stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(policy): Start Epic 3900 - Exception Objects as Auditable Entities

Browse Source 
Advisory Processing:
- Processed 7 unprocessed advisories and 12 moat documents
- Created advisory processing report with 3 new epic recommendations
- Identified Epic 3900 (Exception Objects) as highest priority

Sprint 3900.0001.0001 - 4/8 tasks completed:
- T1: ExceptionObject domain model with full governance fields
- T2: ExceptionEvent model for event-sourced audit trail
- T4: IExceptionRepository interface with CRUD and query methods
- T6: ExceptionEvaluator service with PURL pattern matching

New library: StellaOps.Policy.Exceptions
- Models: ExceptionObject, ExceptionScope, ExceptionEvent
- Enums: ExceptionStatus, ExceptionType, ExceptionReason
- Services: ExceptionEvaluator with scope matching and specificity
- Repository: IExceptionRepository with filter and history support

Remaining tasks: PostgreSQL schema, repository implementation, tests
This commit is contained in:
StellaOps Bot
2025-12-20 23:44:55 +02:00
parent ad193449a7
commit d55a353481
11 changed files with 1946 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
docs/implplan/ADVISORY_PROCESSING_REPORT_20251220.md Normal file
View File

@@ -0,0 +1,228 @@
# Advisory Processing Report — 2025-12-20
**Role**: Product Manager
**Date**: 2025-12-20
**Status**: ANALYZED
---
## Executive Summary
Reviewed **7 unprocessed advisories** and **12 moat documents** from `docs/product-advisories/unprocessed/`. After cross-referencing with existing sprints, archived advisories, and implemented code, identified **3 new epic-level initiatives** and **5 enhancement opportunities** for existing features.
---
## 1. Advisories Reviewed
| File | Date | Primary Topic | Status |
|------|------|---------------|--------|
| Reimagining ProofLinked UX in Security Workflows | 2025-12-16 | Narrative-First Triage UX | ALREADY PROCESSED |
| Reachability Drift Detection | 2025-12-17 | Call graph drift between versions | NEW - ACTIONABLE |
| Designing Explainable Triage and ProofLinked Evidence | 2025-12-18 | Evidence-linked approvals | OVERLAPS w/ 12/16 |
| Branch · UX patterns worth borrowing | 2025-12-20 | Competitor UX analysis | REFERENCE ONLY |
| Testing strategy | 2025-12-20 | E2E testing strategy | NEW - ACTIONABLE |
| Moat #1 (Security Delta) | 2025-12-19 | Delta Verdicts as governance | NEW - STRATEGIC |
| Moat - Exception management | 2025-12-20 | Auditable exceptions | NEW - ACTIONABLE |
| Moat - Signed Replayable Verdicts | 2025-12-20 | Verdict attestations | PARTIAL OVERLAP |
| Moat - Knowledge Snapshots | 2025-12-20 | Time-travel replay | NEW - ACTIONABLE |
| Moat - Risk Budgets | 2025-12-20 | Diff-aware release gates | PARTIAL OVERLAP |
---
## 2. Cross-Reference with Existing Work
### 2.1 Already Implemented (Do Not Duplicate)
| Topic | Existing Implementation | Location |
|-------|------------------------|----------|
| Proof Ledger | ProofLedgerViewComponent | Sprint 3500.0004.0002 T1 |
| Reachability Explain | ReachabilityExplainWidget | Sprint 3500.0004.0002 T3 |
| Score Comparison | ScoreComparisonComponent | Sprint 3500.0004.0002 T4 |
| Proof Replay | ProofReplayDashboard | Sprint 3500.0004.0002 T5 |
| Material Risk Changes | MaterialRiskChangeDetector | Scanner.SmartDiff.Detection |
| VEX Lattice Merge | Excititor module | src/Excititor |
| Unknowns Registry | UnknownsService | Sprint 3500.0002.0002 |
| Call Graph Extraction | DotNetCallGraphExtractor, JavaCallGraphExtractor | Sprint 3500.0003.x |
| Semantic Entrypoints | Sprint 0411 | EntryTrace module |
| Temporal/Mesh Analysis | Sprint 0412 | EntryTrace module |
| Binary Intelligence | Sprint 0414 | EntryTrace module |
| Risk Scoring | Sprint 0415 | EntryTrace module |
### 2.2 Gaps Identified (New Work Required)
| Gap | Advisory Source | Priority | Complexity |
|-----|----------------|----------|------------|
| **Reachability Drift Detection** | 17-Dec advisory | HIGH | HIGH |
| **Exception Objects (Auditable)** | Moat Exception mgmt | HIGH | MEDIUM |
| **Knowledge Snapshots + Time-Travel** | Moat Knowledge Snapshots | HIGH | HIGH |
| **Delta Verdict Attestations** | Moat #1 | MEDIUM | MEDIUM |
| **Offline E2E Test Suite** | Testing strategy | MEDIUM | MEDIUM |
| **Code Change Facts Table** | 17-Dec advisory | MEDIUM | LOW |
| **Path Viewer UI Enhancement** | 17-Dec advisory | LOW | LOW |
---
## 3. Recommended New Epics
### Epic 3800: Reachability Drift Detection
**Justification**: The 17-Dec advisory identifies that reachability can change between versions even when vulnerability count stays the same. This is a significant moat differentiator.
**What's Missing** (per advisory gap analysis):
- `scanner.code_changes` table for AST-level diff facts
- `scanner.call_graph_snapshots` for per-scan graph cache
- `DriftCauseExplainer` service to attribute causes to code changes
- Cross-scan function-level drift (state drift exists, function-level doesn't)
