-MIG-010 | TODO | `src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs` | `SHA256.HashDataAsync()` | Content | File digest for promotions |
| 11 | HASH-MIG-011 | TODO | `src/AdvisoryAI/.../DeterministicHashVectorEncoder.cs` | `IncrementalHash.CreateHash()` | Content | ML vector encoding |
### Wave 2: ICryptoHmac Infrastructure - P1
| # | Task ID | Status | Deliverable | Notes |
|---|---------|--------|-------------|-------|
| 12 | HMAC-INFRA-001 | TODO | `src/__Libraries/StellaOps.Cryptography/ICryptoHmac.cs` | Interface definition |
| 13 | HMAC-INFRA-002 | TODO | `src/__Libraries/StellaOps.Cryptography/HmacPurpose.cs` | Purpose constants: Signing, Authentication, WebhookInterop |
| 14 | HMAC-INFRA-003 | TODO | `src/__Libraries/StellaOps.Cryptography/DefaultCryptoHmac.cs` | Implementation with profile routing |
| 15 | HMAC-INFRA-004 | TODO | DI registration in `CryptoServiceCollectionExtensions.cs` | Service registration |
### Wave 3: HMAC Migrations (9 files) - P1
| # | Task ID | Status | File | Pattern | HmacPurpose | Notes |
|---|---------|--------|------|---------|-------------|-------|
| 16 | HMAC-MIG-001 | TODO | `src/Signer/.../Signing/HmacDsseSigner.cs` | `new HMACSHA256()` | Signing | DSSE envelope signing |
| 17 | HMAC-MIG-002 | TODO | `src/Scanner/.../Processing/Surface/HmacDsseEnvelopeSigner.cs` | `new HMACSHA256()` (×2) | Signing | Scanner manifest DSSE |
| 18 | HMAC-MIG-003 | TODO | `src/Scanner/.../Services/ReportSigner.cs` | `new HMACSHA256()` | Signing | Report HS256 signing |
| 19 | HMAC-MIG-004 | TODO | `src/Findings/.../Attachments/AttachmentUrlSigner.cs` | `new HMACSHA256()` | Authentication | Signed URL generation |
| 20 | HMAC-MIG-005 | TODO | `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` | `new HMACSHA256()` | Signing | Manifest DSSE signing |
| 21 | HMAC-MIG-006 | TODO | `src/ExportCenter/.../RiskBundleSigning.cs` | `new HMACSHA256()` (×2) | Signing | Risk bundle signing |
| 22 | HMAC-MIG-007 | TODO | `src/Provenance/.../Signers.cs` | `new HMACSHA256()` | Signing | HmacSigner class |
| 23 | HMAC-MIG-008 | TODO | `src/Notifier/.../Security/HmacAckTokenService.cs` | `new HMACSHA256()` | Authentication | Ack token signing |
| 24 | HMAC-MIG-009 | TODO | `src/Notifier/.../Security/DefaultWebhookSecurityService.cs` | `new HMACSHA256()` (×3) | WebhookInterop | External webhook (always SHA-256) |
### Wave 4: Documentation - P2
| # | Task ID | Status | Deliverable | Notes |
|---|---------|--------|-------------|-------|
| 25 | DOC-001 | TODO | `docs/security/crypto-compliance.md` | Compliance profile documentation |
| 26 | DOC-002 | TODO | Interop table in crypto-compliance.md | Document SHA-256 interop paths |
| 27 | DOC-003 | TODO | HMAC compliance profile mapping | Document HMAC algorithm per profile |
---
## Files Modified (Session Progress)
### Completed Modifications
| File | Change | Status |
|------|--------|--------|
| `src/Orchestrator/.../CanonicalJsonHasher.cs` | Added ICryptoHash injection, migrated `SHA256.HashData()` | DONE |
| `src/Orchestrator/.../StellaOps.Orchestrator.Core.csproj` | Added Cryptography reference | DONE |
| `src/Orchestrator/.../OrchestratorEventWriter.cs` | Updated to inject/pass ICryptoHash | DONE |
| `src/Findings/.../MerkleTreeBuilder.cs` | Added ICryptoHash injection, migrated to `HashPurpose.Merkle` | DONE |
| `src/Findings/.../StellaOps.Findings.Ledger.csproj` | Added Cryptography reference | DONE |
| `src/Findings/.../MerkleTreeManager.cs` | Updated to inject/pass ICryptoHash | DONE |
