move docs/**/archived/* to docs-archived/**/*

This commit is contained in:
master
2026-01-05 16:02:11 +02:00
parent dfab8a29c3
commit d0a7b88398
1083 changed files with 4 additions and 1 deletions

@@ -0,0 +1,318 @@
# Sprint 3500.9999.0000 - Summary (All Sprints Quick Reference)
**Epic**: Deeper Moat Beyond Reachability
**Total Duration**: 20 weeks (10 sprints)
**Status**: DONE
---
## Topic & Scope
- Summary index for Epic 3500 planning and delivery status.
- Provides a quick reference to sprints, dependencies, and deliverables.
- Working directory: `docs/implplan`.
## Dependencies & Concurrency
- See the "Dependencies" section and sprint dependency graph below.
- No independent execution tasks; summary mirrors sprint state.
## Documentation Prerequisites
- `docs/implplan/archived/SPRINT_3500_0001_0001_deeper_moat_master.md`
- `docs/product-advisories/archived/17-Dec-2025/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SUMMARY-3500 | DONE | Archive sprint records | Planning | Maintain the Epic 3500 quick reference. |
## Wave Coordination
- Epic A (3500.0002.x), Epic B (3500.0003.x), CLI/UI/Tests/Docs (3500.0004.x).
## Wave Detail Snapshots
- See "Sprint Overview" table.
## Interlocks
- None listed beyond sprint dependencies.
## Upcoming Checkpoints
- None listed.
## Action Tracker
- None listed.
## Decisions & Risks
| Item | Type | Owner | Notes |
| --- | --- | --- | --- |
| Summary status mirror | Decision | Planning | Summary stays aligned with sprint completion state. |
| Cross-doc link updates | Decision | Planning | Updated product advisories and benchmarks to point at archived sprint paths. |
| No new risks | Risk | Planning | Track risks in individual sprint files. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-22 | Normalized summary to sprint template; renamed from SPRINT_3500_SUMMARY.md and archived. | Agent |
## Sprint Overview
| Sprint ID | Topic | Duration | Status | Key Deliverables |
|-----------|-------|----------|--------|------------------|
| **3500.0001.0001** | **Master Plan** | — | DONE | Overall planning, prerequisites, risk assessment |
| **3500.0002.0001** | Score Proofs Foundations | 2 weeks | DONE | Canonical JSON, DSSE, ProofLedger, DB schema |
| **3500.0002.0002** | Unknowns Registry v1 | 2 weeks | DONE (7/7) | 2-factor ranking, band assignment, escalation API, Scheduler integration |
| **3500.0002.0003** | Proof Replay + API | 2 weeks | DONE | All 7 tasks complete (manifest, proofs, idempotency, rate limiting, OpenAPI, tests) |
| **3500.0003.0001** | Reachability .NET Foundations | 2 weeks | DONE | Implemented via SPRINT_3600_0002_0001 (DotNetCallGraphExtractor, ReachabilityAnalyzer) |
| **3500.0003.0002** | Reachability Java Integration | 2 weeks | DONE | Implemented via SPRINT_3610_0001_0001 (JavaCallGraphExtractor, Spring Boot) |
| **3500.0003.0003** | Graph Attestations + Rekor | 2 weeks | DONE | RichGraphAttestationService, Rekor via Attestor module, budget policy documented |
| **3500.0004.0001** | CLI Verbs + Offline Bundles | 2 weeks | DONE | `stella score`, `stella graph`, `stella unknowns`, offline kit, corpus — 8/8 tasks, 183 tests pass |
| **3500.0004.0002** | UI Components + Visualization | 2 weeks | DONE | All 8 components: Proof Ledger, Unknowns Queue, Reachability Explain, Score Comparison, Proof Replay, API Services, Accessibility, Tests |
| **3500.0004.0003** | Integration Tests + Corpus | 2 weeks | DONE | Golden corpus (12 cases), 6 test projects (74 test methods), CI gates, perf baselines |
| **3500.0004.0004** | Documentation + Handoff | 2 weeks | DONE | Runbooks (5), training (6 docs), release notes, OpenAPI, handoff checklist — 8/8 tasks |
---
## Epic A: Score Proofs (Sprints 3500.0002.00010003)
### Sprint 3500.0002.0001: Foundations
**Owner**: Scanner Team + Policy Team
**Deliverables**:
- [ ] Canonical JSON library (`StellaOps.Canonical.Json`)
- [ ] Scan Manifest model (`ScanManifest.cs`)
- [ ] DSSE envelope implementation (`StellaOps.Attestor.Dsse`)
- [ ] ProofLedger with node hashing (`StellaOps.Policy.Scoring`)
- [ ] Database schema: `scanner.scan_manifest`, `scanner.proof_bundle`
- [ ] Proof Bundle Writer
**Tests**: Unit tests ≥85% coverage, integration test for full pipeline
**Documentation**: See `SPRINT_3500_0002_0001_score_proofs_foundations.md` (DETAILED)
---
### Sprint 3500.0002.0002: Unknowns Registry
**Owner**: Policy Team
**Status**: DONE (7/7 tasks complete)
**Deliverables**:
- [x] `policy.unknowns` table (2-factor ranking model)
- [x] `UnknownRanker.Rank(...)` — Deterministic ranking function
- [x] Band assignment (HOT/WARM/COLD)
- [x] API: `GET /unknowns`, `POST /unknowns/{id}/escalate`, `POST /unknowns/{id}/resolve`
- [x] Scheduler integration: rescan on escalation (via ISchedulerJobClient abstraction)
**Tests**: Ranking determinism tests (29 tests pass), band threshold tests
**Documentation**:
- `docs/db/schemas/policy_schema_specification.md`
- `docs/api/scanner-score-proofs-api.md` (Unknowns endpoints)
---
### Sprint 3500.0002.0003: Replay + API
**Owner**: Scanner Team
**Deliverables**:
- [ ] API: `POST /api/v1/scanner/scans`
- [ ] API: `GET /api/v1/scanner/scans/{id}/manifest`
- [ ] API: `POST /api/v1/scanner/scans/{id}/score/replay`
- [ ] API: `GET /api/v1/scanner/scans/{id}/proofs/{rootHash}`
- [ ] Idempotency via `Content-Digest` headers
- [ ] Rate limiting (100 req/hr per tenant for POST endpoints)
**Tests**: API integration tests, idempotency tests, error handling tests
**Documentation**:
- `docs/api/scanner-score-proofs-api.md` (COMPREHENSIVE)
- OpenAPI spec update: `src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml`
---
## Epic B: Reachability (Sprints 3500.0003.00010003)
### Sprint 3500.0003.0001: .NET Reachability
**Owner**: Scanner Team
**Deliverables**:
- [ ] Roslyn-based call-graph extractor (`DotNetCallGraphExtractor.cs`)
- [ ] IL-based node ID computation
- [ ] ASP.NET Core entrypoint discovery (controllers, minimal APIs, hosted services)
- [ ] `CallGraph.v1.json` schema implementation
- [ ] BFS reachability algorithm (`ReachabilityAnalyzer.cs`)
- [ ] Database schema: `scanner.cg_node`, `scanner.cg_edge`, `scanner.entrypoint`
**Tests**: Call-graph extraction tests, BFS tests, entrypoint detection tests
**Documentation**:
- `src/Scanner/AGENTS_SCORE_PROOFS.md` (Task 3.1, 3.2) (DETAILED)
- `docs/db/schemas/scanner_schema_specification.md`
- `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`
---
### Sprint 3500.0003.0002: Java Reachability
**Owner**: Scanner Team
**Deliverables**:
- [ ] Soot/WALA-based call-graph extractor (`JavaCallGraphExtractor.cs`)
- [ ] Spring Boot entrypoint discovery (`@RestController`, `@RequestMapping`)
- [ ] JAR node ID computation (class file hash + method signature)
- [ ] Integration with `CallGraph.v1.json` schema
- [ ] Reachability analysis for Java artifacts
**Tests**: Java call-graph extraction tests, Spring Boot entrypoint tests
**Prerequisite**: Java worker POC with Soot/WALA (must complete before sprint starts)
**Documentation**:
- `docs/dev/java-call-graph-extractor-spec.md` (to be created)
- `src/Scanner/AGENTS_JAVA_REACHABILITY.md` (to be created)
---
### Sprint 3500.0003.0003: Graph Attestations
**Owner**: Attestor Team + Scanner Team
**Deliverables**:
- [ ] Graph-level DSSE attestation (one per scan)
- [ ] Rekor integration: `POST /rekor/entries`
- [ ] Rekor budget policy: graph-only by default, edge bundles on escalation
- [ ] API: `POST /api/v1/scanner/scans/{id}/callgraphs` (upload)
- [ ] API: `POST /api/v1/scanner/scans/{id}/reachability/compute`
- [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/findings`
- [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/explain`
**Tests**: DSSE signing tests, Rekor integration tests, API tests
**Documentation**:
- `docs/operations/rekor-policy.md` (budget policy)
- `docs/api/scanner-score-proofs-api.md` (reachability endpoints)
---
## CLI & UI (Sprints 3500.0004.00010002)
### Sprint 3500.0004.0001: CLI Verbs
**Owner**: CLI Team
**Deliverables**:
- [ ] `stella score replay --scan <id>`
- [ ] `stella proof verify --bundle <path>`
- [ ] `stella scan graph --lang dotnet|java --sln <path>`
- [ ] `stella reachability explain --scan <id> --cve <cve>`
- [ ] `stella unknowns list --band HOT`
- [ ] Offline bundle extensions: `/offline/reachability/`, `/offline/corpus/`
**Tests**: CLI E2E tests, offline bundle verification tests
**Documentation**:
- `docs/09_API_CLI_REFERENCE.md` (update with new verbs)
- `docs/24_OFFLINE_KIT.md` (reachability bundle format)
---
### Sprint 3500.0004.0002: UI Components
**Owner**: UI Team
**Deliverables**:
- [ ] Proof ledger view (timeline visualization)
- [ ] Unknowns queue (filterable, sortable)
- [ ] Reachability explain widget (call-path visualization)
- [ ] Score delta badges
- [ ] "View Proof" button on finding cards
**Tests**: UI component tests (Jest/Cypress)
**Prerequisite**: UX wireframes delivered by Product team
**Documentation**:
- `docs/dev/ui-proof-visualization-spec.md` (to be created)
---
## Testing & Handoff (Sprints 3500.0004.00030004)
### Sprint 3500.0004.0003: Integration Tests + Corpus
**Owner**: QA + Scanner Team
**Deliverables**:
- [ ] Golden corpus: 10 .NET + 10 Java test cases
- [ ] End-to-end tests: SBOM → scan → proof → replay → verify
- [ ] CI gates: precision/recall ≥80%, deterministic replay 100%
- [ ] Load tests: 10k scans/day without degradation
- [ ] Air-gap verification tests
**Tests**: All integration tests passing, corpus CI green
**Documentation**:
- `docs/testing/golden-corpus-spec.md` (to be created)
- `docs/testing/integration-test-plan.md`
---
### Sprint 3500.0004.0004: Documentation + Handoff
**Owner**: Docs Guild + All Teams
**Deliverables**:
- [ ] Runbooks: `docs/operations/score-proofs-runbook.md`
- [ ] Runbooks: `docs/operations/reachability-troubleshooting.md`
- [ ] API documentation published
- [ ] Training materials for support team
- [ ] Competitive battlecard updated
- [ ] Claims index updated: DET-004, REACH-003, PROOF-001, UNKNOWNS-001
**Tests**: Documentation review by 3+ stakeholders
**Documentation**:
- All docs in `docs/` reviewed and published
---
## Dependencies
```mermaid
graph TD
A[3500.0001.0001 Master Plan] --> B[3500.0002.0001 Foundations]
B --> C[3500.0002.0002 Unknowns]
C --> D[3500.0002.0003 Replay API]
D --> E[3500.0003.0001 .NET Reachability]
E --> F[3500.0003.0002 Java Reachability]
F --> G[3500.0003.0003 Attestations]
G --> H[3500.0004.0001 CLI]
G --> I[3500.0004.0002 UI]
H --> J[3500.0004.0003 Tests]
I --> J
J --> K[3500.0004.0004 Docs]
```
---
## Success Metrics
### Technical Metrics
- **Determinism**: 100% bit-identical replay on golden corpus ✅
- **Performance**: TTFRP <30s for 100k LOC (p95)
- **Accuracy**: Precision/recall 80% on ground-truth corpus
- **Scalability**: 10k scans/day without Postgres degradation
- **Air-gap**: 100% offline bundle verification success
### Business Metrics
- **Competitive wins**: 3 deals citing deterministic replay (6 months) 🎯
- **Customer adoption**: 20% of enterprise customers enable score proofs (12 months) 🎯
- **Support escalations**: <5 Rekor/attestation issues per month 🎯
---
## Quick Links
**Sprint Files**:
- [SPRINT_3500_0001_0001 - Master Plan](SPRINT_3500_0001_0001_deeper_moat_master.md) START HERE
- [SPRINT_3500_0002_0001 - Score Proofs Foundations](SPRINT_3500_0002_0001_score_proofs_foundations.md) DETAILED
**Documentation**:
- [Scanner Schema Specification](docs/db/schemas/scanner_schema_specification.md)
- [Scanner API Specification](docs/api/scanner-score-proofs-api.md)
- [Scanner AGENTS Guide](src/Scanner/AGENTS_SCORE_PROOFS.md) FOR AGENTS
**Source Advisory**:
- [16-Dec-2025 - Building a Deeper Moat Beyond Reachability](docs/product-advisories/archived/17-Dec-2025/16-Dec-2025%20-%20Building%20a%20Deeper%20Moat%20Beyond%20Reachability.md)
---
**Last Updated**: 2025-12-17
**Next Review**: Weekly during sprint execution
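Review bot: the moved file still links to the pre-move `docs/.../archived/` locations, so after this commit those references point at paths that no longer exist. In the "Documentation Prerequisites" list (`docs/implplan/archived/SPRINT_3500_0001_0001_deeper_moat_master.md` and `docs/product-advisories/archived/17-Dec-2025/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md`) and in the "Source Advisory" link at the end, rewrite the paths to the `docs-archived/` tree named in the commit message, and give the `Working directory: docs/implplan` line and the "Cross-doc link updates" decision row ("point at archived sprint paths") the same treatment or mark them as historical. The relative Quick Links (`SPRINT_3500_0001_0001_deeper_moat_master.md`, `SPRINT_3500_0002_0001_score_proofs_foundations.md`) only keep working if those sibling sprint files moved into the same new directory, and the `docs/db/...`, `docs/api/...` and `src/Scanner/...` links are written as repo-root paths from inside a nested directory, so they should be checked from the new location as well. Two smaller consistency points: the Sprint Overview marks every sprint DONE, yet the per-sprint deliverable checklists for all sprints except 3500.0002.0002 are still `- [ ]`, and "Success Metrics" says "Precision/recall 80%" where the CI gate says "≥80%"; either tick the boxes or state that the checklists are the original plan. The range headings read `3500.0002.00010003`, `3500.0003.00010003`, `3500.0004.00010002` and `3500.0004.00030004`, where the separator between the two sprint numbers appears to have been dropped.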