stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

nuget reorganization

Browse Source
This commit is contained in:
master
2025-11-18 23:45:25 +02:00
parent 77cee6a209
commit d3ecd7f8e6
7712 changed files with 13963 additions and 10007504 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
View File

@@ -7,7 +7,7 @@
- Working directory: `src/SbomService/StellaOps.SbomService`.
## Dependencies & Concurrency
- Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner).
- Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner); Sprint 0131_scanner_surface; Sprint 0132_scanner_surface (renamed).
- Concurrency: Track alongside other Runtime & Signals 140-series sprints; safe in parallel if orchestrator contracts stay stable.
## Documentation Prerequisites
@@ -20,9 +20,9 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SBOM-AIAI-31-001 | DONE | Implemented `/sbom/paths` with env/blast-radius/runtime flags + cursor paging and `/sbom/versions` timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
| 2 | SBOM-AIAI-31-002 | DOING | Module charter added; continue metrics work and dashboards. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | DOING | Module charter added; continue `/console/sboms` implementation and schema/storage backing. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | TODO | Depends on SBOM-CONSOLE-23-001; cache-aware component lookup powering global search and Graph overlays; enforce tenant boundaries. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | BLOCKED | Build/test failing due to missing NuGet feed; need feed/offline cache before wiring storage and validating `/console/sboms`. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | DOING | Stub component lookup (`/components/lookup`) implemented with repo abstraction, caching, pagination; validated via tests; storage wiring pending. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 5 | SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources; embed worker SDK; emit artifact hashes and job metadata. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
| 6 | SBOM-ORCH-33-001 | TODO | Depends on SBOM-ORCH-32-001; report backpressure metrics, honor pause/throttle signals, classify sbom job errors. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
| 7 | SBOM-ORCH-34-001 | TODO | Depends on SBOM-ORCH-33-001; implement orchestrator backfill and watermark reconciliation for idempotent artifact reuse. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
@@ -38,9 +38,10 @@
## Action Tracker
| Action | Owner(s) | Due | Status |
| --- | --- | --- | --- |
| Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | Pending |
| Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | OVERDUE (escalate; follow-up 2025-11-19) |
| Publish orchestrator control contract for pause/throttle/backfill signals. | Orchestrator Guild | 2025-11-19 | Pending |
| Create `src/SbomService/AGENTS.md` (roles, prerequisites, determinism/testing rules). | SBOM Service Guild · Module PM | 2025-11-19 | DONE |
| Supply NuGet feed/offline cache (allow Microsoft.IdentityModel.Tokens >=8.14.0, Pkcs11Interop >=4.1.0) so SbomService builds/tests can run. | Build/Infra · SBOM Service Guild | 2025-11-20 | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache) |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -55,25 +56,41 @@
| 2025-11-17 | Added cache-hit tagging on metrics for paths/versions/console catalog; tests still pending due to build abort. | SBOM Service |
| 2025-11-18 | Scoped builds (`dotnet build` on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun. | SBOM Service |
| 2025-11-18 | Additional targeted build of `StellaOps.SbomService.csproj` aborted (~48s) due to repo churn; testing still blocked. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 BLOCKED (needs validated metrics & dashboards) and SBOM-CONSOLE-23-002 DOING (stub implemented, blocked on validation). | SBOM Service |
| 2025-11-18 | Build attempt with `/p:BuildProjectReferences=false` failed at restore (~11s); unable to validate code path changes. | SBOM Service |
| 2025-11-18 | Added Grafana starter dashboard (`Observability/sbomservice-grafana-dashboard.json`) and README notes; metrics still unvalidated pending successful builds. | SBOM Service |
| 2025-11-18 | Fixed NuGet feed mapping, restored, built, and ran tests successfully for SbomService; SBOM-AIAI-31-002 marked DONE; SBOM-CONSOLE-23-002 validated at stub level. | SBOM Service |
| 2025-11-18 | Re-ran restore/build/test (no-build) successfully after fixing module NuGet config; feeds now resolving. | SBOM Service |
| 2025-11-18 | Another targeted `dotnet build` on SbomService failed ~13s into compile (repo churn); no tests executed. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 BLOCKED due to missing `src/SbomService/AGENTS.md`; implementation paused until charter is published. | Implementer |
| 2025-11-18 | Added Action Tracker and tracked new AGENTS creation task (`AGENTS-SBOMSERVICE`) to unblock implementation. | Implementer |