**Scope**:
- Sprint 3800.0001.0001: Schema + Code Changes Table
- Sprint 3800.0001.0002: Call Graph Snapshot Service
- Sprint 3800.0002.0001: Drift Cause Explainer
- Sprint 3800.0002.0002: UI Integration
**Estimated Duration**: 4 weeks
---
### Epic 3900: Exception Management as Auditable Objects
**Justification**: The moat advisory explicitly states "Exception Objects" should be first-class, governed decisions — not .ignore files or UI toggles. This is critical for enterprise customers.
**What's Missing**:
- `policy.exceptions` table with full governance fields
- Exception lifecycle (proposed → approved → active → expired → revoked)
- Scope constraints (artifact digest, purl, environment)
- Time-bounded expiry enforcement
- Approval workflow integration
- Signed exception attestations
**Scope**:
- Sprint 3900.0001.0001: Schema + Exception Object Model
- Sprint 3900.0001.0002: Exception API (CRUD + approval workflow)
- Sprint 3900.0002.0001: Policy Engine Integration
- Sprint 3900.0002.0002: UI + Audit Pack Export
**Estimated Duration**: 4 weeks
---
### Epic 4000: Knowledge Snapshots + Time-Travel Replay
**Justification**: Multiple advisories emphasize that replayability requires pinned knowledge state (vuln feeds, VEX, policies). Current replay works for scores but not for full "time-travel" to a past knowledge state.
**What's Missing**:
- Content-addressed knowledge snapshot bundles
- Snapshot manifest with feed digests + policy versions
- Time-travel replay API that loads historical snapshots
- Evidence that the same inputs produce the same verdict
**Scope**:
- Sprint 4000.0001.0001: Knowledge Snapshot Model + Storage
- Sprint 4000.0001.0002: Snapshot Creation Service
- Sprint 4000.0002.0001: Time-Travel Replay API
- Sprint 4000.0002.0002: Verification + Audit Integration
**Estimated Duration**: 4 weeks
---
## 4. Enhancement Opportunities (Existing Features)
### 4.1 Delta Verdict Attestations
**Current State**: Score proofs exist and are signed via DSSE. Material risk changes are detected.
**Enhancement**: Create a formal "Delta Verdict" attestation that wraps:
- Baseline snapshot digest
- Target snapshot digest
- Delta categories (SBOM/VEX/Reachability/Decision changes)
- Policy outcome with explanation
- Signed envelope
**Effort**: ~1 sprint (add to existing attestation infrastructure)
---
### 4.2 Offline E2E Test Suite
**Current State**: Integration tests exist (Sprint 3500.0004.0003). Air-gap tests are ad-hoc.
**Enhancement**: Formalize per the Testing Strategy advisory:
- Offline bundle spec (`bundle.json` with digests)
- No-egress CI jobs
- SBOM round-trip tests (Syft → cosign → Grype)
- Router backpressure chaos tests
**Effort**: ~1 sprint
---
### 4.3 VEX Conflict Studio UI
**Current State**: VEX merge happens in Excititor with lattice logic. No UI for conflict visualization.
**Enhancement**: Per UX advisory, add side-by-side VEX conflict view:
- Left: Vendor statement + provenance
- Right: Internal statement + provenance
- Middle: Merge result + rule that decided
- Evidence hooks checklist
**Effort**: ~1 sprint
---
## 5. Recommendations
### Immediate Actions (Next 2 Weeks)
1. **Create Sprint files for Epic 3800** (Reachability Drift) — highest impact moat
2. **Archive processed advisories** — move 16-Dec and 18-Dec to archive (already processed)
3. **Update moat.md** — sync key-features with new moat explanations
### Medium-Term (Next 4 Weeks)
4. **Create Sprint files for Epic 3900** (Exception Objects)
5. **Create Sprint files for Epic 4000** (Knowledge Snapshots)
6. **Add Delta Verdict attestation to existing proof infrastructure**
### Deferred (Roadmap)
7. Offline E2E test formalization
8. VEX Conflict Studio UI
9. Fleet-level blast radius visualization
---
## 6. Decision Required
**Question for Stakeholders**: Which epic should be prioritized first?
| Option | Epic | Business Value | Technical Risk |
|--------|------|----------------|----------------|
| A | 3800 Reachability Drift | HIGH (differentiator) | MEDIUM |
| B | 3900 Exception Objects | HIGH (enterprise) | LOW |
| C | 4000 Knowledge Snapshots | MEDIUM (audit) | HIGH |
**Recommendation**: Start with **Epic 3900 (Exception Objects)** due to lower risk and clear enterprise demand, then **Epic 3800 (Reachability Drift)** for moat differentiation.
---
## Appendix: Files to Archive
These advisories have been processed or are reference-only:
```
docs/product-advisories/unprocessed/16-Dec-2025 - Reimagining ProofLinked UX in Security Workflows.md
→ Already processed (Status: PROCESSED in file)
docs/product-advisories/unprocessed/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md
→ Overlaps with 16-Dec, consolidate
docs/product-advisories/unprocessed/20-Dec-2025 - Branch · UX patterns worth borrowing from top scanners.md
→ Reference only, no actionable tasks
```
---
**Report Generated By**: StellaOps Agent (Product Manager Role)
**Next Step**: Await stakeholder decision on epic prioritization