| `src/__Libraries/StellaOps.Replay.Core/DeterministicHash.cs` | Migrated to static method with ICryptoHash param | DONE |
| `src/__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj` | Added Cryptography reference | DONE |
| `src/Scanner/.../StellaOps.Scanner.Core.csproj` | Added Replay.Core reference | DONE |
| `src/Scanner/.../StellaOps.Scanner.Worker.csproj` | Added Cryptography and Replay.Core references | DONE |
| `src/Policy/.../RiskProfileHasher.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../StellaOps.Policy.RiskProfile.csproj` | Added Cryptography reference | DONE |
| `src/Policy/.../RiskProfileLifecycleService.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../StellaOps.Policy.Engine.csproj` | Added Cryptography reference | DONE |
| `src/Policy/.../RiskProfileConfigurationService.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../RiskSimulationService.cs` | Added ICryptoHash injection; migrated `GenerateSimulationId()` | DONE |
| `src/Policy/.../RiskScoringTriggerService.cs` | Added ICryptoHash injection; migrated `GenerateJobId()` | DONE |
| `src/Policy/.../ProfileExportService.cs` | Added ICryptoHash injection; migrated `ComputeTotalHash()`, `GenerateBundleId()` | DONE |
| `src/Policy/.../ProfileExportEndpoints.cs` | Added ICryptoHash to `ImportProfiles()` method | DONE |
### Pending Build Verification
| File | Build Command | Expected Result |
|------|---------------|-----------------|
| `src/Policy/StellaOps.Policy.Engine/` | `dotnet build src/Policy/StellaOps.Policy.Engine` | Verify ProfileExportEndpoints.cs fix |
---
## Code Migration Patterns
### Pattern A: Constructor Injection (Classes)
```csharp
// Before
public sealed class MyService
{
public string ComputeHash(byte[] data)
{
return Convert.ToHexStringLower(SHA256.HashData(data));
}
}
// After
public sealed class MyService
{
private readonly ICryptoHash _cryptoHash;
public MyService(ICryptoHash cryptoHash)
{
_cryptoHash = cryptoHash ?? throw new ArgumentNullException(nameof(cryptoHash));
}
public string ComputeHash(byte[] data)
{
return _cryptoHash.ComputeHashHexForPurpose(data, HashPurpose.Content);
}
}
```
### Pattern B: Static Method with Parameter (Static Classes)
```csharp
// Before
public static class DeterministicHash
{
public static string Compute(byte[] data)
{
return Convert.ToHexStringLower(SHA256.HashData(data));
}
}
// After
public static class DeterministicHash
{
public static string Compute(ICryptoHash cryptoHash, byte[] data)
{
return cryptoHash.ComputeHashHexForPurpose(data, HashPurpose.Content);
}
}
```
### Pattern C: Factory Method for Tests
```csharp
// In test code where DI isn't available
var cryptoHash = DefaultCryptoHash.CreateForTests();
var result = DeterministicHash.Compute(cryptoHash, data);
```
---
## Wave Coordination
### Wave 1 (In Progress)
- **Owner:** Implementer
- **Status:** 5/11 DONE, 1 IN PROGRESS, 5 TODO
- **Evidence:** Modified files build successfully; callers updated
- **Next:** Verify Policy.Engine build, then continue with Verification.cs
### Wave 2 (Not Started)
- **Owner:** Implementer
- **Status:** 0/4 TODO
- **Depends on:** Wave 1 completion recommended but not required
- **Evidence:** ICryptoHmac interface + implementation compiles
### Wave 3 (Not Started)
- **Owner:** Implementer
- **Status:** 0/9 TODO
- **Depends on:** Wave 2 completion (ICryptoHmac infrastructure)
- **Evidence:** All HMAC usages migrated; builds pass
### Wave 4 (Not Started)
- **Owner:** Implementer + Docs
- **Status:** 0/3 TODO
- **Depends on:** Wave 1-3 completion
- **Evidence:** Documentation published
---