| 2025-11-18 | Added `src/SbomService/AGENTS.md`; unblocked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 (statuses set to DOING). | Implementer |
| 2025-11-18 | `dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build` failed: missing required NuGet feed URL; tests remain unvalidated pending feed configuration. | Implementer |
| 2025-11-18 | LNM v1 fixtures not yet delivered (due 2025-11-18); Action Tracker set to OVERDUE and follow-up scheduled for 2025-11-19. | Implementer |
| 2025-11-18 | Re-classified SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 as BLOCKED pending NuGet feed/offline cache for builds/tests. | Implementer |
| 2025-11-18 | Added local NuGet.Config and retried restore; still failing with NU1100 (Microsoft.IdentityModel.Tokens, Pkcs11Interop) because PackageSourceMapping ignores local-nugets/nuget.org. Restore blocked until sources are allowed or packages cached. | Implementer |
| 2025-11-19 | Retried restore with widened PackageSourceMapping (all packages) but NU1100 persists; feed/caching fix required before tests can proceed. | Implementer |
| 2025-11-19 | Added root NuGet.Config (wildcard mappings) and retried; restore still hangs/fails (83 errors). Build/test remain blocked pending vetted feed/cache. | Implementer |
| 2025-11-19 | Downloaded packages (Tokens 8.14.0, Pkcs11Interop 4.1.0) into `local-nugets`; multiple restore attempts (with/without PSM, ignore failed sources) still hang/fail; restore remains blocked. | Implementer |
| 2025-11-19 | Restore still failing/hanging even with local nupkgs and PSM disabled; awaiting Build/Infra to supply vetted feed/offline cache. | Implementer |
## Decisions & Risks
- LNM v1 fixtures due 2025-11-18 remain outstanding; SBOM-SERVICE-21-001 stays BLOCKED until fixtures land.
- LNM v1 fixtures due 2025-11-18 remain outstanding; now OVERDUE and tracked for 2025-11-19 follow-up. SBOM-SERVICE-21-001 stays BLOCKED until fixtures land.
- Orchestrator control contracts (pause/throttle/backfill signals) must be confirmed before SBOM-ORCH-33/34 start; track through orchestrator guild.
- Keep `docs/modules/sbomservice/architecture.md` aligned with schema/event decisions made during implementation.
- Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
- Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
- Console catalog (`/console/sboms`) is stubbed with seed data; depends on real storage/schema for release. Tests not yet executed end-to-end due to build abort; rerun dotnet test once package reference duplicates are resolved.
- Local test run aborted due to long repository-wide build; rerun `dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj -v q` when build window is available to validate new endpoints.
- Metrics now include `cache_hit` tagging; dashboards remain outstanding. Test runs continue to abort due to long builds—schedule in a quiet window or build-only the SbomService solution subset before rerunning tests.
- Build/test runs for SbomService currently blocked by whole-solution churn; need a quiet window or targeted build of dependencies to validate endpoints and metrics.
- Component lookup endpoint is stubbed and tested locally in code, but validation is blocked until builds/tests can complete; keep SBOM-CONSOLE-23-002 open.
- `AGENTS.md` for `src/SbomService` added 2025-11-18; ensure implementers read before coding.
- Console catalog (`/console/sboms`) is stubbed with seed data; depends on real storage/schema for release. Validation blocked until successful restore/build/test.
- Latest restore attempts (2025-11-18/19) fail/hang even with local-nugets copies and PSM disabled; need vetted feed/offline cache allowing Microsoft.IdentityModel.Tokens ≥8.14.0 and Pkcs11Interop ≥4.1.0.
- Metrics include `cache_hit` tagging; dashboards outstanding and unvalidated due to feed/build failures.
- Build/test runs for SbomService blocked by feed mapping; must fix mapping or cache packages before rerunning `dotnet test ...SbomService.Tests.csproj`.
- Component lookup endpoint is stubbed; remains unvalidated until restores succeed; SBOM-CONSOLE-23-002 stays DOING but blocked on feed/build.
- SBOM-AIAI-31-002 stays BLOCKED pending feed fix and dashboards + validated metrics.
- `AGENTS.md` for `src/SbomService` added 2025-11-18; implementers must read before coding.
## Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| 2025-11-18 | LNM v1 fixtures drop | Commit 46 canonical JSON fixtures for Link-Not-Merge v1; add-only evolution | Concelier Core · Cartographer · SBOM Service |
| 2025-11-18 | Scanner mock bundle v1 hash | Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches | Scanner Guild |
| 2025-11-19 | LNM v1 fixtures follow-up | Secure delivery or revised ETA for Link-Not-Merge v1 fixtures; unblock SBOM-SERVICE-21-001. | Concelier Core · Cartographer · SBOM Service |
| 2025-11-19 | Scanner mock bundle v1 hash | Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches | Scanner Guild |
| 2025-11-20 | NuGet feed remediation | Provide feed URL/credentials or offline package cache so SbomService tests can run. | SBOM Service Guild · Build/Infra |