## Interlocks
- RiskProfileHasher.cs migration touches 5 callers: RiskProfileLifecycleService, ProfileExportService, RiskSimulationService, RiskScoringTriggerService, RiskProfileConfigurationService
- ProfileExportService.cs has both SHA256 hash (Wave 1) and HMAC (Wave 3) - split migration
- Policy.Engine endpoints need ICryptoHash in DI pipeline for runtime injection
- Existing pre-build errors in Concelier (Storage.Mongo missing) are unrelated and should be ignored
---
## Known Build Issues (Pre-Existing)
These errors exist in the codebase and are NOT related to this migration:
```
Concelier:
- CS0234: 'Storage' does not exist in namespace 'StellaOps.Concelier' (14 errors)
- Caused by missing Storage.Mongo project reference
- DO NOT attempt to fix - out of scope
Scanner.Core:
- CS0246: 'Harness' type not found (1 error)
- Pre-existing issue
```
---
## Compliance Profile Reference
| Profile ID | Standard Name | Hash Algorithm | HMAC Algorithm |
|------------|---------------|----------------|----------------|
| `world` | Default (ISO) | BLAKE3-256 (graph), SHA-256 (content) | HMAC-SHA256 |
| `fips` | FIPS 140-3 (US) | SHA-256 | HMAC-SHA256 |
| `gost` | GOST R 34.11-2012 (Russia) | GOST3411-2012-256 | HMAC-GOST3411 |
| `sm` | GB/T (China) | SM3 | HMAC-SM3 |
| `kcmvp` | KCMVP (Korea) | SHA-256 | HMAC-SHA256 |
| `eidas` | eIDAS/ETSI TS 119 312 (EU) | SHA-256 | HMAC-SHA256 |
---
## ICryptoHmac Interface Design (Wave 2)
```csharp
public interface ICryptoHmac
{
// Purpose-based HMAC
byte[] ComputeHmacForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
string ComputeHmacHexForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
string ComputeHmacBase64ForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
// Verification (constant-time)
bool VerifyHmacForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data,
ReadOnlySpan<byte> expectedHmac, string purpose);
// Metadata
string GetAlgorithmForPurpose(string purpose);
}
public static class HmacPurpose
{
public const string Signing = "signing"; // DSSE envelope signing
public const string Authentication = "auth"; // Token/URL authentication
public const string WebhookInterop = "webhook"; // External webhook (always SHA-256)
}
```
---
## Decisions & Risks
| ID | Risk / Decision | Impact | Mitigation | Status |
|----|-----------------|--------|------------|--------|
| R1 | ProfileExportService has both SHA256 and HMAC | Need split migration across waves | SHA256 done in Wave 1; HMAC deferred to Wave 3 | Resolved |
| R2 | Multiple callers per hasher class | Cascading changes required | Track all callers; update systematically | Active |
| R3 | Test projects may need ICryptoHash | Provide `DefaultCryptoHash.CreateForTests()` | Factory method available | Resolved |
| R4 | Pre-existing build errors may mask new errors | False confidence in migration success | Document known errors; verify specific projects | Active |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-05 | Completed CanonicalJsonHasher.cs migration and all callers | Implementer |
| 2025-12-05 | Completed MerkleTreeBuilder.cs migration and all callers | Implementer |
| 2025-12-05 | Completed DeterministicHash.cs migration to static method pattern | Implementer |
| 2025-12-05 | Started RiskProfileHasher.cs migration - updated class and 5 callers | Implementer |
| 2025-12-05 | Added Cryptography references to Policy.RiskProfile and Policy.Engine projects | Implementer |
| 2025-12-05 | Updated RiskProfileConfigurationService.cs, RiskSimulationService.cs, RiskScoringTriggerService.cs | Implementer |
| 2025-12-05 | Migrated ProfileExportService.cs SHA256 methods (HMAC left for Wave 3) | Implementer |
| 2025-12-05 | Updated ProfileExportEndpoints.cs to inject ICryptoHash in ImportProfiles | Implementer |
| 2025-12-05 | Sprint paused - need to verify Policy.Engine build before continuing | Implementer |
---
## Resume Checklist
When resuming this sprint:
1. **Verify Policy.Engine build:**
```bash
dotnet build src/Policy/StellaOps.Policy.Engine
```
2. **If build succeeds:**
- Mark HASH-MIG-004 (RiskProfileHasher) as DONE
- Mark HASH-MIG-005 (ProfileExportService SHA256) as DONE
- Proceed to HASH-MIG-006 (Verification.cs)
3. **If build fails:**
- Review error messages
- Fix remaining ICryptoHash injection issues
- Rebuild and verify
4. **Continue Wave 1 in order:**
- Verification.cs (Provenance)
- AttestorVerificationEngine.cs (Attestor)
- DevPortalOfflineBundleBuilder.cs (ExportCenter)
- FileSystemDevPortalOfflineObjectStore.cs (ExportCenter)
- PromotionAssembler.cs (CLI)
- DeterministicHashVectorEncoder.cs (AdvisoryAI)
5. **After Wave 1 complete:**
- Run full solution build to verify no regressions
- Start Wave 2 (ICryptoHmac infrastructure)
---
## File Inventory: Remaining Wave 1 Files
### 6. Verification.cs
- **Path:** `src/Provenance/StellaOps.Provenance.Attestation/Verification.cs`
- **Pattern:** `SHA256.Create()` for stream hashing
- **HashPurpose:** `Attestation`
- **Project ref needed:** `StellaOps.Cryptography`
### 7. AttestorVerificationEngine.cs
- **Path:** `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs`
- **Pattern:** `SHA256.HashData()`
- **HashPurpose:** `Attestation`
- **Project ref needed:** `StellaOps.Cryptography`
### 8. DevPortalOfflineBundleBuilder.cs
- **Path:** `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/DevPortalOffline/DevPortalOfflineBundleBuilder.cs`
- **Pattern:** `SHA256.HashData()`
- **HashPurpose:** `Content`
- **Project ref needed:** `StellaOps.Cryptography`
### 9. FileSystemDevPortalOfflineObjectStore.cs
- **Path:** `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/DevPortalOffline/FileSystemDevPortalOfflineObjectStore.cs`
- **Pattern:** `IncrementalHash.CreateHash(HashAlgorithmName.SHA256)`
- **HashPurpose:** `Content`
- **Use:** `ComputeHashForPurposeAsync(stream, HashPurpose.Content)`
- **Project ref needed:** `StellaOps.Cryptography`
### 10. PromotionAssembler.cs
- **Path:** `src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs`
- **Pattern:** `SHA256.HashDataAsync()`
- **HashPurpose:** `Content`
- **Use:** `ComputeHashHexForPurposeAsync(stream, HashPurpose.Content)`
- **Project ref needed:** `StellaOps.Cryptography`
### 11. DeterministicHashVectorEncoder.cs
- **Path:** `src/AdvisoryAI/StellaOps.AdvisoryAI/Vectorization/DeterministicHashVectorEncoder.cs`
- **Pattern:** `IncrementalHash.CreateHash(HashAlgorithmName.SHA256)`
- **HashPurpose:** `Content`
- **Project ref needed:** `StellaOps.Cryptography`
---
## Success Criteria
- [ ] All 11 Wave 1 files migrated to `ICryptoHash`
- [ ] `ICryptoHmac` interface created with profile support (Wave 2)
- [ ] All 9 Wave 3 files migrated to `ICryptoHmac`
- [ ] All 5 interop files documented with reason (Wave 4)
- [ ] Zero direct SHA256/SHA512 usage outside cryptography library (excluding documented interop)
- [ ] Full solution build passes
- [ ] Unit tests for GOST and SM3 operations pass
---
## Related Documents
- **Master Plan:** `/root/.claude/plans/crispy-whistling-lamport.md`
- **Sovereign Crypto Sprint:** `docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md`
- **Architecture Overview:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`